Comment 11 for bug 2052410

Thomas Miller (tlmiller) wrote :

Hey Diko,

I am still not sure we are on the same page at the moment. IAM Roles are very useful in a controller context as they allow a controller to use credentials from the IAM metadata service and assume a role to perform provisioning tasks (automation) on behalf of a Juju deployment.

We don't support assuming roles from the CLI yet. But a common design pattern for multiple AWS accounts is to have one central account holding all of the IAM users and allowing them to assume a role into the other org accounts to get the needed permissions etc. This is a case we don't yet support with the Juju CLI.

To track back to this bug. If we just run a vanilla `juju bootstrap aws` using local credentials with a secret key from the IAM console we are seeing the bad credentials error message pop up? In this case what we are poorly trying to convey is that AWS have rejected the credentials the user has provided to Juju.

Assuming the above is correct, we need to dig into the AWS side of things and figure out what about the credentials AWS is rejecting. I have seen AWS IAM access policies that restrict access keys being used if there is no MFA information provided. Have you put these keys into the aws cli and seen if you are able to describe all ec2 machines for a region?