Role Assumption without Named Profile

We're familiar with the use of --s3-profile for the typical use case of rclone assuming a role using an existing AWS config file. Our current use case, which we thought was supported, is more complex -

"Access an AWS bucket using an assumed role without any file-based configuration"

It will be extremely useful in terms of scripting transfers using scripts shared within a team, as it eliminates the need for file-based configuration.

The ideal case doesn't even require an RClone config (illustrated below), but we'd be delighted with just a way to specify and drive the role assumption without a named profile, driven entirely by environment variables.

Stating the obvious, the access and secret keys are easy in ENV ... the role to assume without a named profile not so much!

We have a script we think "ought" to work, but it fails with a 403, and the cloudtrails in both the account with the "hard" aws creds and the target account with the to-be-assumed role show no requests, rejected or otherwise.

The failing script (sanitized):

#!/bin/bash
# Set AWS credentials
export AWS_ACCESS_KEY_ID=SomeAWSAccessKeyWithAssumeRolePerms
export AWS_SECRET_ACCESS_KEY=TheCorrespondingSecretKey

# Set role to assume
export AWS_ROLE_ARN=TheFullyQualifiedARNofAssumableRoleWithS3Perms
export AWS_ROLE_SESSION_NAME=my-rclone-session

# Configure rclone
export RCLONE_CONFIG_MYREMOTE_TYPE=s3
export RCLONE_CONFIG_MYREMOTE_PROVIDER=AWS
export RCLONE_CONFIG_MYREMOTE_ENV_AUTH=true
export RCLONE_CONFIG_MYREMOTE_ASSUME_ROLE_ARN=$AWS_ROLE_ARN

# Run rclone command
rclone ls myremote:BucketNameWithoutAnyProtocol -vv

Our rclone version is:

rclone v1.62.2-DEV
- os/version: centos 7.9.2009 (64 bit)
- os/kernel: 3.10.0-1160.119.1.el7.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.18
- go/linking: dynamic
- go/tags: none

And the failing result with -vv in place is:

$ vi testRcloneNoConfig.sh 
[pattcornerri@irbdev12 no-commit]$ ./testRcloneNoConfig.sh 
2024/10/09 10:13:50 DEBUG : rclone: Version "v1.62.2-DEV" starting with parameters ["rclone" "--config" "/dev/null" "ls" "BucketNameWithoutAnyProtocol" "-vv"]
2024/10/09 10:13:50 DEBUG : Creating backend with remote "myremote:x20220908-rpc-1"
2024/10/09 10:13:50 DEBUG : Using config file from ""
2024/10/09 10:13:50 DEBUG : Setting type="s3" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_TYPE
2024/10/09 10:13:50 DEBUG : Setting provider="AWS" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_PROVIDER
2024/10/09 10:13:50 DEBUG : Setting env_auth="true" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_ENV_AUTH
2024/10/09 10:13:50 DEBUG : myremote: detected overridden config - adding "{cInaD}" suffix to name
2024/10/09 10:13:50 DEBUG : Setting provider="AWS" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_PROVIDER
2024/10/09 10:13:50 DEBUG : Setting env_auth="true" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_ENV_AUTH
2024/10/09 10:13:50 DEBUG : fs cache: renaming cache item "myremote:x20220908-rpc-1" to be canonical "myremote{cInaD}:BucketNameWithoutAnyProtocol"
2024/10/09 10:13:50 DEBUG : 4 go routines active
2024/10/09 10:13:50 Failed to ls: AccessDenied: Access Denied
        status code: 403, request id: XXX, host id: YYY

We're not attached to this specific method, just looking for some way to use rclone with an assumed role but without the AWS config files/named profile.

that is a very old, custom compiled version of rclone.
since then, rclone has switched from deprecated AWS SDKv1 to AWS SDKv2

should rclone selfupdate or https://rclone.org/install/#script-installation
and test again


is that a valid rclone flag?


for a deeper look at the api calls use --dump flag


not too familiar with aws roles, but maybe need an endpoint, region, and/or session token ?
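
Following up on the session-token question in the last reply: an added example, not part of the thread and not rclone's own code, that assumes the role with the AWS CLI and hands the resulting temporary credentials to rclone through environment variables only. It assumes the AWS CLI is installed; the function names and the `run` argument are hypothetical, and the remote and bucket names are the placeholders from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): obtain short-lived role credentials from
# STS and pass them to rclone purely through environment variables.

TAB=$(printf '\t')

# Read "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" from stdin and export
# it, replacing the long-lived keys in this process's environment.
load_role_creds() {
    IFS="$TAB" read -r akid secret token || true
    if [ -z "$akid" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "incomplete credentials from assume-role" >&2
        return 1
    fi
    # Temporary STS access key IDs start with ASIA; long-lived ones with AKIA.
    case "$akid" in
        ASIA*) ;;
        *) echo "not a temporary credential, refusing to continue" >&2; return 1 ;;
    esac
    export AWS_ACCESS_KEY_ID="$akid"
    export AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token"
    unset akid secret token
}

# $1 = role ARN, $2 = session name. Requires the AWS CLI on PATH.
assume_role_env() {
    creds=$(aws sts assume-role --role-arn "$1" --role-session-name "$2" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    load_role_creds <<EOF
$creds
EOF
    unset creds
}

# Only contact AWS when invoked as: ./script.sh run
# (long-lived keys and AWS_ROLE_ARN already exported, as in the original script)
if [ "${1:-}" = "run" ]; then
    assume_role_env "$AWS_ROLE_ARN" "${AWS_ROLE_SESSION_NAME:-my-rclone-session}" || exit 1
    export RCLONE_CONFIG_MYREMOTE_TYPE=s3
    export RCLONE_CONFIG_MYREMOTE_PROVIDER=AWS
    export RCLONE_CONFIG_MYREMOTE_ENV_AUTH=true
    rclone ls myremote:BucketNameWithoutAnyProtocol -vv
fi
```

Because the `sts:AssumeRole` call is made explicitly, it is logged in CloudTrail in the source account, and rclone itself only ever sees the short-lived keys.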