Using Powershell to assume roles in different AWS accounts and regions using use

Hi All,
I am trying to write a PowerShell script. What I want to do is use Use-STSRole to assume a role in multiple AWS accounts which we own and run a simple Get-EC2SecurityGroup command to list all security groups we have which match a filter. We have 10 different AWS accounts and the role has been set up correctly. We use MFA also to the root account. The code works in that it will list all the security groups in the root account, but will not show for any other accounts. It just keeps looping over the root account the same number of times as equal to the number of accounts I have listed in the accounts.txt file.
param(
    [Parameter(Mandatory=$True,Position=1)]
    [string]$IAMname,

    [Parameter(Mandatory=$True,Position=2)]
    [string]$MFAcode
)

$UserARN = "arn:aws:iam::111111111111:mfa/" + $IAMname

Write-Host $UserARN
Write-Host $MFACode

$Regions = (Get-SSMParametersByPath -Path '/aws/service/global-infrastructure/regions' -Region eu-west-1).Value

$Accounts = Get-Content -Path .\Accounts.txt

foreach ($Account in $Accounts){

    $RoleArn = "arn:aws:iam::${Account}:role/name"
    $Authtoken = (Use-STSRole -Region eu-west-1 -RoleArn $Accounts -RoleSessionName "name" -TokenCode $MFAcode -SerialNumber $UserARN).Credentials

    foreach ($Region in $Regions){

        Get-EC2SecurityGroup -Filter @{Name="ip-permission.cidr";Values="x.x.x.x/x"} -Region $Region -AccessKey $Authtoken.Credentials.AccessKeyId -SecretKey $Authtoken.Credentials.SecretAccessKey -SessionToken $Authtoken.Credentials.SessionToken
    }

}

Hello Hiten,

Can you please confirm Line 22 is correct? I show you are using -RoleArn $Accounts not $Account. I also see you are applying a value to $RoleARN multiple times as well. I’ve revamped the code below to make it easier to read by using the splatting method.

foreach ($Account in $Accounts){
   # Build the ARN of the role to assume in this account
   $RoleArn = "arn:aws:iam::${Account}:role/name"
   $STSRole = @{
      Region          = 'eu-west-1'
      RoleArn         = $RoleArn        # the full role ARN built above, not the bare account id
      RoleSessionName = "name"
      SerialNumber    = $UserARN
      TokenCode       = $MFAcode
   }
   # Splatting needs a space between the cmdlet name and @STSRole
   $Authtoken = (Use-STSRole @STSRole).Credentials
   foreach ($Region in $Regions){
      # $Authtoken already is the Credentials object, so read its properties directly
      $EC2SecurityGroup = @{
         Filter       = @{Name="ip-permission.cidr";Values="x.x.x.x/x"}
         Region       = $Region
         AccessKey    = $Authtoken.AccessKeyId
         SecretKey    = $Authtoken.SecretAccessKey
         SessionToken = $Authtoken.SessionToken
      }
      Get-EC2SecurityGroup @EC2SecurityGroup
   }
}
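For reference, here is a complete version of the account/region loop as an added example; it is not code from either post. It assumes the AWS Tools for PowerShell modules for STS, EC2 and SSM are loaded, that the default profile is the MFA-protected IAM user in account 111111111111 (the account id from the question), that Accounts.txt holds one 12-digit account id per line, and that each account has a role with the placeholder name "name" that trusts that user; the role name, the CIDR filter and the file path are parameters with placeholder defaults. It relies on the fact that the Credentials object returned by Use-STSRole can be handed to other cmdlets via -Credential, so the three key fields never need to be split out. The point it makes beyond the two posts: when AssumeRole fails or the credential variable is null, the EC2 cmdlet silently falls back to the default profile, which is exactly how a loop ends up reporting the home account ten times over, so each account is skipped on failure and every result row is tagged with the account and region it actually came from.

```powershell
# Added example, not from the original posts. Placeholders: role name "name",
# CIDR "x.x.x.x/x", file .\Accounts.txt. Account 111111111111 is from the question.
param(
    [Parameter(Mandatory = $true, Position = 1)]
    [string]$IAMname,

    [Parameter(Mandatory = $true, Position = 2)]
    [ValidatePattern('^\d{6}$')]          # assumes a six-digit MFA token code
    [string]$MFAcode,

    [string]$RoleName    = 'name',
    [string]$Cidr        = 'x.x.x.x/x',
    [string]$AccountFile = '.\Accounts.txt'
)

$UserARN = "arn:aws:iam::111111111111:mfa/$IAMname"
# The MFA code is deliberately not written to the console: a Write-Host of a one-time
# secret ends up in transcripts and shell history.

# The SSM public parameter tree lists every region code as a parameter value.
$Regions  = (Get-SSMParametersByPath -Path '/aws/service/global-infrastructure/regions' -Region eu-west-1).Value
# Keep only well-formed 12-digit account ids so a stray line cannot build a bogus ARN.
$Accounts = Get-Content -Path $AccountFile | Where-Object { $_ -match '^\d{12}$' }

$Results = foreach ($Account in $Accounts) {
    $RoleArn = "arn:aws:iam::${Account}:role/$RoleName"

    # Assume the role once per account. On failure skip the account: a cmdlet called with
    # a null credential falls back to the default profile and would report the home account.
    try {
        $sts = @{
            RoleArn         = $RoleArn              # the full ARN, not the bare account id
            RoleSessionName = "sg-audit-$IAMname"   # shows up in CloudTrail for this session
            SerialNumber    = $UserARN
            TokenCode       = $MFAcode
            Region          = 'eu-west-1'
        }
        $Creds = (Use-STSRole @sts).Credentials
    }
    catch {
        Write-Warning "AssumeRole failed for $RoleArn : $($_.Exception.Message)"
        continue
    }

    foreach ($Region in $Regions) {
        try {
            # $Creds is the Credentials object from STS; pass it straight to -Credential.
            Get-EC2SecurityGroup -Region $Region -Credential $Creds `
                -Filter @{ Name = 'ip-permission.cidr'; Values = $Cidr } |
                Select-Object @{ n = 'Account'; e = { $Account } },
                              @{ n = 'Region';  e = { $Region } },
                              GroupId, GroupName, VpcId
        }
        catch {
            # Opt-in regions that are not enabled for an account return an error; note it and move on.
            Write-Warning "Account $Account region $Region : $($_.Exception.Message)"
        }
    }
}

$Results | Format-Table -AutoSize
```

Run it as `.\Get-SgByCidr.ps1 -IAMname alice -MFAcode 123456` (script name is a placeholder). Because every row carries the Account and Region columns, a run that only ever shows 111111111111 is immediately visible as an assume-role problem rather than looking like ten identical accounts, and the per-account warnings tell you which role trust or MFA condition to check.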