assume a role with AWS-vault termporary credentials

[teto]

I think I lack knowledge about how AWS works. This might be a generic AWS question but also could be worth making clearer.

I have a role ROLE I successfully assume with

$ aws-vault exec --no-session sandbox aws sts assume-role --role-arn "arn:aws:iam::REDACTED:role/redacted" --role-session-name toto
....
SUCCESSFUL_RESULT
....

now if I run the ~same (without --no-session) command from a aws-vault exec sandbox aws sts assume-role --role-arn "arn:aws:iam::REDACTED:role/redacted" --role-session-name toto

I get

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::REDACTED:user/redacted is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::REDACTED:role/redacted

arn:aws:iam::REDACTED:user/redacted IS allowed to assume the role since outside aws-vault it works. Apparently aws-vault gets me into a special kind of session for my own user (short term credentials) https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html that could limit my capabilities to assume a role ?
Reading the doc https://github.com/99designs/aws-vault/blob/master/USAGE.md#session-duration (and the aws official one) I could not find anything about these limitations . did I miss anything in my IAM configuration or is this an aws-vault fault ? would it work with mfa ?

[karlkovaciny]

This error also seems to be blocking me from using AWS Vault to provide SSO credentials to Docker as described in https://github.com/99designs/aws-vault/blob/master/USAGE.md#docker.

[seldon007]

You can assume the role as part of your aws-vault profile setup e.g.

[profile sandbox]
mfa_serial=arn:aws:iam::xxxxxx:mfa/my-user
role_arn=arn:aws:iam::xxxxxx:role/REDACTED

then you should have assumed it via stort term credentitals
aws-vault --debug exec sandbox -- aws sts get-caller-identity

It that does not work, you need to look at your iam user/role configuration