Kitchen EC2 instance profiles and assume role problem

Chef Infra (archive)
1

Hi,

We have and Enterprise seupt in AWS with multiple accounts and what I need is to run Kitchen on an EC2 instance in one account which then runs the kitchen tests in the other account. The catch is that we are not allowed to have IAM users, so I can't simply use keys but I have to use Instance Profiles. For the AWS CLI and Terraform this works perfectly well (I am testing on the Terraform instance since I know everything works on there). My credentials file looks like this:

    [prod]
    credential_source = Ec2InstanceMetadata
    role_arn = arn:aws:iam::<account_id>:role/AdminAccessFromProd
    [test]
    credential_source = Ec2InstanceMetadata
    role_arn = arn:aws:iam::<account_id>:role/AdminAccessFromProd

The CLI works so basically the setup is good:

    % aws --profile test ec2 describe-key-pairs
    {
      "KeyPairs": [
          {
              "KeyName": "key-in-test",
              "KeyFingerprint": "removed"
          }
      ]
    }

But when I try to run kitchen with "shared_credentials_profile: test" in my kitchen.yml I get an error that is very weird:

    -----> Destroying <default-amzn>...
    >>>>>> ------Exception-------
    >>>>>> Class: Kitchen::ActionFailed
    >>>>>> Message: 1 actions failed.
    >>>>>>     Failed to complete #create action: [Profile test has a role_arn, but no source_profile.] on default-amzn
    >>>>>> ----------------------
    >>>>>> Please see .kitchen/logs/kitchen.log for more details
    >>>>>> Also try running `kitchen diagnose --all` for configuration

I tried playing around with the settings and this source_profile with with no success.
To make sure my kitchen.yml is correct I generated temporary credentials which last only one hour from my windows laptop and copied them to the credentials file. This worked like a charm with all settings, firewalls etc, so I am pretty sure that something with the credentials file or the assume role call in kitchen-ec2 is bugged.
Was anyone ever successful on a setup like this?

% chef --version                                                                                                            :(
Chef Development Kit Version: 3.12.10
chef-client version: 14.14.29
delivery version: master (4b21ec7e07fdfa82e86aa80e4f2372dde8e368bb)
berks version: 7.0.8
kitchen version: 1.25.0
inspec version: 3.9.3
% chef exec gem list --local | grep -E "aws|kitchen"
aws-eventstream (1.0.3)
aws-sdk (2.11.390)
aws-sdk-core (2.11.390)
aws-sdk-resources (2.11.390)
aws-sigv4 (1.1.0)
chef-provisioning-aws (3.0.7)
fog-aws (2.0.1)
kitchen-azurerm (0.14.9)
kitchen-digitalocean (0.10.5)
kitchen-dokken (2.8.0)
kitchen-ec2 (2.5.0)
kitchen-google (2.0.1)
kitchen-hyperv (0.5.3)
kitchen-inspec (1.1.0)
kitchen-vagrant (1.6.0)
test-kitchen (1.25.0)