- Type: Epic
- Resolution: Postponed
- Priority: Minor
- Component/s: aws-secrets-manager-credentials-provider-plugin
Support credential lookups with secondary IAM roles
The plugin should be able to retrieve credentials using secondary IAM roles, and present them as one combined list of credentials.
The most common use case is to do cross-account secret lookups.
Because Moto does not yet support cross-account assume-role operations, this feature is being developed incrementally behind a beta flag. You can enable it at your own risk.
Use case: Separate AWS accounts for deployment environments
- I have a Jenkins in my environment-independent tools account.
- I have dev secrets in my dev account.
- I have production secrets in my production account.
- I want Jenkins to access secrets in the dev and production accounts.
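The combined lookup described above, as an added Python example (not the plugin's own code): assume each secondary role, list its secrets, and merge the results into one list. The role ARNs, secret names, the fake client, and the rule that leaves out names seen in more than one account are assumptions of this example.

```python
def assumed_role_client(role_arn, session_name="jenkins-secrets-lookup"):
    """Assume role_arn through STS and return a Secrets Manager client for it."""
    import boto3  # lazy import: the merge logic below runs without AWS access
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client(
        "secretsmanager",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])

def secret_names(client):
    """List every secret name visible to one client, following pagination."""
    pages = client.get_paginator("list_secrets").paginate()
    return [s["Name"] for page in pages for s in page["SecretList"]]

def combined_secrets(role_arns, client_for=assumed_role_client):
    """Merge listings from all roles into {name: role_arn}.

    A name seen under more than one role is ambiguous (a dev secret could
    shadow a production one), so it is left out and returned separately.
    """
    owners = {}
    for arn in role_arns:
        for name in secret_names(client_for(arn)):
            owners.setdefault(name, []).append(arn)
    merged = {n: a[0] for n, a in owners.items() if len(a) == 1}
    ambiguous = {n: a for n, a in owners.items() if len(a) > 1}
    return merged, ambiguous

class FakeSecretsManager:
    """Constructed stand-in for a Secrets Manager client (offline sample data)."""
    def __init__(self, *pages):
        self._pages = pages
    def get_paginator(self, operation):
        assert operation == "list_secrets"
        return self
    def paginate(self):
        return [{"SecretList": [{"Name": n} for n in page]} for page in self._pages]

# Constructed role ARNs and secret names; the account IDs are placeholders.
DEV = "arn:aws:iam::111111111111:role/jenkins-secrets-dev"
PROD = "arn:aws:iam::222222222222:role/jenkins-secrets-prod"
SAMPLE = {DEV: FakeSecretsManager(["dev/db-password"], ["deploy-key"]),
          PROD: FakeSecretsManager(["prod/db-password", "deploy-key"])}

if __name__ == "__main__":
    print(combined_secrets([DEV, PROD], client_for=SAMPLE.__getitem__))
```

Against real accounts, call `combined_secrets` with the default `client_for`; each secondary role then needs a trust policy that lets the Jenkins role assume it, plus `secretsmanager:ListSecrets` in its own account.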