Problems deploying using a cross-account role in AWS

The issue is that pass role is not intended to change accounts, just limit the permissions used when deploying (to a specific role).

You should be able to specify a profile that uses a cross-account role (see the CLI docs for more detail), as long as you don’t require MFA.

If you need MFA (like I do), you’ll need to do a “manual” STS assume role to set your local environment variables. The STS command is relatively quick, so I’ve just been wrapping my commands with this script (which requires jq):

#!/bin/bash
set -euo pipefail

# Assume the cross-account role and capture the temporary credentials as JSON.
# If the role's trust policy requires MFA, add to the command below:
#   --serial-number <YOUR_MFA_DEVICE_ARN> --token-code <CURRENT_MFA_CODE>
CREDS=$(aws sts assume-role --role-arn \
  <YOUR_ROLE_ARN> \
  --role-session-name my-sls-session --output json)

# Pull the three values out of the response (assigned first, then exported,
# so a failing jq is not masked by the export).
AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Echo and run the wrapped command; "$@" keeps arguments with spaces intact.
echo "$@"
"$@"

This assumes the role you want to use, and runs the command you passed it (it’s not actually SLS specific) e.g. ./script.sh sls deploy.

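The same assume-role-then-export flow, written as an added example rather than the poster's script: a small Python helper that calls STS AssumeRole (with the optional MFA serial and token code the manual route needs), validates the response, and prints shell export lines that can be consumed with eval. The STS client is passed in as a parameter, so the logic is exercised here against a constructed FakeSts stand-in with sample credential values; real use would pass boto3.client("sts"), and the role, MFA and session values are placeholders, not from the original post.

```python
"""Added example: assume a cross-account IAM role via STS (optionally with MFA)
and emit shell `export` lines for the temporary credentials, e.g.

    eval "$(python3 assume_role_env.py <YOUR_ROLE_ARN> --mfa-serial <MFA_ARN> --token-code 123456)"

The STS client is injected, so everything below main() runs offline.
"""
import argparse
import shlex
import sys
from datetime import datetime, timezone

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def assume_role(sts, role_arn, session_name, mfa_serial=None, token_code=None, duration=3600):
    """Call AssumeRole on `sts` (a boto3 STS client, or any object with the same
    assume_role(**kwargs) method) and return the Credentials dict."""
    if not role_arn.startswith("arn:aws:iam::") or ":role/" not in role_arn:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if (mfa_serial is None) != (token_code is None):
        raise ValueError("--mfa-serial and --token-code must be given together")
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name, "DurationSeconds": duration}
    if mfa_serial is not None:
        kwargs["SerialNumber"] = mfa_serial  # MFA device ARN from the trust policy's condition
        kwargs["TokenCode"] = token_code
    creds = sts.assume_role(**kwargs).get("Credentials", {})
    missing = [k for k in REQUIRED if k not in creds]
    if missing:
        raise RuntimeError(f"AssumeRole response missing Credentials.{missing[0]}")
    return creds


def export_lines(creds):
    """Shell `export` lines; shlex.quote keeps tokens with odd characters intact."""
    env = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
    return [f"export {name}={shlex.quote(value)}" for name, value in env.items()]


def seconds_remaining(creds, now=None):
    """Seconds until the session expires; boto3 returns a datetime, raw JSON a string."""
    exp = creds["Expiration"]
    if isinstance(exp, str):
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return int((exp - now).total_seconds())


class FakeSts:
    """Constructed stand-in for boto3's STS client (sample values, not real keys)."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEYID",
            "SecretAccessKey": "example/Secret+Key",
            "SessionToken": "FwoGZ example token=",  # the space forces shell quoting
            "Expiration": "2030-01-01T00:10:00Z",
        }}


def demo():
    """Run the flow against FakeSts with MFA; returns (request kwargs, export lines, seconds left)."""
    sts = FakeSts()
    creds = assume_role(sts, "arn:aws:iam::123456789012:role/DeployRole", "my-sls-session",
                        mfa_serial="arn:aws:iam::123456789012:mfa/me", token_code="123456")
    fixed_now = datetime(2030, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed clock for the demo
    return sts.calls[0], export_lines(creds), seconds_remaining(creds, fixed_now)


def main(argv=None):
    p = argparse.ArgumentParser(description="print export lines for an assumed role")
    p.add_argument("role_arn")
    p.add_argument("--session-name", default="my-sls-session")
    p.add_argument("--mfa-serial")
    p.add_argument("--token-code")
    p.add_argument("--duration", type=int, default=3600)
    a = p.parse_args(argv)
    import boto3  # imported here so the rest of the module has no AWS dependency
    creds = assume_role(boto3.client("sts"), a.role_arn, a.session_name,
                        a.mfa_serial, a.token_code, a.duration)
    print("\n".join(export_lines(creds)))
    print(f"# session expires in {seconds_remaining(creds)} s", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Printing export lines (and eval-ing them) rather than exec-ing the command keeps the credentials in the current shell for several deploys until they expire; the expiry message on stderr makes it obvious when a fresh MFA code is needed instead of a confusing AccessDenied from the next command.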