To assume an AWS role in the CLI, I do the following command:

aws sts assume-role --role-arn arn:aws:iam::123456789123:role/myAwesomeRole --role-session-name test --region eu-central-1

This gives me an output that follows the schema:

{
  "Credentials": {
    "AccessKeyId": "someAccessKeyId",
    "SecretAccessKey": "someSecretAccessKey",
    "SessionToken": "someSessionToken",
    "Expiration": "2020-08-04T06:52:13+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "idOfTheAssummedRole",
    "Arn": "theARNOfTheRoleIWantToAssume"
  }
}

And then I manually copy and paste the values of AccessKeyId, SecretAccessKey and SessionToken in a bunch of exports like this:

export AWS_ACCESS_KEY_ID="someAccessKeyId"
export AWS_SECRET_ACCESS_KEY="someSecretAccessKey"
export AWS_SESSION_TOKEN="someSessionToken"

To finally assume the role.

How can I do this in one go? I mean, without that manual intervention of copying and pasting the output of the aws sts ... command on the exports.
No jq, no eval, no multiple exports - using the printf built-in (i.e. no credential leakage through /proc) and command substitution:

export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
    $(aws sts assume-role \
        --role-arn arn:aws:iam::123456789012:role/MyAssumedRole \
        --role-session-name MySessionName \
        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
        --output text))
Finally, a colleague shared with me this awesome snippet that gets the work done in one go:

eval $(aws sts assume-role --role-arn arn:aws:iam::123456789123:role/myAwesomeRole --role-session-name test | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')

Apart from the AWS CLI, it only requires jq, which is usually installed on any Linux desktop.
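Added example, not taken from either answer above: a pair of shell functions that do the same job with neither jq nor eval, using the CLI's own --query text output and the shell's positional parameters, and that check the resulting identity before leaving the credentials in the environment. The function names, the ASSUMED_ROLE_EXPIRATION variable and the sample values in comments are my own choices, not AWS conventions.

```shell
# Added example: assume a role and export its credentials in the current
# shell without jq, eval or a temp file. Requires only the AWS CLI.
# Usage: assume_role_env <role-arn> [session-name]

assume_role_env() {
  local role_arn=$1
  local session_name=${2:-"${USER:-cli}-$(date +%s)"}
  local creds

  # One CLI call; --query plus --output text yields the four fields
  # tab-separated on a single line. None of these values contain whitespace.
  creds=$(aws sts assume-role \
      --role-arn "$role_arn" \
      --role-session-name "$session_name" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
      --output text) || return 1

  # Word-split into the function's positional parameters: no printf, no
  # eval, and the secrets never appear on an external process's command line.
  set -- $creds
  if [ $# -ne 4 ]; then
    echo "assume_role_env: unexpected CLI output" >&2
    return 1
  fi

  export AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3
  # Hypothetical variable name: keeps the expiry so the caller can tell
  # when the session token dies (e.g. 2020-08-04T06:52:13+00:00).
  ASSUMED_ROLE_EXPIRATION=$4

  # Verify: the caller identity must now be an STS assumed-role ARN,
  # not the long-lived IAM user or role we started from.
  case $(aws sts get-caller-identity --query Arn --output text) in
    arn:aws:sts::*:assumed-role/*) return 0 ;;
    *) drop_role_env; echo "assume_role_env: identity check failed" >&2; return 1 ;;
  esac
}

# Return to the original credentials by clearing the session variables.
drop_role_env() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN ASSUMED_ROLE_EXPIRATION
}
```

Source the file and run assume_role_env in the interactive shell itself; run as a script, the exports would only affect the child process.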