I tried to use the role as:
~/.aws/credentials
[default]
role_arn=arn:aws:iam::xxxxxxx:role/yyyy
but I get the error:
Partial credentials found in assume-role, missing: source_profile or credential_source
so it seems an IAM role cannot replace
[default]
aws_access_key_id = AAAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = BBBBBBBBBBBBBBBBBBBBBBBBBBB
since as per http://boto3.readthedocs.io/en/latest/guide/configuration.html
# In ~/.aws/credentials:
[development]
aws_access_key_id=foo
aws_secret_access_key=bar
# In ~/.aws/config
[profile crossaccount]
role_arn=arn:aws:iam:...
source_profile=development
I would still have to use keys, which could be a security risk, even though they are not being used in the code.
Is there a way to use boto3 with admin privileges without using AWS API credentials?
so basically:
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
test boto3 script:
#!/usr/bin/env python
import boto3

# client built from the default credential chain (no keys passed explicitly)
ec2_client = boto3.client('ec2')

def main():
    vpcs = ec2_client.describe_vpcs()
    for vpc_info in vpcs['Vpcs']:
        print(vpc_info['VpcId'])

if __name__ == "__main__":
    main()
I came across an application on GitHub which addresses this issue:
https://github.com/AdRoll/hologram
If you have a role attached to the EC2 instance you can use:
~/.aws/config
[default]
credential_source=Ec2InstanceMetadata
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile. Valid values are:
Environment
to pull source credentials from environment variables.
Ec2InstanceMetadata
to use the EC2 instance role as source credentials.
EcsContainer
to use the ECS container credentials as the source credentials.
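The error in the question ("Partial credentials found in assume-role ...") and the credential_source values listed in this answer follow one rule: a profile that names a role_arn must carry exactly one of source_profile or credential_source, and credential_source must be one of the three documented values. The following linter reproduces that rule over a constructed config. It is an added example, not code from the question, the answers, or boto3; the account id, role names, keys and profile names in SAMPLE_CONFIG are made up, and sections from both ~/.aws/config and ~/.aws/credentials are merged into one string for the demo.

```python
# Added example: a small linter for assume-role settings in ~/.aws/config and
# ~/.aws/credentials. Not code from the question or the answers above.
import configparser

# The three credential_source values the AWS CLI documents.
VALID_CREDENTIAL_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}

# Constructed sample (made-up account id, roles, keys). Config-file sections use the
# "[profile x]" form, credentials-file sections the bare "[x]" form; merged here for the demo.
SAMPLE_CONFIG = """
[default]
role_arn = arn:aws:iam::111111111111:role/broken-no-source

[development]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLESECRETEXAMPLESECRET

[profile crossaccount]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = development

[profile instance-role]
role_arn = arn:aws:iam::111111111111:role/admin
credential_source = Ec2InstanceMetadata

[profile both]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = development
credential_source = Ec2InstanceMetadata

[profile typo]
role_arn = arn:aws:iam::111111111111:role/admin
credential_source = EC2InstanceMetaData

[profile dangling]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = nope
"""


def parse_aws_config(text):
    """Parse INI text into {profile_name: {key: value}}; '[profile x]' and '[x]' both map to 'x'."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def lint_profile(profiles, name):
    """Return the list of problems for one profile (empty list means it is usable)."""
    profile = profiles.get(name)
    if profile is None:
        return [f"profile '{name}' not found"]
    problems = []
    if "role_arn" not in profile:
        # Nothing to assume: the profile's own keys, or the rest of the default
        # chain (env vars, container, instance metadata), supply the credentials.
        return problems
    has_source = "source_profile" in profile
    has_cred_source = "credential_source" in profile
    if has_source and has_cred_source:
        problems.append("credential_source cannot be provided alongside source_profile")
    elif not (has_source or has_cred_source):
        # This is the message the question hit with role_arn alone.
        problems.append("Partial credentials found in assume-role, missing: source_profile or credential_source")
    if has_cred_source and profile["credential_source"] not in VALID_CREDENTIAL_SOURCES:
        problems.append(
            f"credential_source '{profile['credential_source']}' is not one of "
            f"{sorted(VALID_CREDENTIAL_SOURCES)} (values are case-sensitive)"
        )
    if has_source and profile["source_profile"] not in profiles:
        problems.append(f"source_profile '{profile['source_profile']}' does not exist")
    return problems


def lint_all(text):
    """Lint every profile in the given config text."""
    profiles = parse_aws_config(text)
    return {name: lint_profile(profiles, name) for name in profiles}


def main():
    for name, problems in lint_all(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")


if __name__ == "__main__":
    main()
```

The instance-role profile is the shape this answer describes (role_arn plus credential_source=Ec2InstanceMetadata), which assumes a further role using the instance's own credentials as the source. If no role needs assuming at all, boto3's default chain reaches the instance metadata service on its own with nothing in ~/.aws; a quick way to see which provider actually won on a box is `boto3.Session().get_credentials().method`, which reports 'iam-role' for instance profile credentials and 'assume-role' for a role_arn profile.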