Using the AWS SDK for JavaScript, I want to use a default profile that assumes the a role. This works perfectly with the AWS CLI. Using node.js with the SDK does not assume the role, but only uses credentials to the AWS account that the access key belongs to. I've found this documentation but it does not deal with assuming a role: http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-shared.html
Any tips?
This is my config file:
[default] role_arn = arn:aws:iam::123456789:role/Developer source_profile = default output = json region = us-east-1
You can assume a role by calling an AWS CLI or API operation or by using a custom URL. The method that you use determines who can assume the role and how long the role session can last. ¹ Using the credentials for one role to assume a different role is called role chaining.
To get your access keys (consisting of an access key ID and secret access key), go to the IAM console at https://console.aws.amazon.com/iam/ . Choose Users from the navigation bar and then choose your AWS user name (not the check box). Choose the Security credentials tab, and then choose Create access key.
If you're using the AWS SDK, you can use the assume role method of the STS. You can also assume the role via CLI.
The right way to use multiple cross account roles in the code:
Get the credentials for the cross account role with sts and use those credentials every time you need to get a service authenticated with that specific cross account role.
Example:
Create a function to get the cross account credentials like:
const AWS = require('aws-sdk'); const sts = new AWS.STS(); const getCrossAccountCredentials = async () => { return new Promise((resolve, reject) => { const timestamp = (new Date()).getTime(); const params = { RoleArn: 'arn:aws:iam::123456789:role/Developer', RoleSessionName: `be-descriptibe-here-${timestamp}` }; sts.assumeRole(params, (err, data) => { if (err) reject(err); else { resolve({ accessKeyId: data.Credentials.AccessKeyId, secretAccessKey: data.Credentials.SecretAccessKey, sessionToken: data.Credentials.SessionToken, }); } }); }); }
And then you can use it without problems like:
const main = async () => { // Get the Cross account credentials const accessparams = await getCrossAccountCredentials(); // Get the ec2 service for current account const ec2 = new AWS.EC2(); // Get the ec2 service for cross account role const ca_ec2 = new AWS.EC2(accessparams); // Get the autoscaling service for current account const autoscaling = new AWS.AutoScaling(); // Get the autoscaling service for cross account role const ca_autoscaling = new AWS.AutoScaling(accessparams); // This will describe instances within the cross account role ca_ec2.describeInstances(...) // This will describe instances within the original account ec2.describeInstances(...) // Here you can access both accounts without issues. }
Benefits:
The wrong way:
DO NOT USE AWS.config.update
to override the global credentials AWS.config.credentials
!!!
Override the global credentials is a bad practice!! This is same situation as @Brant's approved solution here but it is no good solution! Here is why:
const main = async () => { // Get the Cross account credentials const accessparams = await getCrossAccountCredentials(); // Get the ec2 service for current account const ec2 = new AWS.EC2(); // Overwrite the AWS credentials with cross account credentilas AWS.config.update(accessparams); // Get the ec2 service for cross account role const ca_ec2 = new AWS.EC2(); // This will describe instances within the cross account role ca_ec2.describeInstances(...) // This will ALSO describe instances within the cross account role ec2.describeInstances(...) // WARNING: Here you only will access the cross account role. You may get // confused on what you're accessing!!! }
Issues:
AWS.config.credentials
directly or by AWS.config.update
, will override current credentials.AWS.config.credentials
and update it again to restore it. It is hard to control when you use each account, it is hard to trace execution context, and easy to mess up by targeting the wrong account.Again, DO NOT USE AWS.config.update
to override the global credentials AWS.config.credentials
!!!
If you need to run the code entirely in another account:
If you need to execute your code entirely for another account without switching between credentials. You can follow the advice from @Kanak Singhal and store the role_arn in the config file and add AWS_SDK_LOAD_CONFIG="true"
to the environment variable along with AWS_PROFILE="assume-role-profile"
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With