
On the AWS console, I can switch between different roles (see screenshot).


I am using a Docker image where I am running Linux. I also have a credentials file with temporary AWS credentials. I can start the Docker container with AWS_PROFILE set to one of the roles in my credentials file. Then, I would like to "switch" the role to a different one defined in IAM.

How can I do this? Is this possible?

Thanks!

2 Answers


  1. You can assume the role. Using the CLI it would look like:

    aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session
    

    The output of the command contains an access key, secret key, and session token that you can use to authenticate to AWS:

    {
        "AssumedRoleUser": {
            "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
            "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
        },
        "Credentials": {
            "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
            "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
            "Expiration": "2016-03-15T00:05:07Z",
            "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
        }
    }
    

    Now you can set your environment variables to those outputs and you’ll be using the new role.

    In Python it would look something like this:

    import boto3

    # Base session: the profile that holds the credentials you already have
    session = boto3.Session(profile_name="learnaws-test")

    sts = session.client("sts")
    response = sts.assume_role(
        RoleArn="arn:aws:iam::xxx:role/s3-readonly-access",
        RoleSessionName="learnaws-test-session"
    )

    # New session built from the returned temporary credentials; the session
    # token is required, the key pair alone will be rejected
    creds = response["Credentials"]
    new_session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    s3 = new_session.client("s3")
    print(s3.list_buckets())
    
  2. You can store an IAM Role as a profile in the AWS CLI and it will automatically assume the role for you.

    Here is an example from Using an IAM role in the AWS CLI – AWS Command Line Interface:

    [profile marketingadmin]
    role_arn = arn:aws:iam::123456789012:role/marketingadminrole
    source_profile = user1
    

    This is saying:

    • If a user specifies --profile marketingadmin
    • Then use the credentials of profile user1
    • To call AssumeRole on the specified role

    This means you can simply call a command like this and it will assume the role and use the returned credentials automatically:

    aws s3 ls --profile marketingadmin
    

    See also: AWS sts assume role in one command

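As an added example (not from either answer above), the helper below ties the two approaches together: it parses the JSON that `aws sts assume-role` prints (first answer), checks the `Expiration` field, emits shell `export` lines for all three credential values so nothing is dropped, and generates the `[profile …]` section that lets the CLI assume the role itself (second answer). The sample response, profile and role ARN are constructed placeholders, and only the standard library is used.

```python
import configparser
import io
import json
import shlex
from datetime import datetime, timezone

# Constructed sample with the same shape as the `aws sts assume-role` output;
# the values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:example-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
    },
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "EXAMPLESECRETKEY",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2016-03-15T00:05:07Z",
    },
})

# All three must be exported; temporary keys without AWS_SESSION_TOKEN are rejected.
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}

def parse_credentials(raw_json):
    """Return the Credentials object, failing loudly if any field is missing."""
    creds = json.loads(raw_json)["Credentials"]
    missing = [k for k in list(ENV_NAMES) + ["Expiration"] if k not in creds]
    if missing:
        raise ValueError(f"assume-role output lacks {missing}")
    return creds

def seconds_remaining(creds, now=None):
    """Seconds until the temporary credentials expire (negative once expired)."""
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds()

def shell_exports(creds):
    """Shell-safe export lines, e.g. for: eval "$(python3 switch_role.py)"."""
    return "\n".join(f"export {ENV_NAMES[k]}={shlex.quote(creds[k])}" for k in ENV_NAMES)

def role_profile_ini(profile, role_arn, source_profile):
    """Config section that makes the CLI call AssumeRole itself (second answer)."""
    cfg = configparser.ConfigParser()
    cfg[f"profile {profile}"] = {"role_arn": role_arn, "source_profile": source_profile}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue().strip()
```

Check `seconds_remaining` before exporting: the sample above is long expired, and a real response is only valid for the session duration you requested.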