Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Assume an IAM role. An interesting way of doing IAM roles is to give the instance permissions to assume another role, but no actual permissions by default. I got this idea while setting up security monkey:
# Assume the given role, and print out a set of environment variables
# for use with aws cli.
# To use:
# $ eval $(./
set -e
# Clear out existing AWS session environment, or the awscli call will fail
# Old ec2 tools use other env vars
NAME="${4:-$LOGNAME@`hostname -s`}"
# KST=access*K*ey, *S*ecretkey, session*T*oken
KST=(`aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE" \
--role-session-name "$NAME" \
--duration-seconds $DURATION \
--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
--output text`)
echo 'export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}'
echo "export AWS_ACCESS_KEY_ID='${KST[0]}'"
echo "export AWS_ACCESS_KEY='${KST[0]}'"
echo "export AWS_SECRET_ACCESS_KEY='${KST[1]}'"
echo "export AWS_SECRET_KEY='${KST[1]}'"
echo "export AWS_SESSION_TOKEN='${KST[2]}'" # older var seems to work the same way
echo "export AWS_SECURITY_TOKEN='${KST[2]}'"
echo "export AWS_DELEGATION_TOKEN='${KST[2]}'"
Copy link

jhmartin commented Oct 30, 2017

It is reasonable to leave line 14 in if you logged in via a federated token in the first place.

Copy link

maccopper2 commented Jun 12, 2018


Another way to achieve the same result:

Write a profile, which automatically assumes the role.
aws configure --profile new-profile set role_arn arn:aws:iam::$ACCOUNT:role/$ROLE

To give credentials to the new profile, you must use one of the following lines:

  1. aws configure --profile new-profile set source_profile default
  2. aws configure --profile new-profile set credential_source Ec2InstanceMetadata
  3. aws configure --profile new-profile set credential_source EcsContainer

Line 1) was correct on my personal pc, because I used the default profile.
Line 3) was correct when I tested the code with AWS CodeBuild. The new profile used the credentials of the codepipeline-role.

Afterwards, you may use the new profile, example:
aws --profile new-profile s3 ls s3://bucket-in-target-account


Regards, maccopper2

Copy link

mattrigg9 commented May 21, 2020

  1. aws configure --profile new-profile set credential_source EcsContainer

For posterity, it's also worth mentioning that this particular command also works when assuming roles in CodeBuild when running commands from a buildspec.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment