-
-
Save ambakshi/ba0fe456bb6da24da7c2 to your computer and use it in GitHub Desktop.
#!/bin/bash | |
# | |
# Assume the given role, and print out a set of environment variables | |
# for use with aws cli. | |
# | |
# To use: | |
# | |
# $ eval $(./iam-assume-role.sh) | |
# | |
set -e | |
# Clear out existing AWS session environment, or the awscli call will fail | |
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN | |
# Old ec2 tools use other env vars | |
unset AWS_ACCESS_KEY AWS_SECRET_KEY AWS_DELEGATION_TOKEN | |
ROLE="${1:-SecurityMonkey}" | |
ACCOUNT="${2:-123456789}" | |
DURATION="${3:-900}" | |
NAME="${4:-$LOGNAME@`hostname -s`}" | |
# KST=access*K*ey, *S*ecretkey, session*T*oken | |
KST=(`aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE" \ | |
--role-session-name "$NAME" \ | |
--duration-seconds $DURATION \ | |
--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \ | |
--output text`) | |
echo 'export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}' | |
echo "export AWS_ACCESS_KEY_ID='${KST[0]}'" | |
echo "export AWS_ACCESS_KEY='${KST[0]}'" | |
echo "export AWS_SECRET_ACCESS_KEY='${KST[1]}'" | |
echo "export AWS_SECRET_KEY='${KST[1]}'" | |
echo "export AWS_SESSION_TOKEN='${KST[2]}'" # older var seems to work the same way | |
echo "export AWS_SECURITY_TOKEN='${KST[2]}'" | |
echo "export AWS_DELEGATION_TOKEN='${KST[2]}'" |
Hi!
Another way to achieve the same result:
Write a profile, which automatically assumes the role.
aws configure --profile new-profile set role_arn arn:aws:iam::$ACCOUNT:role/$ROLE
To give credentials to the new profile, you must use one of the following lines:
- aws configure --profile new-profile set source_profile default
- aws configure --profile new-profile set credential_source Ec2InstanceMetadata
- aws configure --profile new-profile set credential_source EcsContainer
Line 1) was correct on my personal pc, because I used the default profile.
Line 3) was correct when I tested the code with AWS CodeBuild. The new profile used the credentials of the codepipeline-role.
Afterwards, you may use the new profile, example:
aws --profile new-profile s3 ls s3://bucket-in-target-account
Documentation: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
Regards, maccopper2
- aws configure --profile new-profile set credential_source EcsContainer
For posterity, it's also worth mentioning that this particular command also works when assuming roles in CodeBuild when running commands from a buildspec.
It is reasonable to leave line 14 in if you logged in via a federated token in the first place.