amcginlay/assume-iam-role.sh

## assume-iam-role.sh
How to assume an IAM role using the AWS CLI
===========================================
# from admin session
# TODO fix this to eliminate ACCOUNT_ID env var
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
aws iam create-user --user-name test-user
cat << EOF > test-policy.json
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "iam:ListRole",
            "sts:AssumeRole"
        ],
        "Resource": "*"
    }
}
EOF
aws iam create-policy --policy-name test-policy --policy-document file://test-policy.json
aws iam attach-user-policy --user-name test-user --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/test-policy
aws iam list-attached-user-policies --user-name test-user
aws iam create-access-key --user-name test-user
        "AccessKeyId": "whatever"
        "SecretAccessKey": "whatever",
cat << EOF > test-role-trust-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
aws iam create-role --role-name test-role --assume-role-policy-document file://test-role-trust-policy.json
aws iam attach-role-policy --role-name test-role --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
aws iam list-attached-role-policies --role-name test-role

# from test-user session (log in with test-user CLI creds)
aws configure
aws sts get-caller-identity
# following will work
aws ec2 describe-instances --query "Reservations[*].Instances[*].[VpcId,InstanceId,ImageId,InstanceType]"
# following will fail
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"

# from admin session
aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT_ID}:role/test-role --role-session-name test-session
aws iam list-roles --query "Roles[?RoleName == 'test-role'].[RoleName,Arn]"
# exported env vars override config
export AWS_ACCESS_KEY_ID="<ASSUMED_ACCESS_KEY_ID>"
export AWS_SECRET_ACCESS_KEY="<ASSUMED_SECRET_ACCESS_KEY>"
export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
aws sts get-caller-identity
# following will now FAIL
aws ec2 describe-instances --query "Reservations[*].Instances[*].[VpcId,InstanceId,ImageId,InstanceType]"
# following will now WORK
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws sts get-caller-identity

cat << EOF >> ~/.aws/config

[profile test-role-profile]
role_arn = arn.aws.iam::${ACCOUNT_ID}:role/test-role
source_profile = default
region = us-east-1
EOF
aws sts get-caller-identity --profile test-role-profile # <--- last line didn't work for me!
	How to assume an IAM role using the AWS CLI
	===========================================
	# from admin session
	# TODO fix this to eliminate ACCOUNT_ID env var
	ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
	aws iam create-user --user-name test-user
	cat << EOF > test-policy.json
	{
	"Version": "2012-10-17",
	"Statement": {
	"Effect": "Allow",
	"Action": [
	"ec2:Describe*",
	"iam:ListRole",
	"sts:AssumeRole"
	],
	"Resource": "*"
	}
	}
	EOF
	aws iam create-policy --policy-name test-policy --policy-document file://test-policy.json
	aws iam attach-user-policy --user-name test-user --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/test-policy
	aws iam list-attached-user-policies --user-name test-user
	aws iam create-access-key --user-name test-user
	"AccessKeyId": "whatever"
	"SecretAccessKey": "whatever",
	cat << EOF > test-role-trust-policy.json
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
	"Action": "sts:AssumeRole"
	}
	]
	}
	EOF
	aws iam create-role --role-name test-role --assume-role-policy-document file://test-role-trust-policy.json
	aws iam attach-role-policy --role-name test-role --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
	aws iam list-attached-role-policies --role-name test-role

	# from test-user session (log in with test-user CLI creds)
	aws configure
	aws sts get-caller-identity
	# following will work
	aws ec2 describe-instances --query "Reservations[].Instances[].[VpcId,InstanceId,ImageId,InstanceType]"
	# following will fail
	aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"

	# from admin session
	aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT_ID}:role/test-role --role-session-name test-session
	aws iam list-roles --query "Roles[?RoleName == 'test-role'].[RoleName,Arn]"
	# exported env vars override config
	export AWS_ACCESS_KEY_ID="<ASSUMED_ACCESS_KEY_ID>"
	export AWS_SECRET_ACCESS_KEY="<ASSUMED_SECRET_ACCESS_KEY>"
	export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
	aws sts get-caller-identity
	# following will now FAIL
	aws ec2 describe-instances --query "Reservations[].Instances[].[VpcId,InstanceId,ImageId,InstanceType]"
	# following will now WORK
	aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"

	unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
	aws sts get-caller-identity

	cat << EOF >> ~/.aws/config

	[profile test-role-profile]
	role_arn = arn.aws.iam::${ACCOUNT_ID}:role/test-role
	source_profile = default
	region = us-east-1
	EOF
	aws sts get-caller-identity --profile test-role-profile # <--- last line didn't work for me!