How do I assume an IAM role using the AWS CLI?
How to assume an IAM role using the AWS CLI
===========================================
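# Step-by-step walkthrough for bash, meant to be pasted one section at a time
# into an interactive shell. Several commands below are *expected* to fail
# (that is the point of the demo), so do not run this under `set -e`.
# Requires the AWS CLI and, to start with, admin credentials.
#
# Sessions: the "admin" session is your normal profile; the "test-user" session
# is the same shell with AWS_PROFILE=test-user. Every credential produced here
# is captured straight from the CLI response into a profile or the environment,
# so no secret has to be copy/pasted and none ends up in shell history or in
# this file.

# ---- admin session ---------------------------------------------------------
# The account id is derived from whoever is calling, so this line can simply
# be re-run in the test-user session (same account, same value).
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)

aws iam create-user --user-name test-user

# Identity policy for test-user. sts:AssumeRole is scoped to the one role
# created below: with "Resource": "*" the user could assume *any* role in the
# account whose trust policy admits it. The action is iam:ListRoles (plural);
# "iam:ListRole" is not an IAM action, so the list-roles call further down
# would be denied with that spelling.
cat << EOF > test-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::${ACCOUNT_ID}:role/test-role"
    }
  ]
}
EOF
aws iam create-policy --policy-name test-policy --policy-document file://test-policy.json
aws iam attach-user-policy --user-name test-user \
  --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/test-policy"
aws iam list-attached-user-policies --user-name test-user

# Long-lived access key for test-user. The secret is only returned once, so it
# is written straight into a named CLI profile rather than printed and pasted.
# A named profile also leaves the admin "default" profile intact (a plain
# `aws configure` would overwrite it). The key is deleted in the teardown at
# the bottom; do not leave it lying around.
read -r TEST_USER_KEY_ID TEST_USER_KEY_SECRET < <(
  aws iam create-access-key --user-name test-user \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
aws configure set aws_access_key_id     "$TEST_USER_KEY_ID"     --profile test-user
aws configure set aws_secret_access_key "$TEST_USER_KEY_SECRET" --profile test-user
aws configure set region us-east-1 --profile test-user
unset TEST_USER_KEY_ID TEST_USER_KEY_SECRET

# Trust policy for test-role. Trusting the account root
# ("arn:aws:iam::${ACCOUNT_ID}:root") would let every principal in the account
# that holds sts:AssumeRole permission assume this role; trusting the single
# user is the least-privilege form for this exercise. Add further principals
# here if, say, your admin identity should be able to assume it too.
cat << EOF > test-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:user/test-user" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
aws iam create-role --role-name test-role \
  --assume-role-policy-document file://test-role-trust-policy.json
aws iam attach-role-policy --role-name test-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
aws iam list-attached-role-policies --role-name test-role

# ---- test-user session -----------------------------------------------------
# IAM changes can take a few seconds to propagate; if the first call is denied,
# wait briefly and retry.
export AWS_PROFILE=test-user
aws sts get-caller-identity
# allowed by test-policy (ec2:Describe*)
aws ec2 describe-instances --query "Reservations[*].Instances[*].[VpcId,InstanceId,ImageId,InstanceType]"
# denied: test-user holds no rds:* permission of its own
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"

# Still the test-user session (the trust policy above admits only test-user).
# The temporary credentials go straight from the STS response into the
# environment; exported credential variables take precedence over profiles.
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
aws iam list-roles --query "Roles[?RoleName == 'test-role'].[RoleName,Arn]"
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN < <(
  aws sts assume-role --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/test-role" \
    --role-session-name test-session \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws sts get-caller-identity   # now reports the assumed-role session
# now denied: the role carries only AmazonRDSReadOnlyAccess
aws ec2 describe-instances --query "Reservations[*].Instances[*].[VpcId,InstanceId,ImageId,InstanceType]"
# now allowed
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"

# Drop the role credentials; the CLI falls back to the test-user profile.
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws sts get-caller-identity

# Tidier alternative: let the CLI assume the role for you through a profile.
# The role ARN must use colon separators ("arn:aws:iam::..."); a mistyped
# "arn.aws.iam::..." is not a valid ARN and the profile will not work.
cat << EOF >> ~/.aws/config

[profile test-role-profile]
role_arn = arn:aws:iam::${ACCOUNT_ID}:role/test-role
source_profile = test-user
region = us-east-1
EOF
aws sts get-caller-identity --profile test-role-profile

# ---- teardown (admin session) ----------------------------------------------
# Do not leave a user with long-lived keys behind once the exercise is over.
unset AWS_PROFILE
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
read -ra TEST_USER_KEYS < <(aws iam list-access-keys --user-name test-user \
  --query 'AccessKeyMetadata[].AccessKeyId' --output text)
for key_id in "${TEST_USER_KEYS[@]}"; do
  aws iam delete-access-key --user-name test-user --access-key-id "$key_id"
done
aws iam detach-user-policy --user-name test-user \
  --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/test-policy"
aws iam delete-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/test-policy"
aws iam detach-role-policy --role-name test-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
aws iam delete-role --role-name test-role
aws iam delete-user --user-name test-user
# Finally remove the [test-user] and [profile test-role-profile] entries from
# ~/.aws/credentials and ~/.aws/config by hand.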