@amcginlay
Created November 27, 2019 00:27
How do I assume an IAM role using the AWS CLI?
How to assume an IAM role using the AWS CLI
===========================================
```bash
# from admin session
# TODO fix this to eliminate ACCOUNT_ID env var
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
aws iam create-user --user-name test-user
cat << EOF > test-policy.json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",
      "iam:ListRoles",
      "sts:AssumeRole"
    ],
    "Resource": "*"
  }
}
EOF
aws iam create-policy --policy-name test-policy --policy-document file://test-policy.json
aws iam attach-user-policy --user-name test-user --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/test-policy
aws iam list-attached-user-policies --user-name test-user
aws iam create-access-key --user-name test-user
# note the "AccessKeyId" and "SecretAccessKey" values in the output; the secret is shown only once
cat << EOF > test-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
aws iam create-role --role-name test-role --assume-role-policy-document file://test-role-trust-policy.json
aws iam attach-role-policy --role-name test-role --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
aws iam list-attached-role-policies --role-name test-role

# from test-user session (log in with test-user CLI creds)
aws configure   # enter the test-user access key id and secret access key
aws sts get-caller-identity
# following will work
aws ec2 describe-instances --query "Reservations[*].Instances[*].[VpcId,InstanceId,ImageId,InstanceType]"
# following will fail
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"

# from admin session
aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT_ID}:role/test-role --role-session-name test-session
aws iam list-roles --query "Roles[?RoleName == 'test-role'].[RoleName,Arn]"
# exported env vars override config
export AWS_ACCESS_KEY_ID="<ASSUMED_ACCESS_KEY_ID>"
export AWS_SECRET_ACCESS_KEY="<ASSUMED_SECRET_ACCESS_KEY>"
export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
aws sts get-caller-identity
# following will now FAIL
aws ec2 describe-instances --query "Reservations[*].Instances[*].[VpcId,InstanceId,ImageId,InstanceType]"
# following will now WORK
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBName,DBInstanceStatus,AvailabilityZone,DBInstanceClass]"
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws sts get-caller-identity

# role_arn must be a full ARN with ':' separators; source_profile must hold
# credentials that are allowed to call sts:AssumeRole on the role (the admin creds here)
cat << EOF >> ~/.aws/config
[profile test-role-profile]
role_arn = arn:aws:iam::${ACCOUNT_ID}:role/test-role
source_profile = default
region = us-east-1
EOF
aws sts get-caller-identity --profile test-role-profile # <--- last line didn't work for me!
```
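Copying the three credential values into `export` lines by hand, as above, is error-prone, and a malformed role ARN (dots instead of colons, a short account id) only surfaces as a failed call; this helper, an added example and not part of the original gist, validates the role ARN format up front and turns the `--output text` form of `aws sts assume-role` into `export` statements for `eval`. The function names are mine and the credential values used in the check are constructed.

```bash
# Added helper, not from the original gist. Checks the role ARN format
# before calling STS, then converts the tab-separated credentials returned by
# `aws sts assume-role --output text` into export statements for eval.

# Reject malformed role ARNs (e.g. dots instead of colons, account id not
# 12 digits) before they reach the CLI, where they only show up as a failure.
valid_role_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Read "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken<TAB>Expiration" from
# stdin (the shape produced by the --query/--output text flags used below)
# and print export statements. Returns 1 if any of the three values is empty.
creds_to_exports() {
  IFS="$(printf '\t')" read -r key secret token expiry
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  printf '# temporary credentials expire at %s\n' "$expiry"
}

# Assume a role and load its temporary credentials into the current shell.
# Usage: assume_role arn:aws:iam::123456789012:role/test-role test-session
assume_role() {
  valid_role_arn "$1" || { echo "invalid role ARN: $1" >&2; return 1; }
  eval "$(aws sts assume-role --role-arn "$1" --role-session-name "$2" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
      --output text | creds_to_exports)"
}

# Drop the assumed-role credentials again, as the gist does with unset,
# so later commands fall back to the configured profile.
drop_assumed_role() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}
```

Because the exported variables override `~/.aws/config`, run `drop_assumed_role` (or open a fresh shell) before expecting the admin or test-user identity back from `aws sts get-caller-identity`.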