Wednesday, June 22, 2022

AWS ASSUMEROLE

 Assume an IAM role using the AWS CLI (amazon.com)

Authenticating to AWS with Environment Variables | by Yevgeniy Brikman | Gruntwork

amazon web services - bash script for AWS assume-role - Stack Overflow


aws sts get-caller-identity

aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session

export AWS_ACCESS_KEY_ID=RoleAccessKeyID export AWS_SECRET_ACCESS_KEY=RoleSecretKey export AWS_SESSION_TOKEN=RoleSessionToken

aws sts get-caller-identity

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN aws sts get-caller-identity

-------------------------------------------------------------------------------

Next, you call aws sts assume-role, passing it the ARN of the IAM Role you want to assume, plus a “role session name” that can be used to tell who is assuming the IAM Role and why (as the same IAM Role may be assumed by may different users):

aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/dev-full-access \
--role-session-name username@company.com

This will return a blob of JSON that contains Temporary Access Keys:

{
"Credentials": {
"SecretAccessKey": "secret-access-key",
"SessionToken": "temporary-session-token",
"Expiration": "expiration-date-time",
"AccessKeyId": "access-key-id"
}
}

You must now set these Temporary Access Keys as environment variables, overriding the old environment variables:

export AWS_ACCESS_KEY_ID=<Access-key-from-output>
export AWS_SECRET_ACCESS_KEY=<Secret-access-key-from-output>
export AWS_SESSION_TOKEN=<Session-Token-from-output>

No comments:

Post a Comment

Azure - Pipeline - Add Approver for Stage

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass