Assume an IAM role using the AWS CLI (amazon.com)
Authenticating to AWS with Environment Variables | by Yevgeniy Brikman | Gruntwork
amazon web services - bash script for AWS assume-role - Stack Overflow
aws sts get-caller-identity
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
aws sts get-caller-identity
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws sts get-caller-identity
-------------------------------------------------------------------------------
Next, you call aws sts assume-role
, passing it the ARN of the IAM Role you want to assume, plus a “role session name” that can be used to tell who is assuming the IAM Role and why (as the same IAM Role may be assumed by may different users):
aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/dev-full-access \
--role-session-name username@company.com
This will return a blob of JSON that contains Temporary Access Keys:
{
"Credentials": {
"SecretAccessKey": "secret-access-key",
"SessionToken": "temporary-session-token",
"Expiration": "expiration-date-time",
"AccessKeyId": "access-key-id"
}
}
You must now set these Temporary Access Keys as environment variables, overriding the old environment variables:
export AWS_ACCESS_KEY_ID=<Access-key-from-output>
export AWS_SECRET_ACCESS_KEY=<Secret-access-key-from-output>
export AWS_SESSION_TOKEN=<Session-Token-from-output>