Last active
July 6, 2024 02:59
-
-
Save ambakshi/ba0fe456bb6da24da7c2 to your computer and use it in GitHub Desktop.
Assume an IAM role. An interesting way of doing IAM roles is to give the instance permissions to assume another role, but no actual permissions by default. I got this idea while setting up security monkey: http://securitymonkey.readthedocs.org/en/latest/quickstart1.html#setup-iam-roles.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Assume the given role, and print out a set of environment variables | |
| # for use with aws cli. | |
| # | |
| # To use: | |
| # | |
| # $ eval $(./iam-assume-role.sh) | |
| # | |
| set -e | |
| # Clear out existing AWS session environment, or the awscli call will fail | |
| unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN | |
| # Old ec2 tools use other env vars | |
| unset AWS_ACCESS_KEY AWS_SECRET_KEY AWS_DELEGATION_TOKEN | |
| ROLE="${1:-SecurityMonkey}" | |
| ACCOUNT="${2:-123456789}" | |
| DURATION="${3:-900}" | |
| NAME="${4:-$LOGNAME@`hostname -s`}" | |
| # KST=access*K*ey, *S*ecretkey, session*T*oken | |
| KST=(`aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE" \ | |
| --role-session-name "$NAME" \ | |
| --duration-seconds $DURATION \ | |
| --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \ | |
| --output text`) | |
| echo 'export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}' | |
| echo "export AWS_ACCESS_KEY_ID='${KST[0]}'" | |
| echo "export AWS_ACCESS_KEY='${KST[0]}'" | |
| echo "export AWS_SECRET_ACCESS_KEY='${KST[1]}'" | |
| echo "export AWS_SECRET_KEY='${KST[1]}'" | |
| echo "export AWS_SESSION_TOKEN='${KST[2]}'" # older var seems to work the same way | |
| echo "export AWS_SECURITY_TOKEN='${KST[2]}'" | |
| echo "export AWS_DELEGATION_TOKEN='${KST[2]}'" |
- aws configure --profile new-profile set credential_source EcsContainer
For posterity, it's also worth mentioning that this particular command also works when assuming roles in CodeBuild when running commands from a buildspec.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi!
Another way to achieve the same result:
Write a profile, which automatically assumes the role.
aws configure --profile new-profile set role_arn arn:aws:iam::$ACCOUNT:role/$ROLE
To give credentials to the new profile, you must use one of the following lines:
Line 1) was correct on my personal pc, because I used the default profile.
Line 3) was correct when I tested the code with AWS CodeBuild. The new profile used the credentials of the codepipeline-role.
Afterwards, you may use the new profile, example:
aws --profile new-profile s3 ls s3://bucket-in-target-account
Documentation: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
Regards, maccopper2