@tomcant
Last active March 4, 2020 09:36
Acquire temporary AWS credentials for an IAM role using the STS AssumeRole operation.
{
"root": {
"access_key_id": "acceaccess_key_idss",
"secret_access_key": "secret_access_key"
},
"roles": {
"SomeRole": {
"arn": "arn:aws:iam::ACCOUNT_ID:role/SomeRole",
"external_id": "external_id"
},
"AnotherRole": {
"arn": "arn:aws:iam::ACCOUNT_ID:role/AnotherRole",
"external_id": "external_id"
}
}
}
#!/usr/bin/env bash
# Strict mode: abort on most errors (-e), let functions and subshells inherit
# the ERR trap (-E), treat unset variables as errors (-u), and make a pipeline
# fail when any stage fails (-o pipefail). See "The Set Builtin" in the manual.
set -eEuo pipefail
#######################################
# Print a one-line description and the invocation syntax on stdout.
# Globals:   BASH_SOURCE (read) for the script's own name
# Outputs:   two lines; the usage line is wrapped by highlight()
#######################################
usage() {
  local scriptName
  scriptName=$(basename "${BASH_SOURCE[0]}")
  printf '%s\n' \
    'Acquire temporary AWS credentials for an IAM role using the STS AssumeRole operation.' \
    "Usage: $(highlight "./${scriptName} role-alias [-f|--roles-file /path/to/assume-role.json] [-d|--debug]")"
}
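# Print the arguments in cyan on stdout. printf '%s' keeps the message text
# literal: echo -e would interpret backslash sequences inside it and would
# swallow a message that happens to look like an echo option.
highlight() { printf '\033[36m%s\033[0m\n' "$*"; }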
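# Print "ERROR: <args>" in red on stderr and exit with status 1. The message
# is printed with '%s' so user-supplied text (e.g. an unknown option) is
# shown verbatim rather than having backslash sequences interpreted.
fail() { printf '\033[31mERROR: %s\033[0m\n' "$*" >&2; exit 1; }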
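#######################################
# Print "DEBUG: <args>" in grey when DEBUG is not "false".
# Globals:   DEBUG (read; must be set, the script runs with nounset)
# Outputs:   the message on stderr. stdout is reserved for the `export`
#            lines the caller evals, so debug output must never go there.
# Returns:   0 when debug output is disabled, printf's status otherwise
#######################################
debug() {
  [[ "${DEBUG}" == "false" ]] && return 0
  printf '\033[90mDEBUG: %s\033[0m\n' "$*" >&2
}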
# Succeed silently when $1 resolves to a command, builtin or function;
# fail (still silently) otherwise.
commandExists() {
  command -v "$1" &>/dev/null
}
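#######################################
# Read a single string value from ROLES_FILE.
# Globals:   ROLES_FILE (read)
# Arguments: $1 - jq filter; may reference the jq variable $alias
#            $2 - role alias bound to $alias (optional)
# Outputs:   the value on stdout, or nothing when it is null or missing
# Returns:   jq's status (non-zero when the file is unreadable or not JSON)
#######################################
readRolesFileValue() {
  # --arg binds the alias as a jq variable, so a user-supplied alias is data
  # and can never change the filter itself.
  jq -r --arg alias "${2:-}" "($1) // empty" "${ROLES_FILE}"
}

#######################################
# Assume the IAM role registered under an alias in ROLES_FILE and print
# `export` statements for the temporary credentials on stdout.
# Globals:   ROLES_FILE (read), DEBUG (read via debug),
#            AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN (cleared)
# Arguments: $1 - role alias, a key under "roles" in ROLES_FILE
# Outputs:   three shell-quoted `export AWS_...=value` lines on stdout
# Returns:   0 on success; exits via fail() or errexit otherwise
#######################################
assumeRole() {
  local roleAlias="$1"

  debug "Resetting any credentials already present in the environment"
  # The AssumeRole call below only overrides the two root keys, so a session
  # token left in the environment would otherwise reach the CLI as well.
  export AWS_ACCESS_KEY_ID=""
  export AWS_SECRET_ACCESS_KEY=""
  export AWS_SESSION_TOKEN=""

  debug "Reading role info from file ${ROLES_FILE}"
  local roleArn roleExternalId rootAccessKeyId rootSecretAccessKey
  roleArn=$(readRolesFileValue '.roles[$alias].arn' "${roleAlias}")
  # Without this check an unknown alias would reach STS as --role-arn "".
  [[ -n "${roleArn}" ]] || fail "No ARN found for role alias \"${roleAlias}\" in ${ROLES_FILE}"
  debug "roleArn = ${roleArn}"

  roleExternalId=$(readRolesFileValue '.roles[$alias].external_id' "${roleAlias}")
  debug "roleExternalId = ${roleExternalId}"

  rootAccessKeyId=$(readRolesFileValue '.root.access_key_id')
  rootSecretAccessKey=$(readRolesFileValue '.root.secret_access_key')
  [[ -n "${rootAccessKeyId}" && -n "${rootSecretAccessKey}" ]] \
    || fail "Root credentials are missing from ${ROLES_FILE}"
  debug "rootAccessKeyId = ${rootAccessKeyId}"
  # Never print the secret itself, even in debug mode.
  debug "rootSecretAccessKey = <redacted, ${#rootSecretAccessKey} chars>"

  local -a stsArgs=(
    sts assume-role
    --role-arn "${roleArn}"
    --role-session-name "assume-role-${roleAlias}"
  )
  # An external ID is only required when the role's trust policy demands one;
  # send it when configured instead of passing an empty value.
  [[ -z "${roleExternalId}" ]] || stsArgs+=(--external-id "${roleExternalId}")

  local credentials
  # The root keys reach the CLI through its environment, not argv, so they do
  # not show up in the process list. errexit aborts the script if aws fails.
  credentials=$(
    AWS_ACCESS_KEY_ID="${rootAccessKeyId}" \
    AWS_SECRET_ACCESS_KEY="${rootSecretAccessKey}" \
    aws "${stsArgs[@]}"
  )

  local accessKeyId secretAccessKey sessionToken
  accessKeyId=$(jq -r '.Credentials.AccessKeyId // empty' <<<"${credentials}")
  secretAccessKey=$(jq -r '.Credentials.SecretAccessKey // empty' <<<"${credentials}")
  sessionToken=$(jq -r '.Credentials.SessionToken // empty' <<<"${credentials}")
  [[ -n "${accessKeyId}" && -n "${secretAccessKey}" && -n "${sessionToken}" ]] \
    || fail "AssumeRole response did not contain a complete set of credentials"

  # %q shell-quotes each value so the output is safe to eval verbatim.
  printf 'export AWS_ACCESS_KEY_ID=%q\n' "${accessKeyId}"
  printf 'export AWS_SECRET_ACCESS_KEY=%q\n' "${secretAccessKey}"
  printf 'export AWS_SESSION_TOKEN=%q\n' "${sessionToken}"
}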
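#######################################
# Parse arguments, verify dependencies, then assume the requested role.
# Globals:   DEBUG, ROLES_FILE (exported for the helper functions)
# Arguments: a role alias plus the options listed by usage()
# Outputs:   `export` lines on stdout (via assumeRole); diagnostics on stderr
# Returns:   0 on success; exits non-zero via fail() otherwise
#######################################
main() {
  export DEBUG=false
  export ROLES_FILE=~/.assume-role.json
  local roleAlias=""

  while (( $# > 0 )); do
    case "$1" in
      -f | --roles-file)
        # The option needs a value; a bare trailing -f would otherwise trip
        # nounset with an unhelpful message.
        (( $# >= 2 )) || { usage; fail "Option \"$1\" requires a path argument"; }
        export ROLES_FILE="$2"
        shift
        ;;
      -d | --debug) export DEBUG=true ;;
      -h | --help) usage; exit 0 ;;
      -*) usage; fail "Unknown option \"$1\"" ;;
      *)
        # A second positional argument is almost certainly a mistake; do not
        # silently let it overwrite the alias given earlier.
        [[ -z "${roleAlias}" ]] \
          || { usage; fail "Unexpected argument \"$1\" (role alias already given: \"${roleAlias}\")"; }
        roleAlias="$1"
        ;;
    esac
    shift
  done

  commandExists aws || fail "Dependency \"aws\" missing."
  commandExists jq || fail "Dependency \"jq\" missing."

  [[ -n "${roleAlias}" ]] || { usage; fail "Missing role alias"; }
  [[ -r "${ROLES_FILE}" ]] || fail "Roles file \"${ROLES_FILE}\" does not exist or is not readable"

  assumeRole "${roleAlias}"
}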
# Entry point: hand every argument through to main() untouched.
main "${@}"