Description

I believe Boto should support programatic configuration of an “assume role credentials provider.” In other words, it should support support a syntax similar to:

boto3.client('s3', config=Config(
    role_arn='arn:aws:iam::123456789012:role/S3Access',
    role_session_name='xxx'
))

With this configuration in place, the client would:

1. Make requests using credentials obtained via sts -> AssumeRole
2. Transparently refresh the credentials when they expire

Rationale

I believe this should be supported because it’s already implemented in all other major AWS SDKs. Of the SDKs listed at https://aws.amazon.com/tools/, I’m seeing 6 that can do this and 2 that can’t (Python & PHP).

I want to stress that I’m not requesting this feature because it would be a good addition (although I do 😄 ), but rather, because I see it as a gap in Boto compared to all other SDKs. I think it’s reasonable to assume most developers with a background in other language SDKs would expect this to be supported.

Also worth noting: Boto does support this under the hood, as shown here, however it’s not programmatically configurable like with other SDKs (as far as I can tell).

Examples in other languages

I tried to link to official AWS documentation where possible. For the ones I couldn’t find, I paraphrased examples provided by the wonderful people of GitHub.

Go

// Create the credentials from AssumeRoleProvider to assume the role
// referenced by the "myRoleARN" ARN.
stsSvc := sts.NewFromConfig(cfg)
creds := stscreds.NewAssumeRoleProvider(stsSvc, "myRoleArn")

cfg.Credentials = aws.NewCredentialsCache(creds)

// Create service client value configured for credentials
// from assumed role.
svc := s3.NewFromConfig(cfg)

Java

Region region = Region.of(awsRegion);
StsClient stsClient = StsClient.builder().region(region).build();
AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
    .roleArn(roleArn)
    .roleSessionName(roleSessionName)
    .build(); 
StsAssumeRoleCredentialsProvider stsARCP = StsAssumeRoleCredentialsProvider.builder()
    .stsClient(stsClient)
    .refreshRequest(assumeRoleRequest)
    .asyncCredentialUpdateEnabled(true)
    .build();
KinesisAsyncClient kinesisClient = KinesisClientUtil
    .createKinesisAsyncClient(KinesisAsyncClient.builder()
    .credentialsProvider(stsARCP)
    .region(region));

JavaScript

AWS.config.credentials = new AWS.ChainableTemporaryCredentials({
  params: {
    RoleArn: 'arn:aws:iam::1234567890:role/TemporaryCredentials'
  }
});

Ruby

role_credentials = Aws::AssumeRoleCredentials.new(
  client: Aws::STS::Client.new,
  role_arn: "linked::account::arn",
  role_session_name: "session-name"
)

s3 = Aws::S3::Client.new(credentials: role_credentials)

.NET

AWSCredentials sourceCredentials = FallbackCredentialsFactory
    .GetCredentials( fallbackToAnonymous: false );

AWSCredentials credentials credentials = new AssumeRoleAWSCredentials(
    sourceCredentials,
    roleArn: config.RoleArn,
    roleSessionName: $"dotnet-dynamodb-lock"
);

AmazonDynamoDBConfig dbConfig = new AmazonDynamoDBConfig {
    MaxErrorRetry = 10,
    RetryMode = RequestRetryMode.Standard,
    Timeout = TimeSpan.FromSeconds( 10 )
};

IAmazonDynamoDB db = new AmazonDynamoDBClient( credentials, dbConfig );

C++

credentials_provider_ =
    tdb::make_shared<Aws::Auth::STSAssumeRoleCredentialsProvider>(
        HERE(),
        role_arn,
        session_name,
        external_id,
        load_frequency,
        nullptr);

client_ = tdb::make_shared<Aws::S3::S3Client>(
    HERE(),
    credentials_provider_,
    *client_config_,
    Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never,
    use_virtual_addressing_);