Allow using AWS_ROLE_ARN to assume role without web identity
Is your feature request related to a problem? Please describe.
I recently discovered that boto has the feature of assuming a role using a web identity if AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are provided.
But it is not possible to assume a role (AssumeRole operation) using only AWS_ROLE_ARN.
The only way we have to assume role is to execute the following steps:
aws sts assume-role --role-arn arn:aws:iam::ACCOUNT:role/ROLE_NAME --role-session-name my-role
# Then get the credentials from the output of the command above and export them
I am also open to suggestions on how to make that easier.
Describe the solution you’d like
I would like to be able to assume other roles by providing the AWS_ROLE_ARN env var.
NOTE: I want to assume a role using AssumeRole, not AssumeRoleWithWebIdentity
Thanks!
Issue Analytics
- State:
- Created 3 years ago
- Reactions:12
- Comments:5
Top GitHub Comments
@vaisakhpisharody The original request is that there is an environment variable that causes a role to be assumed based on other AWS credentials. This would need to be implemented in botocore, and would then work for both the AWS CLI and boto3. Currently, role assumption is possible using ~/.aws/config, which looks like:

where the credentials for my-source-profile are in ~/.aws/credentials.

Then you can do (for example) aws sts get-caller-identity --profile my-assume-role-profile or in python boto3.Session(profile_name='my-assume-role-profile').client('sts').get_caller_identity().

The web identity provider works a similar way. You can have your ~/.aws/config look like this:

However, the web identity provider is implemented in such a way that it also looks for role_arn and web_identity_token_file in environment variables. The assume role provider doesn’t. Note that there are several more parameters you can use with AssumeRole than with AssumeRoleWithWebIdentity.

As you say, the aws-assume-role-lib option, and the code you provided above, only works if you are in control of the code that uses boto3, or if such code takes a boto3 session as input.

However, if the code uses the module-level boto3.client() or boto3.resource() function, rather than first creating a session and using that, you can, in your code, create the assumed role session using aws-assume-role-lib and set boto3.DEFAULT_SESSION to that (which is what the module-level client and resource functions use).

Hi! Just pinging to see if there is motion on this request - it would make our use of cloudwatch log pushers (from the v1 awscli) much more flexible.