Allow using AWS_ROLE_ARN to assume role without web identity

@vaisakhpisharody The original request is that there is an environment variable that cause a role to be assumed based on other AWS credentials. This would need to be implemented in botocore, and would then work for both the AWS CLI and boto3. Currently, role assumption is possible using ~/.aws/config, which looks like:

[profile my-source-profile]
region = us-east-2

[profile my-assume-role-profile]
role_arn = arn:aws:iam::ACCOUNT:role/ROLE_NAME
source_profile = my-source-profile
region = us-east-2

where the credentials for my-source-profile are in ~/.aws/credentials.

Then you can do (for example) aws sts get-caller-identity --profile my-assume-role-profile or in python boto3.Session(profile_name='my-assume-role-profile').client('sts').get_caller_identity().

The web identity provider works a similar way. You can have your ~/.aws/config look like this:

[profile my-web-identity-profile]
role_arn = arn:aws:iam::ACCOUNT:role/ROLE_NAME
web_identity_token_file = /path/to/file

However, the web identity provider is implemented in such a way that it also looks for role_arn and web_identity_token_file in environment variables. The assume role provider doesn’t. Note that there’s several more parameters you can use with AssumeRole than with AssumeRoleWithWebIdentity.

As you say, the aws-assume-role-lib option, and the code you provided above, only works if you are in control of the code that uses boto3, or if such code takes a boto3 session as input.

However, if the code uses the module-level boto3.client() or boto3.resource() function, rather than first creating a session and using that, you can, in your code, create the assumed role session using aws-assume-role-lib and set boto3.DEFAULT_SESSION to that (which is what the module-level client and resource functions use).

Hi! Just pinging to see if there is motion on this request- it would make our use of cloudwatch log pushers (from the v1 awscli) much more flexible.