AWS: Code Snippet Assume User/Role and Role/Role

Assuming roles on AWS instances and from your laptop is very easy: all you need is the AWS CLI and network access to the AWS API. The bash snippets below walk through the common use cases.

The export statements below cover every variable-name variant I have encountered over the years, including inconsistencies between the AWS tools and the API. The only ones you should actually need are AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. Setting AWS_DEFAULT_REGION is important as well, so it is unambiguous which regional API endpoint you are calling.

Assume User using API-keys

# Unsetting/clearing any AWS settings
export AWS_ACCESS_KEY_ID=
export AWS_ACCESS_KEY=
export AWS_SECRET_ACCESS_KEY=
export AWS_SECRET_KEY=
export AWS_SESSION_TOKEN=
export AWS_SECURITY_TOKEN=
export AWS_DELEGATION_TOKEN=

# "logging-in-information"
AWS_DEFAULT_REGION=eu-west-1
AWS_ACCESS_KEY_ID=AKIASOMERANDOMACCESSKEYID
AWS_SECRET_ACCESS_KEY=SOMERANDOM/ACCESS/KEY01234

# Export the values to the system so the AWS cli tools can use them during your session
export AWS_DEFAULT_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY

Assume Role from user/role

From a logged-on user, role or EC2 instance role that has sts:AssumeRole permission on the target role:

# Setting some variables just to make it "easy"
ROLE="RoleToAssume"
ACCOUNT="012345678910"
DURATION="3600"
NAME="some-role-session-name"
EXTERNALID="14726dda-31ab-436e-836a-eb2608731927"

# Call STS, select the three credential fields as one tab-separated line and
# split them into a bash array: KST[0]=AccessKeyId, KST[1]=SecretAccessKey, KST[2]=SessionToken
KST=($(aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE" \
                           --role-session-name "$NAME" \
                           --duration-seconds "$DURATION" \
                           --external-id "$EXTERNALID" \
                           --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
                           --output text))

# Export the temporary credentials under every name variant (see above)
export AWS_ACCESS_KEY_ID=${KST[0]}
export AWS_ACCESS_KEY=${KST[0]}
export AWS_SECRET_ACCESS_KEY=${KST[1]}
export AWS_SECRET_KEY=${KST[1]}
export AWS_SESSION_TOKEN=${KST[2]}
export AWS_SECURITY_TOKEN=${KST[2]}
export AWS_DELEGATION_TOKEN=${KST[2]}

Assume Role from Role

To jump from one role to another, run the assume-role steps in order: each hop exports a new set of credentials that replaces the previous one. Don't forget to unset or overwrite the session-token variables as well, otherwise a stale token from the previous hop stays in the environment.

# Setting some variables just to make it "easy" 
ROLE="RoleToAssume"
ACCOUNT="012345678910"
DURATION="3600"
NAME="some-role-session-name"
EXTERNALID="4f804771-6cdb-406a-b95e-83b0c2051a49"

# Setting some variables to assume the role with the role
ROLE2="2ndRoleToAssume"
ACCOUNT2="012345678910"
DURATION2="3600"
NAME2="some-other-role-session-name"
EXTERNALID2="6f855c25-9c98-446b-8ca6-adb94c783e8a"

# First hop: assume the first role with the current user/role credentials
KST=($(aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE" \
                           --role-session-name "$NAME" \
                           --duration-seconds "$DURATION" \
                           --external-id "$EXTERNALID" \
                           --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
                           --output text))

# Set the variables
export AWS_ACCESS_KEY_ID=${KST[0]}
export AWS_ACCESS_KEY=${KST[0]}
export AWS_SECRET_ACCESS_KEY=${KST[1]}
export AWS_SECRET_KEY=${KST[1]}
export AWS_SESSION_TOKEN=${KST[2]}
export AWS_SECURITY_TOKEN=${KST[2]}
export AWS_DELEGATION_TOKEN=${KST[2]}

# Second hop: the call now runs with the first role's temporary credentials
KST=($(aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT2:role/$ROLE2" \
                           --role-session-name "$NAME2" \
                           --duration-seconds "$DURATION2" \
                           --external-id "$EXTERNALID2" \
                           --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
                           --output text))

# Overwrite the current set of variables (including the session token) with the role assumed by the role
export AWS_ACCESS_KEY_ID=${KST[0]}
export AWS_ACCESS_KEY=${KST[0]}
export AWS_SECRET_ACCESS_KEY=${KST[1]}
export AWS_SECRET_KEY=${KST[1]}
export AWS_SESSION_TOKEN=${KST[2]}
export AWS_SECURITY_TOKEN=${KST[2]}
export AWS_DELEGATION_TOKEN=${KST[2]}

To add MFA to the CLI call, append --serial-number <arn-of-the-mfa-device> --token-code <code-from-the-device> to the assume-role commands above. You can use a nested command substitution (backticks or $( )) so the token code is read straight from your MFA tool (e.g., oathtool).
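As an added example (my own code, not part of the original post), the chaining and MFA steps above wrapped into a few shell functions. It keeps the post's --query, so STS returns one tab-separated line, but it refuses to export anything unless that line has exactly three fields: a failed STS call then stops the script instead of silently leaving blank credentials in the environment. The function names (clear_aws_env, apply_sts_credentials, assume_role_export) are my own, and the sample credential line at the bottom is a constructed placeholder, not real credentials.

```shell
#!/usr/bin/env bash
# Added example: safer assume-role / role-chaining helpers (not from the original post).

# Clear every credential variable variant the post mentions before the next hop,
# so no stale key or session token from a previous role survives.
clear_aws_env() {
  unset AWS_ACCESS_KEY_ID AWS_ACCESS_KEY AWS_SECRET_ACCESS_KEY AWS_SECRET_KEY \
        AWS_SESSION_TOKEN AWS_SECURITY_TOKEN AWS_DELEGATION_TOKEN
}

# Take one line of `aws sts assume-role --output text` (AccessKeyId, SecretAccessKey,
# SessionToken separated by tabs, as produced by the post's --query) and export it.
# Returns 1 without touching the environment unless exactly three non-empty fields
# are present, so a failed call or a wrong --query cannot leave you half logged in.
apply_sts_credentials() {
  ak=""; sk=""; st=""; extra=""
  IFS="$(printf '\t')" read -r ak sk st extra <<EOF
$1
EOF
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ] || [ -n "$extra" ]; then
    echo "apply_sts_credentials: expected exactly 3 tab-separated fields" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$ak" AWS_ACCESS_KEY="$ak"
  export AWS_SECRET_ACCESS_KEY="$sk" AWS_SECRET_KEY="$sk"
  export AWS_SESSION_TOKEN="$st" AWS_SECURITY_TOKEN="$st" AWS_DELEGATION_TOKEN="$st"
}

# Assume a role with the credentials currently in the environment and export the result.
# Arguments: role ARN, session name, duration in seconds, then optionally an external id,
# an MFA device ARN and the MFA token code (the --serial-number/--token-code flags from the post).
assume_role_export() {
  role_arn=$1; session=$2; duration=$3
  external_id=${4:-}; mfa_serial=${5:-}; mfa_code=${6:-}
  set -- aws sts assume-role --role-arn "$role_arn" \
         --role-session-name "$session" --duration-seconds "$duration" \
         --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
         --output text
  if [ -n "$external_id" ]; then
    set -- "$@" --external-id "$external_id"
  fi
  if [ -n "$mfa_serial" ]; then
    set -- "$@" --serial-number "$mfa_serial" --token-code "$mfa_code"
  fi
  out=$("$@") || { echo "assume_role_export: STS call for $role_arn failed" >&2; return 1; }
  apply_sts_credentials "$out"
}

# Demo on a constructed line in the shape the STS call prints for the query above
# (placeholder values, not real credentials); a real chain would call
# assume_role_export once per hop, e.g.
#   assume_role_export "arn:aws:iam::012345678910:role/RoleToAssume" my-session 3600 "$EXTERNALID"
#   assume_role_export "arn:aws:iam::012345678910:role/2ndRoleToAssume" my-session-2 3600 "$EXTERNALID2"
sample=$(printf 'ASIAEXAMPLEKEYID0000\tEXAMPLE/SECRET+KEY0123456789abcdef\tEXAMPLEsessionTOKEN==')
apply_sts_credentials "$sample" && echo "exported session for $AWS_ACCESS_KEY_ID"
```

After every hop, aws sts get-caller-identity is the quickest way to confirm which role you actually hold. Note that AWS caps role-chaining sessions (a role assumed with credentials of another role) at one hour, so a DURATION2 above 3600 is rejected on the second hop regardless of the role's configured maximum.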

Author: Angelique Dawnbringer
Published: 2011-12-12 00:00:00
Keywords:
  • Code snippet
  • Bash
  • Assume User
  • Assume Role
Modified: 2022-11-14 20:11:31