getting credentials returned by AWS STS
I am having an EC2 instance assigned to an instance profile. The instance profile have permission to assume a cross-account role (say, Account B)
aws sts assume-role --role-arn "arn:aws:iam::Account_B_ID:role/admin"
by running this command, it will return a temporary security credentials including the session token. Now it comes to how to make use of the information to inject it into the environment variables so that the CLI will be able to run tasks (ec2-describe-instances) on Account B.
export EC2_URL=https://ec2.ap-southeast-1.amazonaws.com export EC2_HOME=/usr/bin export JAVA_HOME=/usr/lib/jvm/default-java/jre export AWS_ACCESS_KEY= export AWS_SECRET_KEY= export AWS_SESSION_TOKEN= PATH=$PATH:/usr/bin ec2-describe-instances
You can have the CLI do this all under the hood for you if you use config file. For example, if your credentials file (~/.aws/credentials) looks like this (setup via
[assume-role-source-credentials] aws_access_key_id = akid aws_secret_access_key = skid
And your config file (~/.aws/config) looks like this:
[profile assume-role-profile] source_profile = assume-role-source-credentials role_arn = arn:aws:iam::Account_B_ID:role/admin role_session_name = Admin_in_acc_B region = us-west-2
The CLI would then assume the role automatically, caching and refreshing them to reduce the number of calls to assume role. Note that you'll need to change up those profiles to match your exact configuration (particularly the region).
More docs here.
Using Temporary Credentials With AWS Resources, Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to
get-session-token, Returns a set of temporary security credentials that you can use to access AWS You must use credentials for an IAM user or an IAM role to call AssumeRole . getting credentials returned by AWS STS. Ask Question For example, if your credentials file (~/.aws/credentials) looks like this (setup via aws configure):
The mentioned solution "assume-role-profile" without hardcoded credentials, setting everything on the fly:
You create the profile with assumed role:
aws configure --profile assume-role-profile set role_arn arn:aws:iam::Account_B_ID:role/admin
To give credentials to the new profile, you must use one of the following lines:
aws configure --profile assume-role-profile set source_profile default
aws configure --profile assume-role-profile set credential_source Ec2InstanceMetadata
aws configure --profile assume-role-profile set credential_source EcsContainer
Line 1 was correct on my personal pc, because I used the default profile.
Line 2 should be correct in your case, using an EC2 Instance with an instance profile (correct wording: the instance has a role)
Line 3 was correct when I tested the code with AWS CodeBuild. The new profile used the credentials of the codepipeline-role.
Afterwards, you may use the new profile, example:
aws --profile assume-role-profile ec2 describe-instances
GetSessionToken, Getting Temporary Credentials. AWS STS has several operations that return temporary credentials, but the GetSessionToken operation is the simplest to Getting Temporary Credentials with AWS STS. You can use AWS Security Token Service to get temporary, limited-privilege credentials that can be used to access AWS services. There are three steps involved in using AWS STS: Activate a region (optional). Retrieve temporary security credentials from AWS STS. Use the credentials to access AWS resources.
AssumeRole - AWS Security Token Service, Returns a set of temporary security credentials for users who have been Security Credentials and Comparing the AWS STS API operations in the IAM User Guide Facebook, or Google, getting temporary security credentials, and then using The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API.
Using Temporary Credentials from AWS STS, A typical use is in a proxy application that gets temporary security credentials on The size of the security token that STS API operations return is not fixed. You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. This section describes how to get credentials and how to retrieve an Amazon Cognito identity from an identity pool.
AssumeRoleWithWebIdentity, A low-level client representing AWS Security Token Service (STS): Returns a set of temporary security credentials that you can use to access AWS Login with Amazon, Facebook, or Google, getting temporary security credentials, and then AWS Security Token Service(STS) that enables you to request temporary, limited privilege credentials for IAM Users or Federated Users). As we set the user to assume Role, let generate the temporary…