using profile that assume role in aws-sdk (AWS JavaScript SDK)


Using the AWS SDK for JavaScript, I want to use a default profile that assumes a role. This works perfectly with the AWS CLI. Using node.js with the SDK does not assume the role, but only uses credentials to the AWS account that the access key belongs to. I've found this documentation but it does not deal with assuming a role: http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-shared.html

Any tips?

This is my config file:

[default]
role_arn = arn:aws:iam::123456789:role/Developer
source_profile = default
output = json
region = us-east-1

The CLI and SDK work differently, in that you must explicitly assume the role when using the SDK. The SDK doesn't automatically assume the role from the config as the CLI does.

After the role is assumed, the AWS.config must be updated with the new credentials.

This works for me:

var AWS = require('aws-sdk');
AWS.config.region = 'us-east-1';

var sts = new AWS.STS();
sts.assumeRole({
  RoleArn: 'arn:aws:iam::123456789:role/Developer',
  RoleSessionName: 'awssdk'
}, function(err, data) {
  if (err) { // an error occurred
    console.log('Cannot assume role');
    console.log(err, err.stack);
  } else { // successful response
    AWS.config.update({
      accessKeyId: data.Credentials.AccessKeyId,
      secretAccessKey: data.Credentials.SecretAccessKey,
      sessionToken: data.Credentials.SessionToken
    });
  }
});


Found the correct way to do it! Check out this PR: https://github.com/aws/aws-sdk-js/pull/1391

Just had to add AWS_SDK_LOAD_CONFIG="true" to the environment variables along with AWS_PROFILE="assume-role-profile".

So it doesn’t require any code update 😅

This is because the SDK only loads the credentials file by default, not the config file. Since the role_arn is stored in the config file, we must enable loading the config file as well.
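
As an added example (not part of the answers above and not AWS SDK code), this sketch models the behaviour just described, so you can check whether a Node.js process would assume the role or fall back to the long-lived access key. The `resolveProfile` helper and the sample file contents are constructed for illustration, and the rule that the credentials file wins on a key clash is an assumption.

```javascript
// Added example: simplified model of how SDK v2 picks a profile's credentials.
// Sample file contents below are constructed; real files live under ~/.aws/.

// Minimal INI parser: returns { sectionName: { key: value } }.
function parseIni(text) {
  const out = {};
  let cur = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { cur = out[sec[1].trim()] = {}; continue; }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (kv && cur) cur[kv[1].trim()] = kv[2].trim();
  }
  return out;
}

// In the config file, non-default profiles are named "[profile name]".
function configProfiles(text) {
  const out = {};
  for (const [name, body] of Object.entries(parseIni(text))) {
    out[name.replace(/^profile\s+/, '')] = body;
  }
  return out;
}

// Reports which credentials a process would end up using for its profile.
function resolveProfile(env, credentialsText, configText) {
  const loadsConfig = Boolean(env.AWS_SDK_LOAD_CONFIG); // config file is opt-in
  const name = env.AWS_PROFILE || 'default';
  const creds = parseIni(credentialsText);
  const conf = loadsConfig ? configProfiles(configText) : {};
  // Assumption: on a key clash the credentials file wins.
  const merged = (n) => ({ ...(conf[n] || {}), ...(creds[n] || {}) });
  const p = merged(name);
  if (p.role_arn) {
    const src = p.source_profile;
    const ok = Boolean(src && merged(src).aws_access_key_id);
    return { name, loadsConfig, mode: ok ? 'assume-role' : 'broken-source', roleArn: p.role_arn };
  }
  if (p.aws_access_key_id) return { name, loadsConfig, mode: 'static-keys' };
  return { name, loadsConfig, mode: 'none' };
}

const SAMPLE_CREDENTIALS = '[default]\naws_access_key_id = AKIAEXAMPLEONLY00000\naws_secret_access_key = constructed-not-a-real-secret\n';
const SAMPLE_CONFIG = '[default]\nregion = us-east-1\n\n[profile assume-role-profile]\nrole_arn = arn:aws:iam::123456789:role/Developer\nsource_profile = default\n';
console.log(resolveProfile({ AWS_PROFILE: 'assume-role-profile' }, SAMPLE_CREDENTIALS, SAMPLE_CONFIG));
console.log(resolveProfile({ AWS_PROFILE: 'assume-role-profile', AWS_SDK_LOAD_CONFIG: 'true' }, SAMPLE_CREDENTIALS, SAMPLE_CONFIG));
```

A `static-keys` result for a profile you expected to assume a role means the process would run with the base account's access key, which is the symptom described in the question.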


Comments
  • Did you ever find an answer to this?
  • No, and I see the same problem using Python and Boto3 SDK.
  • As far as I'm aware, the node.js client doesn't automatically assume roles. If you want to assume those roles, you have to do it manually.
  • I find this works for me the first time, but when I attempt to refresh the credentials, I get Access Denied. I put this code into a setInterval loop and on the second iteration it fails. Any suggestions?
  • My guess is that calling AWS.config.update isn't the right move in your use-case. The subsequent credentials probably don't have permission to assume the role.
  • This approach doesn't take into consideration the credential expiry. The SDK supports this out of the box. Look at @Kanak Singhal's answer.
  • It works for me: with this export, aws JS SDK works like awscli
  • This worked for me as well. + for not requiring any code changes, as I'm using the sdk through a third-party library
  • Should be the accepted answer, works like a charm!