Assume an AWS IAM role from AWS API credentials in environment variables.
I like to use envdir when selecting AWS API keys for CLI usage. Assuming IAM roles is awkward on the CLI as you have to get the temporary role credentials via
aws sts assume-role and manually extract them to an envdir or environment variables prior to running anything. I wrote envassume to give an envdir-like experience when assuming roles. It uses the current credentials to perform the STS request then extracts and replaces the environment variables with the temporary credentials for the child command e.g.
envassume arn:aws:iam::123456789012:role/example aws s3 ls
with an external ID e.g.
envassume -i external_id arn:aws:iam::123456789012:role/example aws s3 ls
The ARN and external ID can be set in the environment variables
AWS_ASSUME_ROLE=arn:aws:iam::123456789012:role/example AWS_ASSUME_ID=external_id envassume aws s3 ls
Please note, if the ARN is set by environment variable, then no other envassume options can be set.
Posted Sun 14 May '17 in AWS