I am troubleshooting an issue about sending SMS (SNS service) in another region because this service is not available in my region.
So, I need to switch my AWS_DEFAULT_REGION to somewhere else.
I following command work well
bash-5.0# aws sts get-caller-identity
{
"UserId": "AROAUUXXXXXXIYUL4OIJU:botocore-session-1642736552",
"Account": "318462213682",
"Arn": "arn:aws:sts::311234567890:assumed-role/eksctl-tst-backend-eks-addon-iamserviceaccou-Role1-K6RXXXXX51XX/botocore-session-1642736552"
}
But after I switch to another region it does not work anymore
bash-5.0# export AWS_DEFAULT_REGION=ap-southeast-1
bash-5.0# aws sts get-caller-identity
Connection was closed before we received a valid response from endpoint URL: "https://sts.amazonaws.com/".
Did I miss something?
Related
I am using an assumed role, all environment variables has been set (AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN, AWS_SECRET_ACCESS_KEY, and AWS_ACCESS_KEY_ID)
When I call aws sts get-caller-identity on my default region (ap-southeast-1) it doesn't have a problem
$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-1
{
"UserId": "XXXXXYYYYYZZZZZZ:botocore-session-1234567",
"Account": "111122223333",
"Arn": "arn:aws:sts::111122223333:assumed-role/somerolename/botocore-session-2222333344"
}
But when I change it to the region that I am trying to work on (ap-southeast-3), an error happens
$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-3
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
How do I resolve this?, I have tried other regions as well, but it seems only ap-southeast-1 works
I think you are facing this issue, because ap-southeast-3 region is not enabled for your account. You can check if it is enabled by running the following command:
aws ec2 describe-regions --region-names ap-southeast-3
If your region is not enabled, you will get the following response:
{
"Regions": [
{
"Endpoint": "ec2.ap-southeast-3.amazonaws.com",
"RegionName": "ap-southeast-3",
"OptInStatus": "not-opted-in"
}
]
}
In order to enable it, you just have to follow the instructions from the AWS docs:
To enable a Region
Sign in to the AWS Management Console.
In the upper right corner of the console, choose your account name or number and then choose My Account.
In the AWS Regions section, next to the name of the Region that you want to enable, choose Enable.
In the dialog box, review the informational text and choose Enable Region.
Wait until the Region is ready to use.
Please note, enabling a region may take some time. As far as I've experienced, this time is fairly short. You should get an email as soon as the region is enabled.
Ok, so apparently I had to make Global endpoints to be valid in all regions for STS
More on that is discussed in this docs here in the "Managing global endpoint session tokens" section
I am trying to access an s3 bucket in account A from account B.
I followed this guide Cross-account IAM roles option. Then, to assume the role I use this aws cli command in my code:
aws sts assume-role --role-arn "arn:aws:iam::*********:role/cross-account-s3-access" --role-session-name AWSCLI-Session
I can see that the role was assumed:
{
"Credentials": {
"AccessKeyId": "********",
"SecretAccessKey": "********",
"SessionToken": "********",
"Expiration": "2021-07-29T08:46:33Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "********:AWSCLI-Session",
"Arn": "arn:aws:sts::********:assumed-role/cross-account-s3-access/AWSCLI-Session"
}
}
Then, to check if the cross-account access worked, I perform the following command which return access denied:
+ aws s3 ls s3://digibank-endofday-files-stg
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
My question is what is the --role-session-name flag? I probably put a wrong value but I couldn't find a proper explanation about it. Where do I find value of it??
The flow is:
Using permanent credentials (eg from your IAM User), call AssumeRole() and provide the ARN of the desired role
If you have permission to call AssumeRole on this role, AWS STS will return a set of temporary credentials
You will then need to use those credentials in subsequent calls to AWS services
So, future calls will not be made from your IAM User (since it does not have permission to access S3). Instead, the call will need to be made with the new credentials.
If you were using a programming language, you would use these credentials to make a new Session object and then use it to make API calls.
However, given that you are using the AWS CLI, the easiest method to assume the call is to add a configuration in your ~/.aws/config file similar to this:
[profile prodaccess]
role_arn = arn:aws:iam::123456789012:role/ProductionAccessRole
source_profile = default
This configuration is saying: "Use my credentials from the default profile to assume this IAM Role".
You can use it like this:
aws s3 ls s3://digibank-endofday-files-stg --profile prodaccess
For details, see: Switching to an IAM role (AWS CLI) - AWS Identity and Access Management
The AWS CLI will automatically call AssumeRole(), then make the requested call using the temporary credentials that were returned.
Inside an Amazon EC2 instance with an IAM role:
$ aws sts get-caller-identity
{
"Account": "999999999999",
"UserId": "AROA4AD2EEIE4XYIBOEYP:i-abcdefg12345678",
"Arn": "arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/i-abcdefg12345678"
}
The IAM role session name is the instance ID.
Is there a way to update this session name on the fly?
For example temporarily change the assumed role session name
arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/i-abcdefg12345678/specialSession
Or even
arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/specialSession
(no instance id)
For Amazon EC2 instance profiles, AWS sets the role session on your behalf and sets the role session name to the instance profile ID. If you want to change the role, you may consider assuming the role again and setting a new name for the role session
:
$ aws sts assume-role --role-arn arn:aws:iam::999999999999:role/my-instance-iam-role --role-session-name newname
The command returns the required info for you the assume the role. Next, create three environment variables to assume the IAM role (please replace the value with the values from the previous command):
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
You could run get-caller-identity again:
$ aws sts get-caller-identity
{
"UserId": "AROARXXXXX:newname",
"Account": "999999999999",
"Arn": "arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/newname"
}
AWS documentation provides multiple approach, here.
In our environment, we have multiple AWS accounts.
Usage scenario is to switch between AWS accounts and run AWS cli commands from laptop, as part of automation.
Before running AWS cli command on a specific AWS account, we need to get temporary credentials for that account, given account id.
Getting access to(by switching over) multiple AWS accounts, helps us in automation.
Basically we would like to run some tool like ./some_aws_sdk_tool.py role_name aws_account_name, assuming a role_name to get credentials.
I want to test this with my single AWS account(personal).
1) What are the steps to configure my AWS account to create such role_name?
2)
What is the approach to get temporary credentials to a specific aws_account_name with some_aws_sdk_tool.py? to be able run AWS CLI commands for n minutes..
Do you want to do this from within your code or using the AWS CLI?
If you're using the CLI, the easiest way is to create profiles in your AWS credentials file, as described here. Each profile identifies a role ARN and the source login information that is allowed to assume that role.
Alternatively, you can run the sts assume-role command, parse the results, and set environment variables:
aws sts assume-role --role-arn 'arn:aws:iam::123456789012:role/Example' --role-session-name 'some_unique_but_relevant_string'
{
"Credentials": {
"AccessKeyId": "ASIAXXXXXXXXXXXXXXXX",
"SecretAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"SessionToken": "XXXXXXXXXXXXXXX//////////XXX...XXXXX",
"Expiration": "2020-03-05T20:57:45Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAXXXXXXXXXXXXXXXXX:some_unique_but_relevant_string",
"Arn": "arn:aws:sts::123456789012:assumed-role/Example/some_unique_but_relevant_string"
}
}
If you want to do it from within your program, you can use code like this:
sts_client = boto3.client('sts')
role_arn = "..."
session_name = "some_unique_but_relevant_value"
response = sts_client.assume_role(
RoleArn=role_arn,
RoleSessionName=session_name
)
creds = response['Credentials']
actual_client = boto3.client('SERVICE',
aws_access_key_id=creds['AccessKeyId']
aws_secret_access_key=creds['SecretAccessKey']
aws_session_token=creds['SessionToken'])
That is not possible. You can only see a secret key on the first time it gets created, AWS will never show it to you again. See more here.
Some Identity Managers like Okta allow you to assume roles on CLI so you don't have to deal with credentials directly. You just assign a role to an user and he will be able to assume the role directly after the first login.
When using STS to assume a role, in the AWS SDKs (Java, for example), we have shaved valuable seconds off the operation by selecting the 'local' STS endpoint for the region our code is executing in (e.g. https://sts.eu-west-2.amazonaws.com).
Is it possible to do the same from the CLI (aws sts assume-role ...? There doesn't seem to be an option to override the default endpoint in the documentation.
Take a look at: Activating and Deactivating AWS STS in an AWS Region and enable the region endpoint you want to connect to.
--region (string)
is common for all AWS CLI commands. Once you enable additional endpoints, you can use --region (string) to override the default endpoint.