How to switch between roles from the ec2 cli? - amazon-web-services

I provision an ec2 instance with a specific role. I want to change the assumed role later from the ec2 cli to gain cross-account access, do something, and then switch back to my original role. How can I achieve this?

I'd use the ~/.aws/config file with the additional profile added.
Assuming that RoleA is your Instance Profile Role,
RoleB is the role you want to assume, and
RoleA has sts:AssumeRole,
update your ~/.aws/config to look like the following
[profile roleb]
role_arn = arn:aws:iam::123412341234:role/RoleB
region=us-east-1
credential_source = Ec2InstanceMetadata
So when you want to run a command as the assumed RoleB you would
aws s3 --profile roleb ls
For more info
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

You would not switch to another role. Rather, you would request temporary credentials associated with another role, then use those new credentials to make API calls.
The steps would be:
Call aws sts assume-role --role-arn arn:aws:iam::nnn:role/your-role --role-session-name foo
Grab the temporary credentials that are returned. I would recommend storing them in the ~/.aws/credentials file by using aws configure --profile role2
Then make API call with that role, such as: aws s3 ls --profile role2
To use the original credentials, just leave off the --profile.

Related

InvalidClientTokenId when trying to assume roles with temporary MFA credentials

I am trying to programmatically generate temporary credentials for an assumed role (cross-account) based off of MFA credentials. My ultimate goal is that I only want to have to enter in my MFA token code a single time, and then assume multiple different roles without needing to re-enter my MFA token code (until the MFA session expires).
I am able to obtain temporary MFA credentials no problem:
aws sts get-session-token --serial-number arn:aws-us-gov:iam::<serialnumber>:mfa/<user> --token-code <token code>
I then take the resulting session credentials/token and store it in ~/.aws/credentials
I then want to obtain temporary credentials for an assume role, like the AWS documentation seems to imply is OK:
You cannot call any AWS STS API except AssumeRole or GetCallerIdentity.
However, when I attempt to do so, I get an InvalidClientTokenId error with the following command:
aws sts assume-role --profile default-mfa --role-arn arn:aws-us-gov:iam::<account id>:role/Sandbox_Role --role-session-name clie-access-example --duration 900
I do not have any environment variables set up for AWS credentials (i.e. no AWS_SESSION_TOKEN or AWS_SECRET_ACCESS_KEY environment variables). Also note that I am requesting a token that expires in less than an hour (since as far as I am aware, you cannot request tokens that live longer than an hour with temporary credentials)
Note that if I assume a role implicitly using a profile, everything is fine:
aws sts get-caller-identity --profile role-profile
or for a command that requires actual permissions:
aws dynamodb list-tables --profile role-profile
where my ~/.aws/config file looks like:
[default]
region = us-gov-west-1
output = json
[default-mfa]
region = us-gov-west-1
output = json
[role-profile]
source_profile = default-mfa
region = us-gov-west-1
My AWS user itself does not have any permissions and must assume a role to be able to do anything.
Eventually I will also want to retrieve the assumed role credentials via Postman and store them in my Postman environment so that I can easily switch roles in Postman simply by switching environments, without needing to copy MFA credentials by hand more than once before the MFA session expires.

Unable to retrieve secret from secretsmanager on aws-ec2 using an IAM role

Goal: Retrieve secret from secretsmanager on an aws ec2 instance programmatically through command line.
I have created an IAM role with policies that grant full access to AWS Secrets Manager and EC2, and also allow assuming the role and modifying the role of any EC2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an aws instance in a secure way.
- When I try to run the above command to list-secrets, the cli complains that it needs a region. My ec2-instance and secrets are all in us-east-2. So, I use the same region, and it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is how I would troubleshoot.
Check whether the instance is aware of the IAM role attached to it:
aws sts get-caller-identity
Try passing the region to the command:
aws secretsmanager list-secrets --region us-east-2
I would check whether AWS_REGION or AWS_DEFAULT_REGION is set, but even if these values are set, passing --region should override them.
Hope this helps you get somewhere.
Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather than the EC2 instance role. See references below for the sequence it checks, but basically the EC2 role is the last place it looks; if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
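To make the lookup order from that answer concrete, here is an added example of mine (not code from either answer) that models the CLI's documented credential resolution order in plain Python: environment variables, then a profile that names a role_arn (the assume-role provider), then static keys in ~/.aws/credentials, then static keys in ~/.aws/config, then the EC2 instance profile. The two sample files are constructed, the key values are AWS's documented placeholder examples, and the instance-metadata step is stood in for by a flag, so nothing touches the network; the container-credentials step that sits just before instance metadata is omitted. One detail worth knowing: when --profile is passed explicitly, botocore skips the environment-variable provider entirely, which the model reproduces.

```python
"""Model of the AWS CLI credential lookup order (added example; no network).

Order modelled, following the CLI documentation and botocore's provider chain:
environment variables, a profile with role_arn (assume-role), static keys in the
shared credentials file, static keys in the config file, then the EC2 instance
profile. The container-credentials provider is left out for brevity.
"""
import configparser
from typing import Dict, Mapping, Optional

# Constructed sample files standing in for ~/.aws/credentials and ~/.aws/config.
# The key values are AWS's documented placeholder examples, not real keys.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_CONFIG = """
[default]
region = us-east-2

[profile roleb]
role_arn = arn:aws:iam::123412341234:role/RoleB
credential_source = Ec2InstanceMetadata
"""


def _load(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _section(parser: configparser.ConfigParser, name: str) -> Dict[str, str]:
    return dict(parser[name]) if parser.has_section(name) else {}


def _has_static_keys(section: Mapping[str, str]) -> bool:
    return "aws_access_key_id" in section and "aws_secret_access_key" in section


def resolve_credential_source(
    env: Mapping[str, str],
    credentials_text: str,
    config_text: str,
    profile: Optional[str] = None,
    instance_profile_attached: bool = False,
) -> str:
    """Return which source the CLI would take credentials from.

    `profile` is the value of --profile, or None when the flag was not given.
    With an explicit --profile botocore drops the environment provider and
    goes straight to the profile-based sources.
    """
    if profile is None and env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    name = profile or "default"

    creds_section = _section(_load(credentials_text), name)
    # ~/.aws/config prefixes every non-default profile with "profile ".
    config_section = _section(_load(config_text), name if name == "default" else f"profile {name}")

    # The assume-role provider sees the merged profile (credentials file wins on
    # duplicate keys) and runs before the static-key providers.
    merged = {**config_section, **creds_section}
    if "role_arn" in merged:
        return "assume_role:" + merged["role_arn"]
    if _has_static_keys(creds_section):
        return "credentials_file"
    if _has_static_keys(config_section):
        return "config_file"
    if instance_profile_attached:
        return "instance_metadata"
    return "none"


if __name__ == "__main__":
    # Stale keys left behind by `aws configure` shadow the instance role:
    print(resolve_credential_source({}, SAMPLE_CREDENTIALS, SAMPLE_CONFIG,
                                    instance_profile_attached=True))
    # With no static keys on disk the instance profile is finally reached:
    print(resolve_credential_source({}, "", SAMPLE_CONFIG,
                                    instance_profile_attached=True))
```

Feeding it the contents of the instance's real ~/.aws/credentials and ~/.aws/config (and os.environ) tells you which source the CLI is going to use before any Secrets Manager call is made; if the answer is "credentials_file" on a box that is supposed to rely on its instance profile, deleting the stale keys is the fix.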

access cognito from other account from cli

I am trying to access a Cognito user pool from a different AWS account using the CLI. I can do this just fine from API Gateway where the user pool is setup as an authorizer, but from the CLI it just says this user pool does not exist. Is there a way to tell the CLI to look for the user pool in a different account than the one I am in? I can do this if I switch roles, however I would prefer to avoid that.
Instead of switching roles, you can specify a profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html).
For example, in ~/.aws/config you might have:
[profile another]
role_arn = arn:aws:iam::account:role/OrganizationAccountAccessRole
source_profile = default
(n.b. your role_arn should be whatever your cross-account role arn actually is)
Then you can use the --profile argument in the cli to adopt another role without affecting further commands &c.
For example:
aws cognito-idp initiate-auth --client-id=$CLIENT_ID --auth-flow='USER_PASSWORD_AUTH' --profile=another --region=eu-west-2 --auth-parameters USERNAME='me@example.com',PASSWORD='password'

AWS master account

I want an AWS master account, where I can manage other AWS accounts/IAM users. Is this achievable? I tried AWS Organizations, but it does not apply to IAM users (only account level). Please help
You could create a custom role in any account that you have, and then use the AWS API to assume this role with a script.
For example, you create the role custom_role in every account that you own.
Then you use the aws sdk or cli to assume the role.
Configure the role in a credentials profile
[profile custom_role]
role_arn = arn:aws:iam::123456789012:role/custom_role
source_profile = default
Use the aws api to create a user in the other account
aws iam create-user --user-name user_test --profile custom_role
You could do the same thing through the aws sdk (like boto3 in Python). If you want to manage all accounts, you could develop a script that automates that work.

Create S3 Bucket in another Account

I have an ec2 instance configured with an IAM Role to read S3 in its own account. I configured a cross account role in another AWS account that has rights to create S3 buckets. I then gave the role that the ec2 instance is assigned access to use the cross account role.
When I try to create the s3 bucket, it tries to create it in its own account. How do I tell the aws cli to create the bucket in the other account?
Refer to the cross account python script https://blogs.aws.amazon.com/security/post/Tx70F69I9G8TYG/How-to-enable-cross-account-access-to-the-AWS-Management-Console
When you run it you will automatically be redirected to the cross account AWS Console... and if you don't want to run the python script, log in through the switch role option.
Through the cli you must run an sts command... for example aws sts assume-role --role-arn crossAccountRoleARN --role-session-name "DemoRoleSession" > /tmp/assume-role-output.txt
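The assume-role step above, and the answer on the first question that stores the returned credentials as a profile with aws configure --profile role2, both leave the same chore: getting the three values out of the JSON and into a place the CLI reads. One caveat for that route: interactive aws configure prompts only for the key id, secret, region and output format, not for the session token, so the token has to be set separately (aws configure set aws_session_token ... --profile role2); STS-issued keys presented without their session token are rejected as an invalid security token. The following is an added example of mine, not code from either answer: it parses the saved output (the sample below is a constructed stand-in in the documented response shape, with fake key values), writes a named profile carrying all three values without disturbing other profiles, reports the time to expiry, or prints export lines for the current shell. The helper names are my own.

```python
"""Turn `aws sts assume-role` output into credentials the CLI will accept.

Added example (not from the answers above). It reads the JSON that
`aws sts assume-role ... > /tmp/assume-role-output.txt` writes and either
stores it as a named profile with all three values (id, secret, session
token) or emits export lines for the shell; it also reports time to expiry.
"""
import configparser
import io
import json
import shlex
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed stand-in for /tmp/assume-role-output.txt in the documented
# response shape; the key and token values are fake.
SAMPLE_ASSUME_ROLE_OUTPUT = """{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLEXX",
        "SecretAccessKey": "EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE",
        "SessionToken": "FwoGZXIvYXdzEXAMPLETOKEN",
        "Expiration": "2030-01-01T12:00:00Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:DemoRoleSession",
        "Arn": "arn:aws:sts::123456789012:assumed-role/RoleB/DemoRoleSession"
    }
}"""


def parse_assume_role_output(text: str) -> Dict[str, str]:
    """Map the STS response onto the key names the credentials file uses."""
    creds = json.loads(text)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # Temporary credentials are rejected as an invalid token without this.
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def _parse_ts(value: str) -> datetime:
    # CLI v1 prints "...Z", v2 prints "...+00:00"; normalise to an aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_remaining(creds: Dict[str, str], now: Optional[str] = None) -> int:
    """Seconds until expiry (negative once expired). `now` is ISO-8601 or None for the clock."""
    current = _parse_ts(now) if now else datetime.now(timezone.utc)
    return int((_parse_ts(creds["expiration"]) - current).total_seconds())


def write_profile(creds: Dict[str, str], credentials_file_text: str, profile: str) -> str:
    """Return the credentials file text with `profile` added or replaced; other profiles untouched."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_file_text)
    if not parser.has_section(profile):
        parser.add_section(profile)
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        parser.set(profile, key, creds[key])
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def read_profile(credentials_file_text: str, profile: str) -> Dict[str, str]:
    """Read one profile back out of credentials-file text (used to verify the write)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_file_text)
    return dict(parser[profile])


def export_lines(creds: Dict[str, str]) -> List[str]:
    """Shell lines that place the credentials in the environment, e.g. via eval "$(...)"."""
    return [
        "export AWS_ACCESS_KEY_ID=" + shlex.quote(creds["aws_access_key_id"]),
        "export AWS_SECRET_ACCESS_KEY=" + shlex.quote(creds["aws_secret_access_key"]),
        "export AWS_SESSION_TOKEN=" + shlex.quote(creds["aws_session_token"]),
    ]


if __name__ == "__main__":
    import sys
    # Pass the saved assume-role output as argv[1]; the constructed sample is used otherwise.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSUME_ROLE_OUTPUT
    c = parse_assume_role_output(text)
    print("\n".join(export_lines(c)))
    print(f"# expires in {seconds_remaining(c)} s", file=sys.stderr)
```

Because exported variables sit ahead of every file-based source in the CLI's lookup order, unsetting AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN is what returns the shell to the instance's own role; with the profile route, leaving off --profile does the same.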