access cognito from other account from cli - amazon-web-services

I am trying to access a Cognito user pool from a different AWS account using the CLI. I can do this just fine from API Gateway where the user pool is set up as an authorizer, but from the CLI it just says this user pool does not exist. Is there a way to tell the CLI to look for the user pool in a different account than the one I am in? I can do this if I switch roles, however I would prefer to avoid that.

Instead of switching roles, you can specify a profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html).
For example, in ~/.aws/config you might have:
[profile another]
role_arn = arn:aws:iam::account:role/OrganizationAccountAccessRole
source_profile = default
(n.b. your role_arn should be whatever your cross-account role arn actually is)
Then you can use the --profile argument in the cli to adopt another role without affecting further commands &c.
For example:
aws cognito-idp initiate-auth --client-id=$CLIENT_ID --auth-flow='USER_PASSWORD_AUTH' --profile=another --region=eu-west-2 --auth-parameters USERNAME='me@example.com',PASSWORD='password'

Related

How to list all roles associated with an AWS SSO account

I am new to AWS.
Having a list of AWS SSO account aliases and account IDs, I need to iterate through those and check whether they have a specific role assigned to them.
What is the best way to do it? Note that every account has a specific role associated with it, which I can assume in order to access everything in that account.
For example, given the account ID 999999999999, I guess I could do something like the following:
aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/CommonMemberAccess" --role-session-name "MY-SESSION"
The above will print a JSON object with AccessKeyId, SecretAccessKey and SessionToken.
I could then export the above as env variables, for example,
export AWS_ACCESS_KEY_ID=AccessKeyId
export AWS_SECRET_ACCESS_KEY=SecretAccessKey
export AWS_SESSION_TOKEN=SessionToken
And finally, list the roles within the specific account as follows
aws iam list-roles
Eventually, I will need to do the above by connecting to the AWS API using Go (I am also new to Go). But as a starting point, I would like to know what I can do using the command line aws client.
Is the above a reasonable approach? How would you do this better?
You may try this CLI command.
aws iam list-roles --path-prefix /aws-reserved/sso.
Alternatively, you can filter IAM roles associated with SSO by checking their 'AssumeRolePolicyDocument'.
The 'Principal' attribute has to be the ARN of a federated identity provider whose metadata document was issued by AWS SSO
(you can check its SAML metadata XML document with the following CLI command):
aws iam get-saml-provider --saml-provider-arn "arn:of:federated:saml-provider:from:AssumeRolePolicy"
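Both filters from the answer above, applied to the JSON that `aws iam list-roles` prints, as an added example (not the answerer's code): the path prefix that AWS SSO uses for permission-set roles, and the Federated principal in the trust policy. The sample `list-roles` output, the account ID 999999999999 and the saml-provider ARN are constructed for the example; the `AWSReservedSSO_<PermissionSet>_<suffix>` naming is how SSO names the roles it provisions, which is what lets you check for "a specific role" per account without knowing the random suffix.

```python
import json
import sys
from urllib.parse import quote, unquote

# Permission-set roles are created under this path (older ones directly, newer ones with a
# region sub-path). The saml-provider ARN below is a constructed placeholder in the shape SSO uses.
SSO_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"
SSO_PROVIDER_ARN = "arn:aws:iam::999999999999:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"

def _saml_trust(provider_arn, extra_actions=()):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": ["sts:AssumeRoleWithSAML", *extra_actions],
    }]}

# Constructed sample of `aws iam list-roles` output (only the fields this script reads).
SAMPLE_LIST_ROLES = {"Roles": [
    {"RoleName": "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
     "Path": "/aws-reserved/sso.amazonaws.com/eu-west-1/",
     "AssumeRolePolicyDocument": _saml_trust(SSO_PROVIDER_ARN, ["sts:TagSession"])},
    {"RoleName": "AWSReservedSSO_ReadOnlyAccess_fedcba9876543210",
     "Path": "/aws-reserved/sso.amazonaws.com/",
     "AssumeRolePolicyDocument": _saml_trust(SSO_PROVIDER_ARN)},
    {"RoleName": "CommonMemberAccess", "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"}]}},
    # The raw IAM API returns the document URL-encoded; the CLI and boto3 decode it for you.
    {"RoleName": "OktaFederatedAdmin", "Path": "/",
     "AssumeRolePolicyDocument": quote(json.dumps(
         _saml_trust("arn:aws:iam::999999999999:saml-provider/Okta"), separators=(",", ":")))},
    {"RoleName": "lambda-exec", "Path": "/service-role/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}},
]}

def _policy(doc):
    """Accept either the decoded dict or the URL-encoded JSON string form."""
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc

def _federated_principals(policy):
    """Yield every Federated principal ARN in Allow statements (string or list forms)."""
    stmts = policy.get("Statement", [])
    for stmt in (stmts if isinstance(stmts, list) else [stmts]):
        if stmt.get("Effect") != "Allow" or not isinstance(stmt.get("Principal"), dict):
            continue
        fed = stmt["Principal"].get("Federated", [])
        yield from (fed if isinstance(fed, list) else [fed])

def sso_roles_by_path(roles):
    """Filter 1: roles living under the SSO reserved path."""
    return [r["RoleName"] for r in roles if r.get("Path", "/").startswith(SSO_PATH_PREFIX)]

def sso_roles_by_trust(roles, provider_arn):
    """Filter 2: roles whose trust policy names the given SAML provider as a Federated principal."""
    return [r["RoleName"] for r in roles
            if provider_arn in set(_federated_principals(_policy(r["AssumeRolePolicyDocument"])))]

def has_permission_set(roles, permission_set_name):
    """Does this account have a role provisioned for the named permission set?"""
    prefix = f"AWSReservedSSO_{permission_set_name}_"
    return any(r["RoleName"].startswith(prefix) for r in roles
               if r.get("Path", "/").startswith(SSO_PATH_PREFIX))

if __name__ == "__main__":
    # Usage: aws iam list-roles --profile <member-account> | python3 sso_roles.py [PermissionSetName]
    roles = json.load(sys.stdin)["Roles"]
    if len(sys.argv) > 1:
        print("present" if has_permission_set(roles, sys.argv[1]) else "absent")
    else:
        print("\n".join(sso_roles_by_path(roles)))
```

Run it once per account behind the profile that assumes that account's `CommonMemberAccess` role; the two filters should agree, and a role that matches only one of them is worth a look.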

Is it possible to share Parameter Store keys in another AWS Account for same region?

The use case: The database credentials are stored in Parameter Store for an AWS source Account and we need to share such credentials with other AWS Account.
I know the recommendation is to use System Manager, but that is not a valid option for custom reasons.
We won't access Parameter Store from a Lambda inside another AWS Account/VPC. Instead, we need to access such keys from the AWS CLI to fill in the application environment variables at build time - again, it's not ideal. 🤷‍♂️
In summary, we have an AWS Cross-Account / Same region / IAM user (another account) scenario to access the Parameter Store keys from the source AWS Account.
Thanks in advance for any kind of guidance/direction 👊
I think you could create an IAM Role in the account with Parameter Store, give that Role permission to access Parameter Store, and configure it to let the IAM user you created in the other account assume that Role and do what it needs.
Something like aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session and then aws ssm get-parameter --name "MyStringParameter"
To make it short: it's not possible to share Parameter Store, only secrets from Secrets Manager.
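The two policy documents the first answer describes, written out as an added example (not the answerer's code) with the checks a reviewer would apply. The account IDs, the `build-bot` user, the parameter names and the KMS key ARN are placeholders. Two caveats the answer leaves implicit: trust the specific user or role ARN, not the other account's `:root` (that delegates the decision to the other account's IAM admins), and a SecureString parameter also needs `kms:Decrypt` on its key, which means a customer managed key with a key policy that names the role, since the AWS managed `aws/ssm` key cannot be used from another account.

```python
import json

# Placeholder identifiers (assumed, not from the question): 123456789012 owns the parameters,
# 222222222222 holds the IAM user that runs the build.
OWNER_ACCOUNT = "123456789012"
BUILD_USER_ARN = "arn:aws:iam::222222222222:user/build-bot"

def parameter_arn(region, account_id, name):
    """ARN of an SSM parameter; the leading slash of a hierarchical name is dropped in the ARN."""
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"

def trust_policy(principal_arn, external_id=None):
    """Trust policy for the role in the owning account: only this principal may assume it."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},   # exact user/role ARN, not the account root
        "Action": "sts:AssumeRole",
    }
    if external_id:   # optional confused-deputy guard: caller must pass --external-id
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def permission_policy(region, account_id, parameter_names, kms_key_arn=None):
    """Permissions attached to the role: read just the named parameters (and decrypt if needed)."""
    statements = [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": [parameter_arn(region, account_id, n) for n in parameter_names],
    }]
    if kms_key_arn:   # SecureString: get-parameter --with-decryption also calls kms:Decrypt
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}

def trust_policy_findings(policy):
    """What a reviewer would flag in a cross-account trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            arns = ["*"]
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            arns = aws if isinstance(aws, list) else [aws]
        else:
            arns = []
        for arn in arns:
            if arn == "*":
                findings.append("anyone may assume the role")
            elif arn.endswith(":root") and "Condition" not in stmt:
                findings.append(f"whole account {arn} trusted without a condition")
    return findings

if __name__ == "__main__":
    trust = trust_policy(BUILD_USER_ARN, external_id="build-pipeline")
    perms = permission_policy("us-east-1", OWNER_ACCOUNT, ["/prod/db/password"],
                              kms_key_arn=f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/example-key-id")
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", trust_policy_findings(trust))
```

Feed the printed trust document to `aws iam create-role --assume-role-policy-document` and the permissions document to `aws iam put-role-policy`; the build then runs `aws sts assume-role` (with `--external-id` if you set one) followed by `aws ssm get-parameter --with-decryption`.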

Temporary Security Credentials - How to get access, given a role name & AWS account id?

AWS documentation provides multiple approaches, here.
In our environment, we have multiple AWS accounts.
Usage scenario is to switch between AWS accounts and run AWS cli commands from laptop, as part of automation.
Before running AWS cli command on a specific AWS account, we need to get temporary credentials for that account, given account id.
Getting access to (by switching over to) multiple AWS accounts helps us with automation.
Basically we would like to run some tool like ./some_aws_sdk_tool.py role_name aws_account_name, assuming a role_name to get credentials.
I want to test this with my single AWS account(personal).
1) What are the steps to configure my AWS account to create such role_name?
2)
What is the approach to get temporary credentials to a specific aws_account_name with some_aws_sdk_tool.py, to be able to run AWS CLI commands for n minutes?
Do you want to do this from within your code or using the AWS CLI?
If you're using the CLI, the easiest way is to create profiles in your AWS credentials file, as described here. Each profile identifies a role ARN and the source login information that is allowed to assume that role.
Alternatively, you can run the sts assume-role command, parse the results, and set environment variables:
aws sts assume-role --role-arn 'arn:aws:iam::123456789012:role/Example' --role-session-name 'some_unique_but_relevant_string'
{
"Credentials": {
"AccessKeyId": "ASIAXXXXXXXXXXXXXXXX",
"SecretAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"SessionToken": "XXXXXXXXXXXXXXX//////////XXX...XXXXX",
"Expiration": "2020-03-05T20:57:45Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAXXXXXXXXXXXXXXXXX:some_unique_but_relevant_string",
"Arn": "arn:aws:sts::123456789012:assumed-role/Example/some_unique_but_relevant_string"
}
}
If you want to do it from within your program, you can use code like this:
import boto3

sts_client = boto3.client('sts')
role_arn = "..."
session_name = "some_unique_but_relevant_value"
# Ask STS for temporary credentials for the role; the session name shows up in CloudTrail
response = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName=session_name
)
creds = response['Credentials']
# Build a client for the target service (replace 'SERVICE', e.g. 's3') using the temporary credentials
actual_client = boto3.client('SERVICE',
    aws_access_key_id=creds['AccessKeyId'],
    aws_secret_access_key=creds['SecretAccessKey'],
    aws_session_token=creds['SessionToken'])
That is not possible. You can only see a secret key on the first time it gets created, AWS will never show it to you again. See more here.
Some identity managers like Okta allow you to assume roles on the CLI so you don't have to deal with credentials directly. You just assign a role to a user and they will be able to assume the role directly after the first login.

How to switch between roles from the ec2 cli?

I provision an EC2 instance with a specific role. I want to change the assumed role later from the EC2 CLI to gain cross-account access, do something, and then switch back to my original role. How can I achieve this?
I'd use the ~/.aws/config file with the additional profile added.
Assuming that RoleA is your Instance Profile Role,
RoleB is the role you want to assume, and
RoleA has sts:AssumeRole permission,
Update your ~/.aws/config to look like the following
[profile roleb]
role_arn = arn:aws:iam::123412341234:role/RoleB
region = us-east-1
credential_source = Ec2InstanceMetadata
So when you want to run a command as the assumed RoleB you would
aws s3 --profile roleb ls
For more info
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
You would not switch to another role. Rather, you would request temporary credentials associated with another role, then use those new credentials to make API calls.
The steps would be:
Call aws sts assume-role --role-arn arn:aws:iam::nnn:role/your-role --role-session-name foo
Grab the temporary credentials that are returned. I would recommend storing them in the ~/.aws/credentials file by using aws configure --profile role2
Then make API call with that role, such as: aws s3 ls --profile role2
To use the original credentials, just leave off the --profile.
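The "grab the temporary credentials" step from the answers above (the `aws sts assume-role` JSON shown under the previous question, and the export-as-environment-variables flow in the SSO question) done by a script rather than by hand, as an added example that is not from any of the answerers. It reads the assume-role JSON on stdin and emits either `export` lines for `eval` or the JSON shape the AWS CLI's `credential_process` setting expects, refusing credentials that have already expired. The sample response is constructed from the placeholder values shown on the page; the script file name `assumed_creds.py` is assumed.

```python
import json
import shlex
import sys
from datetime import datetime, timezone

# assume-role field name -> environment variable the CLI/SDKs read
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}

# Constructed sample in the shape `aws sts assume-role` prints (placeholder values, not real keys).
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAXXXXXXXXXXXXXXXX",
        "SecretAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "SessionToken": "XXXXXXXXXXXXXXX//////////XXX...XXXXX",
        "Expiration": "2020-03-05T20:57:45Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAXXXXXXXXXXXXXXXXX:some_unique_but_relevant_string",
        "Arn": "arn:aws:sts::123456789012:assumed-role/Example/some_unique_but_relevant_string",
    },
}

def parse_expiration(value):
    """STS prints ISO-8601 UTC with a trailing Z, e.g. 2020-03-05T20:57:45Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def seconds_remaining(creds, now=None):
    now = now or datetime.now(timezone.utc)
    return (parse_expiration(creds["Expiration"]) - now).total_seconds()

def credentials_from_response(response, now=None):
    """Validate the assume-role output: all fields present and the session not yet expired."""
    creds = response["Credentials"]
    missing = [k for k in (*ENV_NAMES, "Expiration") if k not in creds]
    if missing:
        raise ValueError(f"assume-role output is missing {missing}")
    if seconds_remaining(creds, now) <= 0:
        raise ValueError("temporary credentials have already expired")
    return creds

def env_exports(response, now=None):
    """Shell `export` lines; values are quoted so the session token cannot break the eval."""
    creds = credentials_from_response(response, now)
    return "\n".join(f"export {env}={shlex.quote(creds[key])}" for key, env in ENV_NAMES.items())

def credential_process_output(response, now=None):
    """The JSON document a `credential_process = ...` entry in ~/.aws/config must print."""
    creds = credentials_from_response(response, now)
    return {"Version": 1, **{k: creds[k] for k in ENV_NAMES}, "Expiration": creds["Expiration"]}

if __name__ == "__main__":
    # eval "$(aws sts assume-role --role-arn ARN --role-session-name NAME | python3 assumed_creds.py)"
    # or:   ... | python3 assumed_creds.py --credential-process
    resp = json.load(sys.stdin)
    if "--credential-process" in sys.argv:
        print(json.dumps(credential_process_output(resp)))
    else:
        print(env_exports(resp))
```

Because the exports only live in the shell that ran the `eval`, "switching back" to the instance role is just `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN`, and nothing is written to `~/.aws/credentials` on the instance.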

AWS master account

I want an AWS master account, where I can manage other AWS accounts/IAM users. Is this achievable? I tried with AWS Organizations, but it does not apply to IAM users (only at account level). Please help.
You could create a custom role in any account that you have, and then use the AWS API to assume this role with a script.
For example, you create the role custom_role in every account that you own.
Then you use aws sdk or cli to assume role
Configure role in credentials profile
[profile custom_role]
role_arn = arn:aws:iam::123456789012:role/custom_role
source_profile = default
Use aws api to create user in the other account
aws iam create-user --user-name user_test --profile custom_role
You could do the same thing through the AWS SDK (like boto3 in Python). If you want to manage all accounts, you could develop a script that automates that work.