Assume role source creds from environment #2938

Closed
alexrudd opened this issue Nov 2, 2017 · 6 comments
Labels
feature-request A feature should be added or improved.

Comments

@alexrudd

alexrudd commented Nov 2, 2017

Hi,

Currently the only way to assume a role involves specifying at least a role_arn and a source_profile in a credentials file.

If the source_profile variable were made optional and aws-cli fell back to using credentials defined in the environment or in an EC2 instance profile, then this would be a much more flexible feature for situations where persisting credentials to a file isn't possible.

My particular situation is needing to deploy a website to an S3 bucket from Jenkins. Jenkins can seed the workspace environment with credentials in environment vars, but aws-cli has no way of using these to assume a role.

This is similar to the feature requests in the following issues:

Thanks

@dstufft
Contributor

dstufft commented Nov 2, 2017

Marking this as a feature request, thanks!

@lorengordon
Contributor

This actually isn't supported, nor fixed in boto/botocore#1313... When using role_arn, either source_profile or credential_source is required.

The profile:

```
[profile mock]
role_arn = arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
```

```
❯ aws sts get-caller-identity --profile mock

Partial credentials found in assume-role, missing: source_profile or credential_source
```

@alexrudd
Author

@lorengordon is using the credential_source setting not a possibility in your above example?

```
[profile mock]
role_arn = arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
credential_source = Environment
```
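An added example, not part of the thread or of aws-cli's own code: a pre-flight check a CI job could run over its AWS config file to flag `role_arn` profiles that would hit the "Partial credentials" error quoted above. The function name and every profile other than `mock` are assumptions made for illustration, and the sample config is constructed.

```python
import configparser

# credential_source values documented for the AWS CLI / botocore.
VALID_SOURCES = {"environment", "ec2instancemetadata", "ecscontainer"}

# Constructed sample; only "mock" and its Environment variant mirror the thread.
SAMPLE_CONFIG = """\
[profile mock]
role_arn = arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME

[profile from-env]
role_arn = arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
credential_source = Environment

[profile both]
role_arn = arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
source_profile = default
credential_source = Environment

[profile typo]
role_arn = arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
credential_source = Env
"""

def check_assume_role_profiles(config_text):
    """Return {profile: [problems]} for each profile that sets role_arn."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    findings = {}
    for section in parser.sections():
        if not parser.has_option(section, "role_arn"):
            continue  # plain profile, no role to assume
        name = section.split(None, 1)[-1]  # drop the "profile " prefix
        src_profile = parser.get(section, "source_profile", fallback=None)
        cred_source = parser.get(section, "credential_source", fallback=None)
        problems = []
        if src_profile is None and cred_source is None:
            problems.append("missing: source_profile or credential_source")
        elif src_profile is not None and cred_source is not None:
            # botocore rejects a profile that sets both keys
            problems.append("source_profile and credential_source are mutually exclusive")
        elif cred_source is not None and cred_source.lower() not in VALID_SOURCES:
            problems.append("unsupported credential_source: " + cred_source)
        findings[name] = problems
    return findings

if __name__ == "__main__":
    for profile, problems in check_assume_role_profiles(SAMPLE_CONFIG).items():
        print(profile, "->", problems or "ok")
```
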

@lorengordon
Contributor

@alexrudd Oh yes, of course that works. But I thought you were expecting it to fall through to getting the initial credential from the default credential chain, and then assume the specified role. I suppose in my head I was linking this feature to #2664, as a pre-requisite for being able to pass --role-arn on the cli. Having to pass both --role-arn and --credential-source or --source-profile seems less convenient... If I want to start from a profile on the cli, I would use AWS_PROFILE or --profile along with --role-arn. If that worked on the cli, then the config option could work the same way.

@alexrudd
Author

Ah, I see what you mean. Yeah, it would be nice if it fell back to the default credential chain. Might be worth opening a separate issue as I don't think this will be tracked anymore.

@kdaily
Member

kdaily commented Sep 20, 2021

@alexrudd - I think this open issue is what you're looking for!

#3875

thoward-godaddy pushed a commit to thoward-godaddy/aws-cli that referenced this issue Feb 12, 2022