Allow using AWS_ROLE_ARN to assume role without web identity #2360
Comments
This would be a helpful feature for everyone who has their custom wrappers create the assume role. If boto3 could get the credentials on its own, a lot of code duplication would go away. I have set up something for this for my need, which was something like

```python
import os

import boto3

def get_aws_sts_assume_role_credentials():
    sts_client = boto3.client("sts")
    # ARN of the role to assume, read from the environment
    aws_assume_role_arn = os.environ.get("AWS_ASSUME_ROLE_ARN")
    credentials = sts_client.assume_role(
        RoleArn=aws_assume_role_arn, RoleSessionName="mlflow_user", DurationSeconds=3600)
    return credentials["Credentials"]
```

And in my code where I create the s3 Client

```python
import boto3

credentials = get_aws_sts_assume_role_credentials()
my_s3_client = boto3.client(
    "s3",
    aws_access_key_id=credentials["AccessKeyId"],
    aws_secret_access_key=credentials["SecretAccessKey"],
    aws_session_token=credentials["SessionToken"]
    # add other params if needed
)
```

I would be happy to raise a PR and merge this code if this solution works. Please let me know in case I missed something. Thanks,
@vaisakhpisharody This request would require a new For programmatic role assumption, I opened PR boto/botocore#2096 months ago to add the necessary
Hi @benkehoe This looks like something cool that could be merged, but I still don't understand how this change would refresh credentials on its own? Also, we would have to write patching Please let me know in case I missed something. Thanks,
@vaisakhpisharody The original request is that there is an environment variable that causes a role to be assumed based on other AWS credentials. This would need to be implemented in botocore, and would then work for both the AWS CLI and boto3. Currently, role assumption is possible using

```ini
[profile my-source-profile]
region = us-east-2

[profile my-assume-role-profile]
role_arn = arn:aws:iam::ACCOUNT:role/ROLE_NAME
source_profile = my-source-profile
region = us-east-2
```

where the credentials for Then you can do (for example) The web identity provider works a similar way. You can have your

```ini
[profile my-web-identity-profile]
role_arn = arn:aws:iam::ACCOUNT:role/ROLE_NAME
web_identity_token_file = /path/to/file
```

However, the web identity provider is implemented in such a way that it also looks for As you say, the However, if the code uses the module-level
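The profile-based role assumption described in the comment above, as an added example that is not part of the thread or of botocore: a simplified model that walks a config file's `source_profile` chain and reports which STS operation each profile would use, which helps when reviewing what identities a profile ultimately depends on. The sample config is constructed from the profiles quoted above, and `resolve_chain` is a hypothetical helper that does not reproduce botocore's full resolution logic.

```python
import configparser

# Constructed sample, built from the profiles quoted in the thread.
SAMPLE_CONFIG = """
[profile my-source-profile]
region = us-east-2

[profile my-assume-role-profile]
role_arn = arn:aws:iam::ACCOUNT:role/ROLE_NAME
source_profile = my-source-profile

[profile my-web-identity-profile]
role_arn = arn:aws:iam::ACCOUNT:role/ROLE_NAME
web_identity_token_file = /path/to/file
"""


def resolve_chain(config_text, profile):
    """Hypothetical helper: ordered (method, target) steps for `profile`."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    steps, seen = [], set()
    while True:
        section = "default" if profile == "default" else f"profile {profile}"
        if not parser.has_section(section):
            raise KeyError(f"profile {profile!r} is not defined")
        if profile in seen:
            raise ValueError(f"source_profile loop through {profile!r}")
        seen.add(profile)
        opts = parser[section]
        role_arn = opts.get("role_arn")
        if role_arn is None:
            # No role: this profile supplies the base credentials itself.
            steps.append(("base-credentials", profile))
            break
        if "web_identity_token_file" in opts:
            # The token file is the credential: AssumeRoleWithWebIdentity.
            steps.append(("AssumeRoleWithWebIdentity", role_arn))
            break
        steps.append(("AssumeRole", role_arn))
        if "credential_source" in opts:
            # Base credentials come from the environment or metadata service.
            steps.append(("credential_source", opts["credential_source"]))
            break
        if "source_profile" not in opts:
            raise ValueError(f"{profile!r}: role_arn without a credential source")
        profile = opts["source_profile"]
    return list(reversed(steps))
```

The returned list is ordered from the base credentials outward, so the last entry is the role the named profile ends up with.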
Hi! Just pinging to see if there is motion on this request- it would make our use of cloudwatch log pushers (from the v1 awscli) much more flexible.
Is your feature request related to a problem? Please describe.
I recently discovered that boto has the feature of assuming a role using a web identity if `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are provided.
But it is not possible to assume a role (`AssumeRole` operation) using only `AWS_ROLE_ARN`.
.The only way we have to assume role is to execute the following steps:
I am also open to suggestions on how to make that easier.
Describe the solution you'd like
I would like to be able to assume other roles by providing the `AWS_ROLE_ARN` env var.
NOTE: I want to assume a role using `AssumeRole`, not `AssumeRoleWithWebIdentity`
Thanks!