feat: Support role_arn and source_profile for IAM role assumption #83

Merged: huseyinbabal merged 1 commit into master from feature/assume-role on Jan 15, 2026

@huseyinbabal (Owner)

Summary

Add support for assuming IAM roles using role_arn and source_profile configuration in ~/.aws/config. This is a common pattern in enterprise environments for cross-account access and least-privilege security.

Closes #13

Changes

  • Parse config options: role_arn, source_profile, external_id, role_session_name, duration_seconds, region
  • Recursive resolution: source_profile can point to another profile that also uses role assumption (chained roles)
  • STS AssumeRole: Call STS API with SigV4 signed HTTP requests
  • Credential caching: Cache temporary credentials with automatic refresh before expiration
  • Credential chain: Integrated at priority 3 (after SSO, before credentials file)

Example Configuration

[profile base]
region = us-east-1

[profile production]
role_arn = arn:aws:iam::123456789012:role/ProductionAccess
source_profile = base
region = us-west-2

[profile partner-account]
role_arn = arn:aws:iam::987654321098:role/PartnerAccess
source_profile = base
external_id = my-external-id

Supported Options

| Option | Required | Description |
|---|---|---|
| role_arn | Yes | ARN of the IAM role to assume |
| source_profile | Yes | Profile to use for source credentials |
| external_id | No | External ID for cross-account trust policies |
| role_session_name | No | Custom session name (default: taws-session) |
| duration_seconds | No | Session duration in seconds (default: 3600) |
| region | No | Region for STS endpoint |

Testing

  • Added unit tests for XML parsing, error handling, and caching
  • All 64 tests pass
  • Builds successfully on release profile

Add support for assuming IAM roles using role_arn and source_profile
configuration in ~/.aws/config. This is a common pattern for:
- Cross-account AWS access
- Least-privilege access patterns
- Chained role assumption

Implementation:
- Parse role_arn, source_profile, external_id, role_session_name,
  duration_seconds from config file
- Recursively resolve source_profile credentials (supports chained roles)
- Call STS AssumeRole API with SigV4 signed requests
- Cache temporary credentials with automatic refresh before expiration
- Integrate into credential chain (priority 3, after SSO)

Supported config options:
- role_arn (required): ARN of role to assume
- source_profile (required): Profile for source credentials
- external_id (optional): For cross-account trust policies
- role_session_name (optional): Custom session name
- duration_seconds (optional): Session duration
- region (optional): Region for STS endpoint

Closes #13

huseyinbabal merged commit 510a9be into master on Jan 15, 2026
4 checks passed
huseyinbabal deleted the feature/assume-role branch on January 15, 2026 08:39
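
The recursive source_profile resolution described in this PR, as an added Rust example that is not the project's own code: it parses profile sections and returns the AssumeRole hops in the order they must be performed, rejecting cycles and dangling references. `parse_config`, `resolve_chain` and `SAMPLE` are hypothetical names, and the `audit` and `loop-*` profiles are constructed for illustration.

```rust
use std::collections::HashMap;

type Profiles = HashMap<String, HashMap<String, String>>;
// Constructed sample: profiles from the PR example plus a chained role and a cycle.
const SAMPLE: &str = "
[profile base]
[profile production]
role_arn = arn:aws:iam::123456789012:role/ProductionAccess
source_profile = base
[profile audit]
role_arn = arn:aws:iam::123456789012:role/Audit
source_profile = production
[profile loop-a]
role_arn = arn:aws:iam::123456789012:role/A
source_profile = loop-b
[profile loop-b]
role_arn = arn:aws:iam::123456789012:role/B
source_profile = loop-a
";

/// Parse `[profile name]` / `[default]` sections and their `key = value` lines.
fn parse_config(text: &str) -> Profiles {
    let (mut profiles, mut current) = (Profiles::new(), None::<String>);
    for line in text.lines().map(str::trim).filter(|l| !l.starts_with(['#', ';'])) {
        if let Some(header) = line.strip_prefix('[').and_then(|l| l.strip_suffix(']')) {
            let name = header.trim_start_matches("profile ").trim().to_string();
            profiles.entry(name.clone()).or_default();
            current = Some(name);
        } else if let (Some(name), Some((k, v))) = (&current, line.split_once('=')) {
            profiles.get_mut(name).unwrap().insert(k.trim().into(), v.trim().into());
        }
    }
    profiles
}

/// AssumeRole hops for `profile` as (profile, role_arn), nearest the base credentials first.
fn resolve_chain(profiles: &Profiles, profile: &str) -> Result<Vec<(String, String)>, String> {
    let (mut hops, mut seen, mut name) = (Vec::new(), Vec::new(), profile);
    loop {
        if seen.contains(&name) { return Err(format!("cycle in source_profile chain at '{name}'")); }
        seen.push(name);
        let p = profiles.get(name).ok_or_else(|| format!("profile '{name}' not found"))?;
        let Some(role) = p.get("role_arn") else { break }; // no role_arn: base credentials
        hops.push((name.to_string(), role.clone()));
        name = p.get("source_profile").map(String::as_str)
            .ok_or_else(|| format!("profile '{name}' has role_arn but no source_profile"))?;
    }
    hops.reverse(); // the walk went target-to-base; assumption runs base-to-target
    Ok(hops)
}

fn main() { println!("{:?}", resolve_chain(&parse_config(SAMPLE), "audit")); }
```

Without the `seen` check, the `loop-a`/`loop-b` pair would recurse forever; a resolver that follows source_profile has to bound the walk before any STS call is made.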