arar: Assume Role And Run performs assume-role and run a command with that credentials.
Combination with AWS_ACCESS_KEY_ID and AWS_PROFILE environment variables doesn't allow assume-role. You must pass AWS_PROFILE without environment variables, e.g. with --profile
:
# This doesn't work as expected. This just result the identity of the IAM user with AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=xxx \
AWS_SECRET_ACCESS_KEY=xxx \
AWS_PROFILE=assume-roling-profile \
aws sts get-caller-identity
And you cannot specify the role to assume with environment variable. You always need setup .aws/config
.
(Actually, you should use Web Identity for those situations if you could.)
Those limitations are really hard to use in CI/CD. arar
provides those mechanisms.
Download binary from Releases.
You can peerform assume-role like this:
AWS_ACCESS_KEY_ID=xxx \
AWS_SECRET_ACCESS_KEY=xxx \
AWS_REGION=us-east-1 \
AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxx:role/assumerole-role \
AWS_ROLE_SESSION_NAME=assumerole-user \
arar -- aws sts get-caller-identity
Also supports command line options (aws sts assume-role
compatible):
AWS_ACCESS_KEY_ID=xxx \
AWS_SECRET_ACCESS_KEY=xxx \
arar \
--region=ap-northeast-1 \
--role-arn=arn:aws:iam::xxxxxxxxxxx:role/assumerole-role \
--role-session-name=assumerole-user
-- \
aws sts get-caller-identity
Supports token codes with MFA devices:
arar \
--serial-number=arn:aws:iam::xxxxxxxxxxx:mfa/assumeroling-user
-- \
aws sts get-caller-identity
-u/--username-session
option sets the session name with IAM user name.
This is useful when the role is configured with "sts:RoleSessionName": "${aws:username}"
. (AWS Security Blog post).
arar -u -- aws sts get-caller-identity