assume-role-arn is a simple golang binary that can be used in CI/CD pipelines, so you don't need any external dependencies while assuming cross-account roles from your environment. No need to install python/awscli and jq.
- no need to set up awscli profiles
- no dependencies, released as binary
- ability to execute in-line commands
- supports external id
- supports source profile in shared credentials files
$ eval $(assume-role-arn -r <role_arn>)
$ aws sts get-caller-identity

$ assume-role-arn -r <role_arn> aws sts get-caller-identity
-r role_arn - required, role ARN
-e external_id - optional, if you need to specify external id
-n role_session_name - probably you don't need this
CI/CD pipeline example
Let's say we have three AWS accounts:
You have your IAM deployment user only on iam account, but it can assume cross-account roles in
Make sure you have your AWS_SECRET_ACCESS_KEY exported in your pipeline's env variables.
Go to Releases and select the binary from the release you want to use. For v0.2 on Linux it would be https://github.com/nordcloud/assume-role-arn/releases/download/v0.2/assume-role-arn-linux
Add the following steps at the beginning of your deployment script:
# -L follows the redirect GitHub issues for release downloads; -f fails on HTTP errors
curl -fL https://github.com/nordcloud/assume-role-arn/releases/download/v0.2/assume-role-arn-linux -o /usr/local/bin/assume-role-arn
chmod +x /usr/local/bin/assume-role-arn
eval $(assume-role-arn -r arn:aws:iam::ACCOUNT_NUMBER_STG:role/Deployment)
Adjust the output path of the curl command and the role ARN to your needs.
Now you should be able to execute AWS-related commands with your assumed role.
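The download step above fetches an executable that then handles your deployment credentials, so a pipeline can pin its digest and refuse to install anything else. The following is an added example, not part of assume-role-arn: the function names and `RELEASE_URL` are hypothetical, and the pinned digest is a placeholder you compute yourself from a binary you have vetted, since this page publishes no checksum.

```shell
#!/bin/sh
# Added example: verify a downloaded release binary against a pinned SHA-256
# before installing it. Function names are hypothetical, not part of assume-role-arn.

# verify_sha256 FILE EXPECTED_HEX: succeeds only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    [ -f "$file" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')   # e.g. macOS runners
    fi
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_if_verified SRC EXPECTED_HEX DEST: moves SRC to DEST as an executable
# only after the digest matches; on mismatch SRC is deleted so it cannot be run.
install_if_verified() {
    src=$1; expected=$2; dest=$3
    if ! verify_sha256 "$src" "$expected"; then
        echo "checksum mismatch for $src, refusing to install" >&2
        rm -f "$src"
        return 1
    fi
    chmod 0755 "$src" && mv "$src" "$dest"
}

# Usage in a deployment script (placeholder digest: compute it once from a
# binary you have vetted and commit it with the pipeline definition):
#   PINNED_SHA256='<sha256-of-vetted-binary>'
#   tmp=$(mktemp)
#   curl -fsSL "$RELEASE_URL" -o "$tmp"
#   install_if_verified "$tmp" "$PINNED_SHA256" /usr/local/bin/assume-role-arn || exit 1
#   eval $(assume-role-arn -r arn:aws:iam::ACCOUNT_NUMBER_STG:role/Deployment)
```

Downloading to a temporary file first means a tampered or truncated binary never lands on `PATH`, and the `eval` step is reached only after the check passes.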
- Jakub Woźniak, Nordcloud