Script for assuming an AWS role at the command line
last updated: Mar 07, 2024
```bash
#!/usr/bin/env bash
# To use this script, run:
#
# $ eval "$(bin/assume-role.sh)"
#
# assume the required role and read the new credentials into an array
set -euo pipefail

# the ARN of the role you want to access
ROLE=arn:aws:iam::123456123456:role/SomeAccessRole
# the name to give the assumed role session
NAME=some-access-role

# attempt to assume the role given by the ARN above and print the short-lived
# credentials as one tab-separated line: access key, secret key, session token
assume_role() {
  aws sts assume-role \
    --role-arn "$ROLE" \
    --role-session-name "$NAME" \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text
}

# capture the output in an assignment first: the exit status of `aws` is not
# visible through a here-string (`read <<< "$(aws ...)"` succeeds even when the
# aws call fails, so a fallback guarded that way would never run)
if ! output=$(assume_role); then
  # we might be running with a role's no-longer-valid AWS environment
  # variables, so unset them and try again. If the user has auth
  # configured in their home dir, the next call will use those creds
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  output=$(assume_role)
fi

# read the credentials into an array named "creds" with three elements:
# [access key, secret key, session token]
read -ra creds <<< "$output"

# print an export statement for each variable, so the user can eval them
printf 'export AWS_ACCESS_KEY_ID="%s"\n' "${creds[0]}"
printf 'export AWS_SECRET_ACCESS_KEY="%s"\n' "${creds[1]}"
printf 'export AWS_SESSION_TOKEN="%s"\n' "${creds[2]}"
```
Script derived from this Stack Overflow answer.
I don't really like this method of getting creds with assume-role, but it works for now. If you have a better way, definitely let me know.