AWS Command Line Interface
User Guide

Assuming an IAM Role in the AWS CLI

An AWS Identity and Access Management (IAM) role is an authorization tool that lets an IAM user gain additional (or different) permissions, or get permissions to perform actions in a different AWS account.

You can configure the AWS Command Line Interface (AWS CLI) to use an IAM role by defining a profile for the role in the ~/.aws/config file.

The following example shows a role profile named marketingadmin. If you run commands with --profile marketingadmin (or specify it with the AWS_DEFAULT_PROFILE environment variable), then the CLI uses the permissions assigned to the profile user1 to assume the role with the Amazon Resource Name (ARN) arn:aws:iam::123456789012:role/marketingadminrole. You can run any operations that are allowed by the permissions assigned to that role.

[profile marketingadmin] role_arn = arn:aws:iam::123456789012:role/marketingadminrole source_profile = user1

You must specify a source_profile that points to a separate named profile that contains IAM user credentials with permission to assume the role. In the previous example, the marketingadmin profile uses the credentials in the user1 profile. When you specify that an AWS CLI command is to use the profile marketingadmin, the CLI automatically looks up the credentials for the linked user1 profile and uses them to request temporary credentials for the specified IAM role. The CLI uses the sts:AssumeRole operation in the background to accomplish this. Those temporary credentials are then used to run the requested CLI command. The specified role must have attached IAM permission policies that allow the requested CLI command to run.

If you want to run a CLI command from within an Amazon EC2 instance, you can use an IAM role attached to an Amazon EC2 instance profile or an Amazon ECS container role. This enables you to avoid storing long-lived access keys on your instances. To do this, you use credential_source (instead of source_profile) to specify how to find the credentials. The credential_source attribute supports the following values:

  • Environment – to retrieve the credentials from environment variables.

  • Ec2InstanceMetadata – to use the IAM role attached to the Amazon EC2 instance profile.

  • EcsContainer – to use the IAM role attached to the Amazon ECS container.

The following example shows the same marketingadminrole role assumed by referencing an Amazon EC2 instance profile:

[profile marketingadmin] role_arn = arn:aws:iam::123456789012:role/marketingadminrole credential_source = Ec2InstanceMetadata

For more information, see AWS CLI Configuration Variables.

Configuring and Using a Role

When you run commands using a profile that specifies an IAM role, the AWS CLI uses the source profile's credentials to call AWS Security Token Service (AWS STS) and request temporary credentials for the specified role. The user in the source profile must have permission to call sts:assume-role for the role in the specified profile. The role must have a trust relationship that allows the user in the source profile to assume the role. The process of retrieving and then using temporary credentials for a role is often referred to as assuming the role.

You can create a new role in IAM with the permissions that you want users to assume by following the procedure under Creating a Role to Delegate Permissions to an IAM User in the AWS Identity and Access Management User Guide. If the role and the source profile's IAM user are in the same account, you can enter your own account ID when configuring the role's trust relationship.

After creating the role, modify the trust relationship to allow the IAM user (or the users in the AWS account) to assume it.

The following example shows a trust policy that you could attach to a role. This policy allows the role to be assumed by any IAM user in the account 123456789012, if the administrator of that account explicitly grants the sts:assumerole permission to the user.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole" } ] }

The trust policy doesn't actually grant permissions. The administrator of the account must delegate the permission to assume the role to individual users by attaching a policy with the appropriate permissions. The following example shows a policy that you can attach to an IAM user that allows the user to assume only the marketingadminrole role. For more information about granting a user access to assume a role, see Granting a User Permission to Switch Roles in the IAM User Guide.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::123456789012:role/marketingadminrole" } ] }

The IAM user doesn't need to have any additional permissions to run the CLI commands using the role profile. Instead, the permissions to run the command come from those attached to the role. You attach permission policies to the role to specify which actions can be performed against which AWS resources. For more information about attaching permissions to a role (which works identically to an IAM user), see Changing Permissions for an IAM User in the IAM User Guide.

Now that you have the role profile, role permissions, role trust relationship, and user permissions properly configured, you can use the role at the command line by invoking the --profile option. For example, the following command calls the Amazon S3 ls command using the permissions attached to the marketingadmin role as defined by the example at the beginning of this topic.

$ aws s3 ls --profile marketingadmin

To use the role for several calls, you can set the AWS_DEFAULT_PROFILE environment variable for the current session from the command line. While that environment variable is defined, you don't have to specify the --profile option on each command.

Linux, macOS, or Unix

$ export AWS_DEFAULT_PROFILE=marketingadmin

Windows

C:\> setx AWS_DEFAULT_PROFILE=marketingadmin

For more information on configuring IAM users and roles, see Users and Groups and Roles in the IAM User Guide.

Using Multi-Factor Authentication

For additional security, you can require that users provide a one-time key generated from a multi-factor authentication (MFA) device, a U2F device, or mobile app when they attempt to make a call using the role profile.

First, modify the trust relationship on the IAM role to require MFA. For an example, see the Condition line in the following example.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/jonsmith" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:multifactorAuthPresent": true } } } ] }

Next, add a line to the role profile that specifies the ARN of the user's MFA device.

[profile marketingadmin] role_arn = arn:aws:iam::123456789012:role/marketingadmin source_profile = default mfa_serial = arn:aws:iam::123456789012:mfa/saanvi

The mfa_serial setting can take an ARN, as shown, or the serial number of a hardware MFA token.

Cross-Account Roles

You can enable IAM users to assume roles that belong to different accounts by configuring the role as a cross-account role. During role creation, set the role type to Another AWS account, as described in Creating a Role to Delegate Permissions to an IAM user. Optionally, select Require MFA. The Require MFA option configures the appropriate condition in the trust relationship, as described in Using Multi-Factor Authentication.

If you use an external ID to provide additional control over who can assume a role across accounts, you must also add the external_id parameter to the role profile. You typically use this only when the other account is controlled by someone outside your company or organization.

[profile crossaccountrole] role_arn = arn:aws:iam::234567890123:role/SomeRole source_profile = default mfa_serial = arn:aws:iam::123456789012:mfa/saanvi external_id = 123456

For more information, see AWS CLI Configuration Variables.

Clearing Cached Credentials

When you assume a role, the AWS CLI caches the temporary credentials locally until they expire. If your role's temporary credentials are revoked, you can delete the cache to force the AWS CLI to retrieve new credentials.

Linux, macOS, or Unix

$ rm -r ~/.aws/cli/cache

Windows

C:\> del /s /q %UserProfile%\.aws\cli\cache