Credentials for an IAM role assumed as an IAM user - AWS SDKs and Tools

Credentials for an IAM role assumed as an IAM user

This topic describes how to configure the shared AWS config and credentials files so that an AWS SDK or developer tool authenticates to AWS as an IAM role. The SDK or tool assumes the role using the long-term credentials of a separate IAM user, so the user's access keys themselves carry no permissions beyond sts:AssumeRole.

Scenario description

This scenario requires that you have two entities created in IAM:

  • An IAM user that in this example we call UserAlpha. This user has an IAM identity-based policy that permits only the sts:AssumeRole operation, so its long-term access keys cannot be used directly against any other service.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "*"
            }
        ]
    }

    Resource "*" lets the user attempt to assume any role that trusts it; scoping Resource to the ARN of RoleBeta is the usual least-privilege tightening.
  • An IAM role that in this example we call RoleBeta. Its trust policy names the account root as principal, which delegates the decision to IAM: any user or role in account 123456789012 whose own identity-based policy allows sts:AssumeRole on this role can assume it.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }

    The empty Condition block is where you would add constraints such as aws:MultiFactorAuthPresent if the role should require MFA.

    It also has an IAM permissions policy that enables it to perform any action in Amazon S3.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    }

How to configure the profile

The following example config and credentials files show how you can configure SDK or AWS developer tool access using RoleBeta.

Contents of config

[profile UserAlpha]
region = us-west-2
output = json

[profile RoleBeta]
source_profile = UserAlpha
role_arn = arn:aws:iam::123456789012:role/RoleBeta

Contents of credentials

[UserAlpha]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

How to use the profile

As an example, you can run the following AWS CLI command to list the Amazon S3 buckets in the account. The AWS CLI sees that the RoleBeta profile references the source_profile UserAlpha. It looks up the UserAlpha access key and secret key and uses them to call the sts:AssumeRole operation on the Amazon Resource Name (ARN) of RoleBeta. That operation returns temporary credentials (access key, secret key and session token) for RoleBeta, which the AWS CLI then uses to call the S3 ListBuckets API operation (authorized by the role's s3:* permission). The AWS CLI caches the temporary credentials on disk under ~/.aws/cli/cache and calls sts:AssumeRole again when they expire; the default session lasts one hour, and the profile can set duration_seconds up to the role's configured maximum. Each sts:AssumeRole call is recorded in AWS CloudTrail, so the user identity behind every role session stays traceable.

$ aws s3api list-buckets --profile RoleBeta
{
    "Buckets": [
        {
            "Name": "my-first-bucket",
            "CreationDate": "2018-08-31T07:46:02+00:00"
        },
        {
            "Name": "my-second-bucket",
            "CreationDate": "2019-09-17T19:17:31+00:00"
        },
        {
            "Name": "my-third-bucket",
            "CreationDate": "2018-06-12T23:18:08+00:00"
        }
    ],
    "Owner": {
        ...truncated...
    }
}
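The profile resolution described above can be reproduced outside the CLI. The following added example (written for this page; it is not AWS or AWS CLI code) parses constructed inline copies of the config and credentials files, follows source_profile and role_arn links the way the CLI does, and passes each hop to a caller-supplied assume_role function. Beyond the page's single hop it also handles a chained role (the hypothetical RoleGamma, whose source_profile is RoleBeta) and refuses a source_profile cycle. The boto3 call at the bottom is only used when the script is run directly with a real AWS account; the resolution logic itself needs no network.

```python
"""Resolve an AWS shared-config profile chain (added example, not AWS code)."""
import configparser
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed copies of the two files on the page. RoleGamma is an assumed
# extra profile added here to exercise role chaining.
CONFIG_TEXT = """
[profile UserAlpha]
region = us-west-2
output = json

[profile RoleBeta]
source_profile = UserAlpha
role_arn = arn:aws:iam::123456789012:role/RoleBeta

[profile RoleGamma]
source_profile = RoleBeta
role_arn = arn:aws:iam::123456789012:role/RoleGamma
role_session_name = gamma-session
"""

CREDENTIALS_TEXT = """
[UserAlpha]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None  # only present for STS temporary credentials


# Hook that performs one sts:AssumeRole call: (source creds, role ARN, session name).
AssumeRole = Callable[[Credentials, str, str], Credentials]


def parse_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cp.read_string(text)
    return cp


def config_section(config: configparser.ConfigParser, name: str) -> Dict[str, str]:
    # The config file writes non-default profiles as "[profile NAME]";
    # the credentials file uses the bare "[NAME]" form.
    key = name if name == "default" else f"profile {name}"
    return dict(config[key]) if config.has_section(key) else {}


def resolve_profile(name: str, config: configparser.ConfigParser,
                    credentials: configparser.ConfigParser, assume_role: AssumeRole,
                    _chain: Optional[List[str]] = None) -> Credentials:
    chain = list(_chain or [])
    if name in chain:  # A -> B -> A would otherwise recurse forever
        raise ValueError("cyclic source_profile chain: " + " -> ".join(chain + [name]))
    chain.append(name)
    settings = config_section(config, name)
    role_arn = settings.get("role_arn")
    if role_arn is None:
        # Leaf profile: static long-term keys. The credentials file takes precedence.
        static = dict(credentials[name]) if credentials.has_section(name) else settings
        try:
            return Credentials(static["aws_access_key_id"], static["aws_secret_access_key"])
        except KeyError:
            raise ValueError(f"profile {name!r} has neither role_arn nor static keys") from None
    source = settings.get("source_profile")
    if source is None:
        raise ValueError(f"profile {name!r} sets role_arn without source_profile")
    # Resolve the source first (recursively, so chained roles work), then hop.
    source_creds = resolve_profile(source, config, credentials, assume_role, chain)
    session_name = settings.get("role_session_name", f"{name}-session")
    return assume_role(source_creds, role_arn, session_name)


def assume_role_with_boto3(source: Credentials, role_arn: str, session_name: str) -> Credentials:
    """Real STS call; requires boto3 and network, so imported lazily."""
    import boto3
    sts = boto3.client("sts", aws_access_key_id=source.access_key_id,
                       aws_secret_access_key=source.secret_access_key,
                       aws_session_token=source.session_token)
    c = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return Credentials(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"])


def resolve(name: str, assume_role: AssumeRole = assume_role_with_boto3) -> Credentials:
    return resolve_profile(name, parse_ini(CONFIG_TEXT), parse_ini(CREDENTIALS_TEXT), assume_role)


if __name__ == "__main__":
    creds = resolve("RoleBeta")
    print(creds.access_key_id, "session token present:", creds.session_token is not None)
```

Passing assume_role as a parameter is what makes the chain testable without an AWS account; in a test you hand in a function that records each hop and returns fabricated temporary credentials, and the recorded hops show that RoleGamma is reached with RoleBeta's temporary credentials rather than with UserAlpha's long-term keys.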