
wamonomicon


envassume

Assume an AWS IAM role from AWS API credentials in environment variables.

I like to use envdir when selecting AWS API keys for CLI usage. Assuming IAM roles is awkward on the CLI, as you have to get the temporary role credentials via aws sts assume-role and manually extract them to an envdir or environment variables before running anything. I wrote envassume to give an envdir-like experience when assuming roles. It uses the current credentials to perform the STS request, then extracts the temporary credentials and replaces the environment variables with them for the child command, e.g.

envassume arn:aws:iam::123456789012:role/example aws s3 ls

or with an external ID, e.g.

envassume -i external_id arn:aws:iam::123456789012:role/example aws s3 ls

The ARN and external ID can be set in the environment variables AWS_ASSUME_ROLE and AWS_ASSUME_ID e.g.

AWS_ASSUME_ROLE=arn:aws:iam::123456789012:role/example AWS_ASSUME_ID=external_id envassume aws s3 ls

Please note, if the ARN is set by environment variable, then no other envassume options can be set.
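
The mechanism described above (take the STS response, overwrite the credential variables, run the child) as an added example; this is not envassume's own source. The response is a constructed sample of aws sts assume-role output, role_environment and run_with_role are hypothetical names, and the expiry check and the removal of the legacy AWS_SECURITY_TOKEN variable are choices of this example.

```python
import json
import os
import subprocess
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` JSON output (not real credentials).
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
        "SecretAccessKey": "constructed-secret-key",
        "SessionToken": "constructed-session-token",
        "Expiration": "2017-05-14T13:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEEXAMPLE00:envassume-example",
        "Arn": "arn:aws:sts::123456789012:assumed-role/example/envassume-example",
    },
})

def role_environment(response_json, base_env, now=None):
    """Return a copy of base_env carrying only the temporary role credentials."""
    creds = json.loads(response_json)["Credentials"]
    # Accept both the "Z" and "+00:00" spellings of a UTC timestamp.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("temporary credentials expired at %s" % expires)
    env = dict(base_env)  # copy, so the caller's environment is never modified
    # Assumption of this example: drop the legacy token variable so a stale
    # value from the original session is not passed on to the child.
    env.pop("AWS_SECURITY_TOKEN", None)
    env["AWS_ACCESS_KEY_ID"] = creds["AccessKeyId"]
    env["AWS_SECRET_ACCESS_KEY"] = creds["SecretAccessKey"]
    env["AWS_SESSION_TOKEN"] = creds["SessionToken"]
    return env

def run_with_role(response_json, command, base_env=None, now=None):
    """Run command with the role credentials and return its exit status."""
    base = os.environ if base_env is None else base_env
    env = role_environment(response_json, base, now)
    # Only the child sees the temporary credentials; they die with the process.
    return subprocess.run(command, env=env).returncode
```

Because the credentials exist only in the child's environment, nothing has to be written to disk or cleaned up from the parent shell afterwards.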

envassume is available on PyPI and GitHub.

Posted Sun 14 May '17 in AWS