Assuming we have two AWS accounts, Account-A and Account-B, and an EC2 instance running in Account-A.

aws ec2 describe-instances

works as expected for the instance's own account without a ~/.aws/credentials file, since the instance uses an instance role.

My goal is to run aws ec2 describe-instances for Account-B from this instance.
The following command works and outputs credentials:
$ aws sts assume-role --role-arn arn:aws:iam::012345678901:role/accountb-role --role-session-name test
However, this does not:
$ aws ec2 describe-instances --profile AccountB
'aws_access_key_id'
~/.aws/config
[default]
region = us-east-1
[profile AccountB]
role_arn = arn:aws:iam::012345678901:role/accountb-role
source_profile = default
As I mentioned, ~/.aws/credentials does not exist, as the instance uses an instance role for IAM.
accountb-role Trust Relationship Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::012345678900:role/accounta-role"
},
"Action": "sts:AssumeRole"
}
]
}
instance inline policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490625590000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::012345678901:role/accountb-role"
]
}
]
}
Both the accounta-role instance role and accountb-role also have the stock ReadOnlyAccess IAM policy attached.
Best Answer
If anyone is still interested in the answer, you have to save the AWS credentials to be able to use AccountB between these calls:
<< save aws_access_key_id, aws_secret_access_key, AWS_SESSION_TOKEN here>>
You then call
to make sure you have them set up. Also, AWS_SESSION_TOKEN can expire after some time.
This article explains in detail
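The question's profile fails because `source_profile = default` tells the CLI to look for static keys for `default`, and on an instance that only has an instance role there are none. The accepted answer's approach is to capture the three values that `aws sts assume-role` returns and hand them to the CLI, either as environment variables or as a named profile in the credentials file, and to remember that the session token expires. The script below is an added example written for this page, not code from the question or the answer. It works entirely on a constructed sample of the assume-role JSON (the key, secret and token values are fake placeholders), parses it, writes an `[AccountB]` profile with a session token into a credentials file in a temporary directory with owner-only permissions, reports whether the credentials are already past (or within five minutes of) their expiry, and also emits the `~/.aws/config` stanza using `credential_source = Ec2InstanceMetadata`, which is the AWS CLI's documented way to assume a role directly from the instance role without any static keys on disk. The profile name, role ARN and temp-file handling are assumptions for the demonstration.

```python
import configparser
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample of `aws sts assume-role` output (CLI v1 prints Expiration with
# a trailing "Z", v2 with "+00:00"). All credential values here are fake placeholders.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "EXAMPLEsecretKEYplaceholderxxxxxxxxxxxxx",
        "SessionToken": "EXAMPLEsessionTOKENplaceholder",
        "Expiration": "2030-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:test",
        "Arn": "arn:aws:sts::012345678901:assumed-role/accountb-role/test",
    },
})

# Same shape, but with an expiry long in the past, to exercise the expiry check.
SAMPLE_EXPIRED_OUTPUT = SAMPLE_ASSUME_ROLE_OUTPUT.replace(
    "2030-01-01T00:00:00Z", "2017-03-27T16:33:08+00:00")


def parse_assume_role_output(raw_json: str) -> Dict[str, object]:
    """Pull the three credential values and the expiry out of assume-role JSON."""
    creds = json.loads(raw_json)["Credentials"]
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": expiry,
    }


def is_expired(creds: Dict[str, object], now: Optional[datetime] = None,
               skew: timedelta = timedelta(minutes=5)) -> bool:
    """Treat the session as expired a few minutes early so a long listing
    does not fail part-way through when the token lapses."""
    now = now or datetime.now(timezone.utc)
    return now + skew >= creds["expiration"]


def export_lines(creds: Dict[str, object]) -> List[str]:
    """Environment-variable form of the credentials (current shell session only)."""
    return [
        "export AWS_ACCESS_KEY_ID=%s" % creds["aws_access_key_id"],
        "export AWS_SECRET_ACCESS_KEY=%s" % creds["aws_secret_access_key"],
        "export AWS_SESSION_TOKEN=%s" % creds["aws_session_token"],
    ]


def write_credentials_profile(creds: Dict[str, object], profile: str, path: str) -> str:
    """Write (or overwrite) a named profile, including aws_session_token, into an
    INI-style credentials file created with owner-only permissions."""
    cp = configparser.RawConfigParser()  # Raw: no '%' interpolation of token values
    cp.read(path)
    if not cp.has_section(profile):
        cp.add_section(profile)
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        cp.set(profile, key, creds[key])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cp.write(fh)
    return path


def read_credentials_profile(path: str, profile: str) -> Dict[str, str]:
    """Read a profile back, as the CLI would, to confirm all three values landed."""
    cp = configparser.RawConfigParser()
    cp.read(path)
    return dict(cp.items(profile))


def round_trip(raw_json: str, profile: str) -> Dict[str, str]:
    """Parse sample output, write it to a temp credentials file, read it back."""
    creds = parse_assume_role_output(raw_json)
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    write_credentials_profile(creds, profile, path)
    return read_credentials_profile(path, profile)


def instance_role_config_stanza(profile: str, role_arn: str) -> str:
    """~/.aws/config profile that assumes the role straight from the instance role;
    credential_source replaces source_profile, so no static keys are needed."""
    return ("[profile %s]\nrole_arn = %s\ncredential_source = Ec2InstanceMetadata\n"
            % (profile, role_arn))


if __name__ == "__main__":
    creds = parse_assume_role_output(SAMPLE_ASSUME_ROLE_OUTPUT)
    print("expired:", is_expired(creds))
    print("\n".join(export_lines(creds)))
    print(round_trip(SAMPLE_ASSUME_ROLE_OUTPUT, "AccountB"))
    print(instance_role_config_stanza("AccountB",
                                      "arn:aws:iam::012345678901:role/accountb-role"))
```

With a real `aws sts assume-role` run, pipe its output into `parse_assume_role_output` and then either `eval` the export lines or write the profile and run `aws ec2 describe-instances --profile AccountB`; re-run the assume-role step once `is_expired` reports true. The `credential_source = Ec2InstanceMetadata` stanza avoids the whole save-and-refresh cycle, since the CLI then performs the assume-role call itself using the instance role as the source.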