AWS CLI configuration for assuming a different role

On a previous post we saw how to test we can assume a role using AWS CLI but how can we configure AWS CLI to assume an specific role before performing some request? We can do it using a profile to save us from the trouble of having to change three different environment variables.

The actual profile that we need to setup depends on how we have the current role. Let's assume we are using an instance profile, for other cases refer to the AWS documentation about this.

We'll have to modify the ~/.aws/config file adding a new profile as follows:

# cat config 
[profile test]
role_arn=arn:aws:iam::222222222222:role/test/demorole
credential_source = Ec2InstanceMetadata

This is telling AWS cli that for the profile named test; we are using the instance profile as source for assuming the role specified using role_arn.

To be able to use this profile we will have to set the variable AWS_PROFILE with the profile name, on this example it would be test:

# AWS_PROFILE=test aws s3 ls
2021-03-04 22:05:15 test-s3-bucket
2021-02-01 23:32:17 test-s4-bucket
2021-03-23 21:54:00 test-s5-bucket
(...)

Posted on 06/04/2021

Categories