How can I use the AWS CLI to make AssumeRole calls and store temporary user credentials?
I want to get credentials from AssumeRoleWithSAML, AssumeRole, and AssumeRoleWithWebIdentity operations using the AWS Command Line Interface (AWS CLI).
Resolution
To get credentials from AssumeRoleWithSAML, AssumeRole, and AssumeRoleWithWebIdentity, complete the following steps to call the API and save the output to a text file. Then, use the output to call an API command with the AWS CLI.
Important:
- If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
- The parameters role-arn and role-session-name are required.
AssumeRoleWithSAML
Note: You must have a valid SAML 2.0 response from your identify provider and an IAM role that trusts the IdP.
Get the SAML Response from developer tools.
1. Follow the instructions for How to view a SAML response in your browser for troubleshooting.
2. Scroll to the logs, and then open the SAML log file.
3. Copy the entire SAML response.
4. Paste the SAML response into a file in the local directory that's named samlresponse.log. Then, run assume-role-with-saml to call the STS token:
Note: This example uses awk. Awk is compatible with Linux based distributions.
aws sts assume-role-with-saml --role-arn arn:aws:iam::ACCOUNTNUMBER:role/IAM_ROLE --principal-arn arn:aws:iam::ACCOUNTNUMBER:saml-provider/SAML_PROVIDER --saml-assertion file://samlresponse.log awk -F: ' BEGIN { RS = "[,{}]" ; print "[PROFILENAME]"} /:/{ gsub(/"/, "", $2) } /AccessKeyId/{ print "aws_access_key_id = " $2 } /SecretAccessKey/{ print "aws_secret_access_key = " $2 } /SessionToken/{ print "aws_session_token = " $2 } ' >> ~/.aws/credentials
This saves the credentials in a profile inside the ~/.aws/credentials file.
5. (Optional) To back up the credentials, run this command:
cp -a ~/.aws/credentials ~/.aws/credentials.bak.
Tip: Make sure that you have a matching profile in ~/.aws/config with the output and Region set, so that you're not repeatedly prompted to enter it.
6. Call the user credentials with the --profile parameter:
aws ec2 describe-instances --profile PROFILENAME
Example assume-role-with-saml output without piping to a file:
{ "SubjectType": "persistent", "AssumedRoleUser": { "AssumedRoleId": "ROLE_ID_NUMBER:example@corp.example.com", "Arn": "arn:aws:sts::ACCOUNTNUMBER:assumed-role/ROLE_ID/example@corp.example.com" }, "Audience": "https://signin.aws.amazon.com/saml", "NameQualifier": "RANDOM_GENERATED_STRING", "Credentials": { "SecretAccessKey": "SECRET_ACCESS_KEY", "SessionToken": "TOKEN_KEY", "Expiration": "2015-05-11T20:00:49Z", "AccessKeyId": "ACCESS_KEY_ID" }, "Subject": "CORP\\\\EXAMPLE", "Issuer": "http://SERVER_NAME.corp.example.com/adfs/services/trust" }
Example assume-role-with-saml output piped to the credentials file:
aws_access_key_id = ACCESS_KEY_ID aws_session_token = SESSION_TOKEN aws_secret_access_key = SECRET_ACCESS_KEY [PROFILENAME]
AssumeRole
Note: Your IAM credentials must trust the IAM role you assume.
1. Run the AWS command get-caller-identity to verify a response:
aws sts get-caller-identity
Note: If you don't receive a response, check whether a valid IAM access or secret key is stored in the .aws/credentials file.
2. Run the assume-role command:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/ExampleRole --role-session-name ExampleSession
You receive a response similar to the following one:
{ "AssumedRoleUser": { "AssumedRoleId": "AROAZRG5BQ2L7OB87N3RE:ExampleSession", "Arn": "arn:aws:sts::123456789012:assumed-role/RoleA/ExampleSession" }, "Credentials": { "SecretAccessKey": "JCNFKY7XCUwHWTKcQhmmFokpjLetCmNLZ7pg9SJe", "SessionToken": "FwoGZXIvYXdzEL7//////////wEaDNoBLBJUNYWKaHXZXCKvARBGJ4CqOs+p2JR2a7Euni0d0XuSs31ZA/1QqpX6Spfuz2WAvHCyqwbE3+oxyvyqYlO8dTJwp56YCFCJ6K4Prt9pMeZU9R5NGBJHvRbXXKfxp+jktLc/ItrAfn4GMXWpoyJKZrY7hzv3MASomlIcwSD/RqWIBS1vAoo1UAxwjy29jai0OAPQ51LAnuFKeabgmllyP5Y2gu488P19D7ikfgQtmBtH5I/Q8+5IEn4qMwYo1bq/8wUyLe1b3+mQwhq+zEz4TSyHD8HBXd9W3KYcB53MIotwiJNS+m0P5ZlZnpcJm3JwtA==", "Expiration": "2020-03-16T21:11:01Z", "AccessKeyId": "ASIAZRG8BQ4K2EBXGR42” } }
3. Export AccessKeyId, SecretAccessKey, and SessionToken into the environmental variables:
export AWS_ACCESS_KEY_ID=ASIAZRG8BQ4K2EBXGR42 export AWS_SECRET_ACCESS_KEY=JCNFKY7XCUwHWTKcQhmmFokpjLetCmNLZ7pg9SJe export AWS_SESSION_TOKEN=FwoGZXIvYXdzEL7//////////wEaDNoBLBJUNYWKaHXZXCKvARBGJ4CqOs+p2JR2a7Euni0d0XuSs31ZA/1QqpX6Spfuz2WAvHCyqwbE3+oxyvyqYlO8dTJwp56YCFCJ6K4Prt9pMeZU9R5NGBJHvRbXXKfxp+jktLc/ItrAfn4GMXWpoyJKZrY7hzv3MASomlIcwSD/RqWIBS1vAoo1UAxwjy29jai0OAPQ51LAnuFKeabgmllyP5Y2gu488P19D7ikfgQtmBtH5I/Q8+5IEn4qMwYo1bq/8wUyLe1b3+mQwhq+zEz4TSyHD8HBXd9W3KYcB53MIotwiJNS+m0P5ZlZnpcJm3JwtA==
4. Verify the Identity:
aws sts get-caller-identity
The output shows the identity credentials from the assume-role call.
AssumeRoleWithWebIdentity
Note: You must have a valid OAuth 2.0 access token, an OpenID Connect token, and an IAM role that trusts the IdP.
1. Run the assume-role command similar to the following one:
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789012:role/FederatedWebIdentityRole --role-session-name ExampleSession --web-identity-token Atza%7CIQEBLjAsAhRFiXuWpUXuRvQ9PZL3GMFcYevydwIUFAHZwXZXXXXXXXXJnrulxKDHwy87oGKPznh0D6bEQZTSCzyoCtL_8S07pLpr0zMbn6w1lfVZKNTBdDansFBmtGnIsIapjI6xKR02Yc_2bQ8LZbUXSGm6Ry6_BG7PrtLZtj_dfCTj92xNGed-CrKqjG7nPBjNIL016GGvuS5gSvPRUxWES3VYfm1wl7WTI7jn-Pcb6M-buCgHhFOzTQxod27L9CqnOLio7N3gZAGpsp6n1-AJBOCJckcyXe2c6uD0srOJeZlKUm2eTDVMf8IehDVI0r1QOnTV6KzzAI3OY87Vd_cVMQ
Example response:
{ "SubjectFromWebIdentityToken": "amzn1.account.AF6RHO7KZU5XRVQJGXK6HB56KR2A" "Audience": "client.5498841531868486423.1548@apps.example.com", "AssumedRoleUser": { "Arn": "arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/ExampleSession", "AssumedRoleId": "AROACLKWSDQRAOEXAMPLE:ExampleSession" } "Credentials": { "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE", "Expiration": "2020-05-19T18:06:10+00:00" }, "Provider": "www.amazon.com"
2. Save AccessKeyId, SecretAccessKey, and SessionToken in the .aws/credentials file:
[ExampleRoleProfile] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY aws_session_token=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE
3. Run the get-caller-identity command:
aws sts get-caller-identity --profile ExampleRoleProfile
The output shows the identity credentials from the assume-role call similar to the following one:
{ "UserId": "AROACLKWSDQRAOEXAMPLE:ExampleSession", "Account": "123456789012", "Arn": "arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/ExampleSession" }
Related information
How do I grant my Active Directory users access to the API or AWS CLI with AD FS?
Configuring federated identity with the AWS Tools for PowerShell
Related videos
Relevant content
- asked a year agolg...
- Accepted Answerasked 2 years agolg...
- asked 2 years agolg...
- Accepted Answerasked 3 years agolg...
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 10 months ago