Assuming an IAM role using the AWS CLI

If you follow AWS IAM best practices and use a role to do work in another AWS account, you have probably used the AWS CLI's assume-role functionality.

While setting up my AWS CLI to work on an external AWS account I encountered an issue with the external role ARN.

When configuring the AWS CLI to assume a role, you can't use the account alias in the role ARN: the ARN has to carry the 12-digit account ID.

Initially my ~/.aws/config looked like this:

[profile other-account]
output = json
region = eu-central-1
role_arn = arn:aws:iam::MyOtherAccount:role/RoleToAssume
source_profile = sinax-michaelanckaert
mfa_serial = arn:aws:iam::123456789012:mfa/MichaelAnckaert

I assumed this would work, but I kept getting AccessDenied errors despite having the correct policies applied.

As it turns out, an account alias is only usable in the console sign-in URL; it doesn't work in an ARN, so the role_arn in the CLI config needs the 12-digit account number:

role_arn = arn:aws:iam::234567890123:role/RoleToAssume

This didn’t strike me as obvious but well, lesson learned!

On the bright side: now I no longer have to ask for an access key and secret key from the other AWS account, and we can do things the right way 😉
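The check below is an added example and not code from the original post. It catches the exact mistake described above before the role_arn goes into ~/.aws/config: an account alias (or anything else that is not 12 digits) in the account field of an IAM role ARN is rejected with a hint, and a small helper builds the ARN from a verified account ID. The profile and ARN values are the ones from the post, reused as sample input; lookup_account_id wraps the real "aws sts get-caller-identity" subcommand and is the only part that needs network access and credentials.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a role_arn for
# ~/.aws/config. IAM ARNs take the 12-digit account ID, never the account
# alias (the alias is only valid in the console sign-in URL).

# Print the account field of an ARN (the fifth colon-separated field).
arn_account() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Return 0 for a well-formed IAM role ARN with a numeric account ID, 1 otherwise.
# When the account field is not all digits (typically an alias), say so on stderr.
validate_role_arn() {
  arn=$1
  if printf '%s\n' "$arn" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'; then
    return 0
  fi
  acct=$(arn_account "$arn")
  case "$acct" in
    ""|*[!0-9]*)
      echo "role_arn: account field '$acct' is not a 12-digit account ID; use the ID, not the account alias" >&2 ;;
    *)
      echo "role_arn: '$arn' is not an IAM role ARN (expected arn:aws:iam::<account-id>:role/<name>)" >&2 ;;
  esac
  return 1
}

# Build a role ARN from an account ID and a role name, refusing anything that
# is not a 12-digit ID.
build_role_arn() {
  if printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$'; then
    printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
  else
    echo "build_role_arn: '$1' is not a 12-digit account ID" >&2
    return 1
  fi
}

# Resolve the account ID behind a CLI profile with the real AWS CLI. Needs
# credentials and network access, so it is not exercised in the offline checks.
# (If you only know the alias, "aws iam list-account-aliases" run with
# credentials from that account confirms it belongs to the ID you found.)
lookup_account_id() {
  aws sts get-caller-identity --profile "$1" --query Account --output text
}

# Usage, with the two role_arn values from the post (constructed sample input):
validate_role_arn "arn:aws:iam::MyOtherAccount:role/RoleToAssume" || echo "fix the account field first"
validate_role_arn "arn:aws:iam::234567890123:role/RoleToAssume" && echo "role_arn OK"
build_role_arn 234567890123 RoleToAssume
```

Once the corrected role_arn is in place, "aws sts get-caller-identity --profile other-account" is the quickest confirmation: the Arn it returns should show the assumed-role session in account 234567890123 rather than your source identity, and it will prompt for the MFA token because the profile sets mfa_serial.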
