
Assuming roles for temporary access in AWS - Commands & Configuration

Introduction
Sometimes you need to access AWS resources temporarily with different permissions. Assuming a role lets you get temporary access without sharing permanent credentials.
When a developer needs to access a production AWS account from their personal account safely.
When an application running on one AWS account needs to access resources in another account.
When you want to give temporary access to a contractor without creating a permanent user.
When automating tasks that require elevated permissions only for a short time.
When switching between different permission sets in your own AWS environment.
Commands
This command asks AWS to give you temporary credentials by assuming the specified role. The role ARN identifies the role, and the session name is a label for this temporary session.
Terminal
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/example-role --role-session-name example-session
Expected Output
{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "AQoDYXdzEJr...<remainder of security token>",
        "Expiration": "2024-06-01T12:34:56Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROACLKWSDQRAOEXAMPLE:example-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session"
    }
}
--role-arn - Specifies the Amazon Resource Name (ARN) of the role to assume.
--role-session-name - Gives a name to the session for tracking and identification.
Set environment variables with the temporary credentials from the previous command. This lets your AWS CLI or SDK use the assumed role permissions.
Terminal
export AWS_ACCESS_KEY_ID=ASIAEXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoDYXdzEJr...<remainder of security token>
Expected Output
No output (command runs silently)
Run a simple AWS CLI command to list S3 buckets using the temporary credentials. This verifies that you have assumed the role successfully and have access.
Terminal
aws s3 ls
Expected Output
2024-05-01 10:00:00 example-bucket
2024-05-02 11:00:00 another-bucket
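The three steps above, as one script. This is an added example, not part of the original page: it wraps the assume-role call, turns the returned credentials into export statements, and checks with get-caller-identity that the shell really is running as the role before any resource command is issued. The role ARN and session name are the page's sample values; the helper names (valid_session_name, creds_to_exports, assume_role, caller_is_role) and the RUN_LIVE switch are this script's own. The --query, --output text and --duration-seconds options are standard AWS CLI options; AWS_CREDENTIAL_EXPIRATION is not read by the CLI and is kept only so the shell can tell when the session ends.

```shell
#!/bin/sh
# Added example (not from the page): assume a role, load the temporary
# credentials into the current shell, and confirm which identity is active
# before running anything that depends on the role's permissions.
set -eu

# The session name becomes part of the assumed-role ARN in CloudTrail, so
# choose something traceable (ticket id, user, tool). AWS accepts 2-64
# characters from [A-Za-z0-9_+=,.@-]; the CLI rejects anything else.
valid_session_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_+=,.@-]{2,64}$'
}

# Convert the single tab-separated line produced by
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text
# into export statements. Reading stdin keeps the secret out of argv, so it
# never appears in `ps` output or shell history.
creds_to_exports() {
    key= secret= token= expiry=
    read -r key secret token expiry || true
    # A partial set of variables is worse than none: the CLI would silently
    # fall back to the long-lived credentials while you believe the role is
    # active. Emit all or nothing.
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "assume-role output incomplete; not exporting anything" >&2
        return 1
    fi
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
    # Script convention only (not read by the CLI): when the session expires.
    printf "export AWS_CREDENTIAL_EXPIRATION='%s'\n" "$expiry"
}

# Wraps the assume-role call. Usage: eval "$(assume_role ROLE_ARN SESSION [SECONDS])"
# The duration is capped by the role's maximum session duration; ask for the
# shortest window the task needs.
assume_role() {
    role_arn=$1; session=$2; seconds=${3:-3600}
    valid_session_name "$session" || { echo "bad session name: $session" >&2; return 1; }
    aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "$session" \
        --duration-seconds "$seconds" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text | creds_to_exports
}

# Compare the ARN reported by `aws sts get-caller-identity --query Arn --output text`
# with the role we meant to assume: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
caller_is_role() {
    caller_arn=$1; role_name=$2
    case "$caller_arn" in
        arn:aws:sts::*:assumed-role/"$role_name"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live run (needs the AWS CLI and permission to assume the role):
#   RUN_LIVE=1 sh assume.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    eval "$(assume_role arn:aws:iam::123456789012:role/example-role example-session 900)"
    arn=$(aws sts get-caller-identity --query Arn --output text)
    caller_is_role "$arn" example-role || { echo "still running as $arn" >&2; exit 1; }
    echo "assumed example-role until $AWS_CREDENTIAL_EXPIRATION"
    aws s3 ls
fi
```

Because the exports are printed rather than executed, the credentials only take effect when the caller runs `eval` on them in its own shell; a plain `sh assume.sh` would set them in a child process and lose them on exit, which is the same failure mode as forgetting the export step entirely.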
Key Concept

If you remember nothing else from this pattern, remember: assuming a role gives you temporary, limited access without sharing permanent credentials.

Common Mistakes
Not exporting the temporary credentials as environment variables after assuming the role.
Without setting these variables, your AWS CLI or SDK will keep using your original credentials and not the assumed role's permissions.
Copy the AccessKeyId, SecretAccessKey, and SessionToken from the assume-role output and export them as environment variables before running AWS commands.
Using the wrong role ARN or session name in the assume-role command.
AWS will reject the request if the role ARN is incorrect or if you don't have permission to assume that role.
Double-check the role ARN and ensure your user or role has permission to assume it.
Summary
Use 'aws sts assume-role' to get temporary credentials for a role.
Export the returned credentials as environment variables to use them.
Run AWS commands with these temporary credentials to access resources securely.