8

I have account A, from which I assumed the role for account B. Now, since my work is done, I want to assume a role for account C. But since only account A can assume a role for account C, and B can't, I am unable to do so.

Is there any way I can invalidate/switch users for an assumed role? The minimum timeout is 15 minutes, which would be too long a wait for a user.

Edit: I am trying to achieve this via the AWS CLI.

Running the command below:

    aws sts assume-role --role-arn **** --role-session-name jenkins --external-id ****
SHR
ANKIT SHARMA
  • Is this question about the web interface, command-line tools, the API, or some kind of library? – IMSoP Jan 07 '21 at 12:34
  • It's for the CLI (running via Jenkins); I appended the original question with this info. – ANKIT SHARMA Jan 07 '21 at 12:40
  • OK. Could you [edit] in a sample of the commands you're currently running? Remember that all the details that are obvious to you are completely invisible to anyone else unless you share them. – IMSoP Jan 07 '21 at 12:43

2 Answers

7

As I understand it, you use assume-role and get a set of credentials like the ones below:

    {
        "AssumedRoleUser": {
            "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
            "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
        },
        "Credentials": {
            "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
            "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
            "Expiration": "2016-03-15T00:05:07Z",
            "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
        }
    }

You either export those credentials or use them directly while running the command.

  1. When you use them directly, you are only using the credentials for that specific command; in the next command you are back to Account A.

  2. When you export them, you can simply call the unset command on the exported variables and you'll be back to Account A; then you call assume-role again and export the credentials for account C.

samtoddler
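The export/unset flow from this answer, written out as a shell script so it can be sourced into a Jenkins shell step. This is an added example, not code from the answer or from AWS: the role ARNs, external IDs and credential values in the usage notes are placeholders, and assume_role_env is the only function that calls the real aws CLI. The --query/--output text flags it uses are standard AWS CLI options that reduce the JSON shown above to one tab-separated line.

```shell
#!/usr/bin/env sh
# Added example: switch between assumed roles inside one shell session by exporting the
# STS credentials and then unsetting them. Not from the original answer; role ARNs,
# external IDs and the credential values in the usage notes are placeholders.

# Environment variables the AWS CLI and SDKs read credentials from. AWS_SECURITY_TOKEN is
# the legacy name for the session token, so it is cleared as well.
AWS_CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN"

# Export one set of temporary credentials into the current shell.
# Arguments: ACCESS_KEY_ID SECRET_ACCESS_KEY SESSION_TOKEN
use_sts_creds() {
    [ "$#" -eq 3 ] || {
        echo "usage: use_sts_creds ACCESS_KEY_ID SECRET_ACCESS_KEY SESSION_TOKEN" >&2
        return 1
    }
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
    unset AWS_SECURITY_TOKEN
}

# Remove every exported credential variable. After this the CLI falls back to whatever
# was configured for account A (a profile in ~/.aws/credentials, an instance role, ...).
drop_sts_creds() {
    for v in $AWS_CRED_VARS; do
        unset "$v"
    done
}

# Report where the next CLI call would take its identity from.
current_identity_source() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "env:${AWS_ACCESS_KEY_ID}"
    else
        echo "profile:${AWS_PROFILE:-default}"
    fi
}

# Assume ROLE_ARN (with an optional external ID) and export the result into the current
# shell. This is the only function that calls the real aws CLI, so run it in a shell that
# already holds account A's credentials. --query/--output text give one tab-separated
# line, which the shell splits into the three arguments use_sts_creds expects.
assume_role_env() {
    role_arn=$1
    session_name=$2
    external_id=${3:-}
    set -- --role-arn "$role_arn" --role-session-name "$session_name"
    if [ -n "$external_id" ]; then
        set -- "$@" --external-id "$external_id"
    fi
    creds=$(aws sts assume-role "$@" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    # shellcheck disable=SC2086  # splitting on the tabs is intended
    use_sts_creds $creds
}

# Run a single command as a role without touching the parent shell's environment: the
# exports happen inside the ( ... ) subshell and vanish when it exits.
run_as_role() {
    role_arn=$1
    session_name=$2
    external_id=$3
    shift 3
    ( assume_role_env "$role_arn" "$session_name" "$external_id" && "$@" )
}

# Usage in a Jenkins shell step (all in one shell, so the exports persist between lines):
#   assume_role_env "$ROLE_B_ARN" jenkins "$EXTERNAL_ID_B"   # now acting as the role in B
#   aws s3 ls                                                 # runs as B
#   drop_sts_creds                                            # back to account A
#   assume_role_env "$ROLE_C_ARN" jenkins "$EXTERNAL_ID_C"   # A assumes C; B could not
# or, scoped per command:
#   run_as_role "$ROLE_B_ARN" jenkins "$EXTERNAL_ID_B" aws s3 ls
#   run_as_role "$ROLE_C_ARN" jenkins "$EXTERNAL_ID_C" aws s3 ls
echo "credential source now: $(current_identity_source)"
```

The point to check in a pipeline is the order: drop_sts_creds must run before the second assume-role, otherwise that call is made with B's exported session and fails exactly as the question describes. Running `aws sts get-caller-identity` between the steps is a cheap way to confirm which principal the shell is currently acting as.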
-1

You don't need to "drop" the assumed role if you're using the CLI.

You should use named profiles and execute commands in different accounts by specifying the profile name explicitly with the --profile CLI switch, or alternatively by changing the AWS_PROFILE environment variable between commands.

Oleksii Donoha
  • Unfortunately setting AWS_PROFILE to, say, default profile still tries to execute commands on behalf of the previously assumed role. – Viji Jul 29 '22 at 12:08
  • @Viji, you probably didn't clear out all the AWS_* environment variables from your environment. You could try wrapping the commands that set the environment variables with '(' and ')'. Outside the parentheses, anything set in the environment disappears, and you are back to your default profile. – jkeatley Oct 04 '22 at 21:10
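The named-profile approach from this answer, together with a check for the leftover-credentials problem raised in the comments, as an added example that is not part of the original answer. The account IDs, role names, external IDs and profile names are placeholders; the config keys (role_arn, source_profile, external_id, role_session_name) are the standard AWS CLI profile settings.

```shell
#!/usr/bin/env sh
# Added example: the named-profile approach from this answer, plus a check for the
# leftover-credentials problem raised in the comments. Not from the original answer;
# the account IDs, role names, external IDs and profile names are placeholders.

# Write a config file in which each cross-account profile tells the CLI to assume the
# role itself, starting from account A's own credentials (source_profile). Because both
# role profiles chain from account A, working in B never has to lead to C: the CLI
# re-assumes from A for every command. external_id matches the --external-id flag in
# the question.
write_role_profiles() {
    cfg=$1
    cat > "$cfg" <<'EOF'
[profile account-a]
region = us-east-1

[profile account-b]
role_arn = arn:aws:iam::111111111111:role/JenkinsRole
source_profile = account-a
external_id = EXTERNAL-ID-B
role_session_name = jenkins

[profile account-c]
role_arn = arn:aws:iam::222222222222:role/JenkinsRole
source_profile = account-a
external_id = EXTERNAL-ID-C
role_session_name = jenkins
EOF
}

# Static credential variables in the environment are used ahead of a profile named in
# AWS_PROFILE, which is why a previously exported session keeps acting as the assumed
# role. Print the names of any that are set so a pipeline can fail fast or clean up.
leaked_cred_vars() {
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            echo "$v"
        fi
    done
}

# Run a command under the given profile in a clean credential environment. env -u
# removes the variables for the child process only, so the calling shell is unchanged;
# this has the same effect as the ( ... ) subshell suggested in the comments, without
# needing to know what the surrounding Jenkins environment exported.
aws_with_profile() {
    profile=$1
    shift
    env -u AWS_ACCESS_KEY_ID -u AWS_SECRET_ACCESS_KEY \
        -u AWS_SESSION_TOKEN -u AWS_SECURITY_TOKEN \
        AWS_PROFILE="$profile" "$@"
}

# Usage (the profiles above live in ~/.aws/config, or in a file named by AWS_CONFIG_FILE;
# account A's long-lived keys go in ~/.aws/credentials under [account-a]):
#   aws_with_profile account-b aws s3 ls
#   aws_with_profile account-c aws s3 ls
#   aws --profile account-c sts get-caller-identity   # confirm which role is in use
```

Before relying on AWS_PROFILE in a Jenkins job, run leaked_cred_vars once at the top of the step; an empty result means the profile will actually be honoured. env -u is not in POSIX sh but is supported by GNU, BSD and busybox env.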