Equivalent to "switch role" in AWS Console in AWS CLI

Question

On the AWS console, I can switch between different roles (see screenshot).

I am using a Docker Image where I am running Linux. I have also a credentials file with temporary AWS credentials. I can start the docker container setting the AWS_PROFILE to one of the roles in my credentials file. Then, I would like to "switch" the role to a different one defined in IAM.

How can I do this? Is this possible?

Thanks!

`assume-role` : https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/ — luk2302, Mar 09 '23 at 19:04
Does this answer your question? [AWS sts assume role in one command](https://stackoverflow.com/questions/63241009/aws-sts-assume-role-in-one-command) — fedonev, Mar 09 '23 at 19:17
In this solution, I need to create a user, what I am not allowed inside my organization... — Pablo Cosio, Mar 09 '23 at 19:24

Ben Whaley · Answer 1 · 2023-03-09T19:47:11.400

You can assume the role. Using the CLI it would look like:

aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session

The output of the command contains an access key, secret key, and session token that you can use to authenticate to AWS:

{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
        "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
    },
    "Credentials": {
        "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
        "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
        "Expiration": "2016-03-15T00:05:07Z",
        "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
    }
}

Now you can set your environment variables to those outputs and you'll be using the new role.

In Python it would look something like this:

import boto3
session = boto3.Session(profile_name="learnaws-test")

sts = session.client("sts")
response = sts.assume_role(
    RoleArn="arn:aws:iam::xxx:role/s3-readonly-access",
    RoleSessionName="learnaws-test-session"
)

new_session = boto3.Session(aws_access_key_id=response['Credentials']['AccessKeyId'],
                      aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                      aws_session_token=response['Credentials']['SessionToken'])
s3 = new_session.client("s3")
s3.list_buckets()

I have already tried your first approach, however when I am trying to get the current role (aws sts get-caller-identity) after running the command aws sts assume-role ..., I am still getting the initial role. Because of some kind of reason, it is not assuming the new role. In the AWS Console, I have no problems to switch to the role. — Pablo Cosio, Mar 09 '23 at 19:24
@PabloCosio the `assume-role` call returns new credentials, you need to use / set those credentials in your shell for them to have any effect. — luk2302, Mar 09 '23 at 19:47

score 2 · Answer 2 · answered Mar 09 '23 at 20:53

You can store an IAM Role as a profile in the AWS CLI and it will automatically assume the role for you.

Here is an example from Using an IAM role in the AWS CLI - AWS Command Line Interface:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1

This is saying:

If a user specifies --profile marketingadmin
Then use the credentials of profile user1
To call AssumeRole on the specified role

This means you can simply call a command like this and it will assume the role and use the returned credentials automatically:

aws s3 ls --profile marketingadmin

See also: AWS sts assume role in one command

Equivalent to "switch role" in AWS Console in AWS CLI

2 Answers2