How to switch role in AWS CLI when logged in as an Identity Center user?

0

I have configured the AWS CLI to use IAM Identity Center for authentication as recommended here https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html. As such I have followed the recommended guide at https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html to set up the CLI. For now, everything is working fine. The problem is I need to use an IAM role to perform some tasks via the CLI and I don't see how.

The IAM role that I have to assume is defined as

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/User1",
                    "arn:aws:iam::123456789012:user/User2"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

As you can see, I have allowed two IAM users to assume this role. But I have no idea how I can let an Identity Center user assume this role. Moreover, how do I tell the CLI to perform actions by assuming a role? I see this documentation https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-role-overview but this again asks for a source profile.

2 answers
0
Accepted answer

Thanks to kentrad's answer, I found a good solution to this.

First run the below while logged into the CLI with the SSO user you want to add

aws sts get-caller-identity --query Arn --output text

This should generate an output like

arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER

Whatever gets generated, just put it into the policy like

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/User1",
                    "arn:aws:iam::123456789012:user/User2",
                    "arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

That should be enough to get the SSO user to be able to assume that role.

Sayak
Answered 1 year ago
Expert
Reviewed 1 month ago
0

You can add your role ARN to the trust policy of the role you want to assume. You can find your ARN using the following CLI commands.

RoleId=$(aws sts get-caller-identity --query UserId --output text | cut -f1 -d':')
aws iam list-roles --query "Roles[?RoleId=='$RoleId'].Arn"

Once the trust policy is updated you can issue the aws sts assume-role command to get the access key id and secret key for the new role.

You can also do something like this:

RoleId=$(aws sts get-caller-identity --query Arn --output text)
aws iam list-roles --query "Roles[?RoleId=='$RoleId'].Arn"
AWS
Expert
kentrad
Answered 1 year ago
  • So, the RoleId that is getting fetched here is the role that was created in IAM for the Permission set created in Identity Center, right? In that case, won't all users in Identity Center having this permission set get added to the trust policy? Is it not possible to only add a user from Identity Center? Would it be possible to use Federated or something?
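
As an added example that is not code from Sayak's or kentrad's answers, the shell script below automates the step both answers describe by hand: it takes the ARN that `aws sts get-caller-identity --query Arn --output text` returns for an Identity Center sign-in, validates that it really is an STS assumed-role ARN, and writes it into a trust policy as a role-session principal (`arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME`). Because Identity Center sets the session name to the user's own username, that principal matches only that user's sessions of the permission-set role, not every user who holds the permission set, which is the concern raised in the comment above. It also emits the `~/.aws/config` stanza that answers the "source profile" half of the question: the SSO profile is the `source_profile`, and the CLI assumes `role_arn` on top of it. The sample ARN, account id, permission-set role name, profile names and target role ARN are constructed placeholders; the script runs offline on them.

```shell
#!/usr/bin/env sh
# Added example, not code from the re:Post thread. Derives a trust-policy
# principal from an Identity Center caller ARN and prints the CLI profile
# that assumes the target role through the SSO profile. Runs offline.
set -eu

# Constructed sample: account id, permission-set role name and user are made up.
# Real use: SAMPLE_CALLER_ARN=$(aws sts get-caller-identity --query Arn --output text)
SAMPLE_CALLER_ARN="arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdminAccess_0123456789abcdef/alice@example.com"

# Split an assumed-role ARN into "account role_name session_name".
# Returns non-zero for anything else (an IAM user ARN, a typo), so a wrong
# identity is never silently turned into a trust-policy principal.
parse_assumed_role_arn() {
  arn=$1
  case $arn in
    arn:aws:sts::*:assumed-role/*/*) ;;
    *) return 1 ;;
  esac
  rest=${arn#arn:aws:sts::}
  account=${rest%%:*}
  rest=${rest#*:assumed-role/}
  role_name=${rest%%/*}
  session_name=${rest#*/}
  [ -n "$account" ] && [ -n "$role_name" ] && [ -n "$session_name" ] || return 1
  printf '%s %s %s\n' "$account" "$role_name" "$session_name"
}

# Role-session principal: only sessions of this role whose session name equals
# this user's Identity Center username match, not every holder of the
# permission set. Rebuilt from the validated parts rather than pasted verbatim.
session_principal_arn() {
  parts=$(parse_assumed_role_arn "$1") || return 1
  set -- $parts
  printf 'arn:aws:sts::%s:assumed-role/%s/%s\n' "$1" "$2" "$3"
}

# Trust policy for the target role with the given principal. Additional
# principals (the existing IAM users, say) can be appended to the "AWS" array.
build_trust_policy() {
  cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "AWS": "$1" },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
}

# ~/.aws/config stanza. Arguments: sso_profile role_arn profile_name.
# The CLI signs in via the SSO profile, then calls sts:AssumeRole on role_arn
# for every command run with --profile <profile_name>.
cli_role_profile() {
  printf '[profile %s]\nrole_arn = %s\nsource_profile = %s\n' "$3" "$2" "$1"
}

principal=$(session_principal_arn "$SAMPLE_CALLER_ARN")
echo "Trust-policy principal for this sign-in: $principal"
build_trust_policy "$principal"
# Placeholder profile names and target role ARN (constructed).
cli_role_profile my-sso-profile "arn:aws:iam::123456789012:role/TargetRole" target-role
```

After applying the printed trust policy to the target role and adding the printed stanza to `~/.aws/config`, commands run with `--profile target-role` execute as the role while the user is still authenticated only through Identity Center, with no long-lived access keys involved.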
