How to switch role in AWS CLI when logged in as an Identity Center user?


I have configured the AWS CLI to use IAM Identity Center for authentication as recommended here https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html. As such I have followed the recommended guide at https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html to set up the CLI. For now, everything is working fine. The problem is I need to use an IAM role to perform some tasks via the CLI and I don't see how.

The IAM role that I have to assume is defined as

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/User1",
                    "arn:aws:iam::123456789012:user/User2"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

As you can see, I have allowed IAM users the ability to assume this role. But I have no idea how I can let an Identity Center user assume this role. Moreover, how do I tell the CLI to perform actions by assuming a role? I see this documentation https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-role-overview but this again asks for a source profile.
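The "asks for a source profile" part has a direct answer in CLI configuration: a role profile's source_profile can be the Identity Center (SSO) profile that already works, and the CLI then logs in via SSO and calls sts:AssumeRole for you. The script below is an added example, not code from the question or the linked docs; it generates the two config sections and installs them into a scratch file. The profile names (sso-base, target-role, my-sso), the start URL, the account id and the role ARN are constructed placeholders. The role's trust policy must still admit the SSO session, which is what the answers address.

```shell
#!/bin/sh
# Added example, not from the question or the linked AWS docs. Generates the
# ~/.aws/config sections that chain an IAM role onto an Identity Center login:
# the SSO profile is the source_profile of the role profile. All names, the
# start URL, the account id and the role ARN are constructed placeholders.

# sso_profile_stanza NAME SESSION ACCOUNT_ID PERMISSION_SET REGION
# -> the [sso-session] block plus a profile that uses it (the part the question already has working)
sso_profile_stanza() {
    printf '[sso-session %s]\nsso_start_url = https://d-0123456789.awsapps.com/start\nsso_region = %s\nsso_registration_scopes = sso:account:access\n\n' "$2" "$5"
    printf '[profile %s]\nsso_session = %s\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\n' "$1" "$2" "$3" "$4" "$5"
}

# role_profile_stanza NAME SSO_PROFILE ROLE_ARN REGION
# -> a profile the CLI resolves by signing in as SSO_PROFILE and then calling sts:AssumeRole
role_profile_stanza() {
    printf '[profile %s]\nrole_arn = %s\nsource_profile = %s\nregion = %s\n' "$1" "$3" "$2" "$4"
}

# install_stanza FILE NAME STANZA -> append STANZA unless FILE already has [profile NAME]
install_stanza() {
    if grep -q "^\[profile $2\]" "$1" 2>/dev/null; then
        echo "profile $2 already present in $1, leaving it alone" >&2
        return 0
    fi
    printf '\n%s\n' "$3" >> "$1"
}

# Demonstration against a scratch file so a real ~/.aws/config is never touched.
# Point CONFIG at "$HOME/.aws/config" (or set AWS_CONFIG_FILE) to install for real.
CONFIG=$(mktemp)
install_stanza "$CONFIG" sso-base \
    "$(sso_profile_stanza sso-base my-sso 123456789012 PowerUserAccess us-east-1)"
install_stanza "$CONFIG" target-role \
    "$(role_profile_stanza target-role sso-base arn:aws:iam::123456789012:role/MyRole us-east-1)"
cat "$CONFIG"
rm -f "$CONFIG"

# With the sections in the real config:
#   aws sso login --profile sso-base
#   aws --profile target-role sts get-caller-identity
# The second call returns an Arn of the form arn:aws:sts::123456789012:assumed-role/MyRole/...,
# confirming the CLI assumed the role; every command run with --profile target-role
# then carries that role's temporary credentials, with no long-lived keys involved.
```

The install step is idempotent, so re-running it after the trust policy changes does not duplicate profile sections.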

2 Answers
Accepted Answer

Thanks to kentrad's answer, I found a good solution to this.

First run the below while logged into the CLI with the SSO user you want to add

aws sts get-caller-identity --query Arn --output text

This should generate an output like

arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER

Whatever gets generated, just put it into the policy like

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/User1",
                    "arn:aws:iam::123456789012:user/User2",
                    "arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

That should be enough to get the SSO user to be able to assume that role.

Sayak
answered a year ago
EXPERT reviewed a month ago

You can add your role ARN to the trust policy of the role you want to assume. You can find your ARN using the following CLI commands.

RoleId=$(aws sts get-caller-identity --query UserId --output text | cut -f1 -d':')
aws iam list-roles --query Roles[?RoleId==\`$RoleId\`].Arn

Once the trust policy is updated you can issue the aws sts assume-role command to get the access key id and secret key for the new role.

You can also do something like this:

RoleId=$(aws sts get-caller-identity --query Arn --output text)
aws iam list-roles --query Roles[?RoleId==\`$RoleId\`].Arn
kentrad, AWS EXPERT
answered a year ago
  • So, the RoleId that is getting fetched here is the role that was created in IAM for the Permission set created in Identity Center, right? In that case, won't all users in Identity Center having this permission set get added to the trust policy? Is it not possible to only add a user from Identity Center? Would it be possible to use Federated or something?
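Both answers come down to the same two steps: find the ARN of the Identity Center session, put it in the trust policy, then call sts:AssumeRole. The script below is an added example, not code from either answer; it parses the caller ARN into account, role and session name, emits the trust policy, and wraps the assume-role and credential-export step. SAMPLE_CALLER_ARN, the role and user names in it, and MyRole are constructed. It also answers the comment above: a session ARN (assumed-role/ROLE_NAME/SESSION_NAME) admits only sessions with that name, which for Identity Center is the one user, while the role ARN that kentrad's RoleId lookup returns admits every user who holds that permission set.

```shell
#!/bin/sh
# Added example, not code from either answer. Derives the trust-policy
# principal from the caller ARN the accepted answer says to look up, emits
# the trust policy, and shows the assume-role step kentrad describes.
# SAMPLE_CALLER_ARN and the names inside it are constructed.

# Constructed: what `aws sts get-caller-identity --query Arn --output text` returns
# for Identity Center user "alice" signed in through permission set "Admin".
# Real output has the form arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME.
SAMPLE_CALLER_ARN='arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_Admin_0123456789abcdef/alice'

account_of()        { printf '%s\n' "$1" | cut -d: -f5; }
session_role_name() { printf '%s\n' "$1" | cut -d: -f6 | cut -d/ -f2; }
session_name()      { printf '%s\n' "$1" | cut -d: -f6 | cut -d/ -f3; }

# trust_policy_json PRINCIPAL_ARN... -> a trust policy letting exactly those principals call sts:AssumeRole.
# A session ARN (assumed-role/ROLE/SESSION) matches one session name, i.e. one Identity Center user;
# the permission-set role ARN returned by kentrad's lookup matches every user who holds that permission set.
trust_policy_json() {
    sep=''
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":['
    for p in "$@"; do
        printf '%s"%s"' "$sep" "$p"
        sep=','
    done
    printf ']},"Action":"sts:AssumeRole"}]}\n'
}

# sso_role_arn -> the IAM role behind the current SSO session (kentrad's RoleId lookup; needs iam:ListRoles)
sso_role_arn() {
    role_id=$(aws sts get-caller-identity --query UserId --output text | cut -d: -f1)
    aws iam list-roles --query "Roles[?RoleId=='$role_id'].Arn" --output text
}

# assume_and_export ROLE_ARN SESSION_NAME -> prints export lines for the temporary
# credentials; use as: eval "$(assume_and_export arn:aws:iam::123456789012:role/MyRole alice)"
assume_and_export() {
    aws sts assume-role --role-arn "$1" --role-session-name "$2" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text |
    {
        read -r key secret token
        printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
        printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
        printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
    }
}

# Offline walk-through on the constructed ARN (no AWS calls):
echo "account: $(account_of "$SAMPLE_CALLER_ARN")"
echo "role:    $(session_role_name "$SAMPLE_CALLER_ARN")"
echo "session: $(session_name "$SAMPLE_CALLER_ARN")"
trust_policy_json "arn:aws:iam::123456789012:user/User1" "$SAMPLE_CALLER_ARN"

# Against a real account (constructed role name MyRole). update-assume-role-policy
# replaces the whole trust policy, so list every principal that should keep access:
#   aws iam update-assume-role-policy --role-name MyRole --policy-document \
#       "$(trust_policy_json arn:aws:iam::123456789012:user/User1 "$(aws sts get-caller-identity --query Arn --output text)")"
#   eval "$(assume_and_export arn:aws:iam::123456789012:role/MyRole alice)"
#   aws sts get-caller-identity     # Arn now reads ...:assumed-role/MyRole/alice
```

The exported credentials are temporary and expire with the session, so the check with get-caller-identity is the quickest way to confirm which identity a terminal is currently acting as before running anything sensitive.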
