How do I assume a role

Question

I am using the CLI to try and I want to retrieve a value from secrets manager. My IAM user doesn't have access to retrieve secrets but it does have access to assume a role (deploy_role) that does have access.  I'm unsure of how to set up the credentials profile to auth into that IAM user as well as assume the role.  My credentials file looks like this:

[default]
aws_access_key_id=[my iam user's access key]
aws_secret_access_key=[my iam user's secret access key]
region=us-east-1

Is there a way to set up credentials to auth as that IAM user as well as assume the role (deploy_role)? Or, do I need to somehow do it after it is authed with a separate command.  I would like to not have a second command because when I get into the .Net SDK, I don't want to check in code that lists the specific role info.

Thank you!
Cindy

kentrad · Answer

Something like this:

```
aws sts assume-role \
   --role-arn  \
   --role-session-name  \
   --duration-seconds 3600 \
   --output text \
   --query Credentials.[SessionToken,SecretAccessKey,AccessKeyId,Expiration]"

export AWS_SESSION_TOKEN=$(echo $credentials | cut -f1 -d' ')
export AWS_SECRET_ACCESS_KEY=$(echo $credentials | cut -f2 -d' ')
export AWS_ACCESS_KEY_ID=$(echo $credentials | cut -f3 -d' ')
export AWS_SESSION_EXPIRATION=$(echo $credentials | cut -f4 -d' ')
```
If you are on an EC2 instance you can assign a role to the instance. See: [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)

How do I assume a role

Relevant content