Feature request: Assume role with EC2 instance profile as the source profile
Problem
Right now you can execute commands using credentials from one of these sources: root credentials, IAM credentials, temporary credentials from an EC2 instance profile, and temporary credentials from assuming a role via IAM credentials. I would like to execute commands by using temporary credentials from assuming a role via the EC2 instance profile. I need this ability because I'm using two AWS accounts and I'm using an EC2 instance to run AWS CLI commands against both accounts. The EC2 instance profile allows me to perform tasks for one account, but I need to assume a cross-account role to perform tasks for the other account. Unfortunately there is no way to get AWS CLI to assume the cross-account role even though the EC2 instance profile has permissions to assume that role. I tried removing the source_profile property from my role-based profile in hopes that the source_profile would use the instance profile, but that failed. After looking at AssumeRoleProvider in awscli/customizations/assumerole.py, I see that AWS CLI can only assume a role if the source profile has actual credentials in the config file. So currently that excludes any use of an instance profile to assume a different role.
Enable EC2 Instance Profile to Assume Cross-Account Role
The AWS CLI currently requires a source profile with actual credentials to assume a role, which prevents the use of temporary credentials from an EC2 instance profile for cross-account role assumption. This limitation arises because the AssumeRoleProvider in the AWS CLI does not support instance profiles as a source for role assumption.
1. Create a Role in Target Account

In the target AWS account, create an IAM role that grants the necessary permissions for the tasks you want to perform. Ensure that the role has a trust relationship with the EC2 instance profile from the source account.

```bash
# Run in the TARGET account. The trusted principal is the IAM role behind the
# source account's instance profile, not the instance profile itself.
aws iam create-role \
  --role-name CrossAccountRole \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/INSTANCE_PROFILE_ROLE"},
      "Action": "sts:AssumeRole"
    }]
  }'
```

2. Update EC2 Instance Profile Permissions

Update the permissions of the EC2 instance profile in the source account to allow it to assume the newly created role in the target account.

```bash
# Run in the SOURCE account, against the role attached to the instance profile.
aws iam put-role-policy \
  --role-name INSTANCE_PROFILE_ROLE \
  --policy-name AssumeCrossAccountRolePolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::TARGET_ACCOUNT_ID:role/CrossAccountRole"
    }]
  }'
```

3. Assume the Role Using AWS CLI

Use the AWS CLI on the EC2 instance to assume the role in the target account. This command will retrieve temporary credentials for the assumed role.

```bash
# Run on the EC2 instance; the CLI signs this call with the instance profile
# credentials. The response carries a "Credentials" block with AccessKeyId,
# SecretAccessKey, SessionToken and Expiration.
aws sts assume-role \
  --role-arn arn:aws:iam::TARGET_ACCOUNT_ID:role/CrossAccountRole \
  --role-session-name MySession
```

4. Export Temporary Credentials

Export the temporary credentials received from the assume-role command as environment variables to use them for subsequent AWS CLI commands.

```bash
# Substitute the three values from the "Credentials" block of the step 3 output.
# All three are required; environment variables take precedence over the
# instance profile, so the rest of this shell session acts as the assumed role.
export AWS_ACCESS_KEY_ID=ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN=SESSION_TOKEN
```

5. Run AWS CLI Commands

Now that the temporary credentials are set, you can run AWS CLI commands against the target account using the assumed role permissions.

```bash
aws s3 ls
```
Validation
To confirm the fix worked, run an AWS CLI command that requires permissions from the assumed role in the target account. If the command executes successfully without permission errors, the fix is validated.
Submitted by Alex Chen
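The manual assume-role/export sequence in the fix above predates the CLI feature the issue asks for: current AWS CLI releases let a role profile name `credential_source = Ec2InstanceMetadata` in place of `source_profile`, so the CLI fetches the instance profile credentials itself, calls AssumeRole, caches the result and refreshes it before expiry, with no secrets ever written to the shell. The script below is an added example, not code from the issue or from the submitted fix. It generates that config stanza, checks the ARN is really a role ARN before it is written, converts the tab-separated form of the step 3 output into the step 4 exports while refusing incomplete output, and extracts the account id from `aws sts get-caller-identity` so the validation step checks which account answered rather than only that some command succeeded. The profile name `target`, the role ARN, the session name and the two sample STS responses are assumed placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original issue or the submitted fix.
# Assumed values: profile name "target", the placeholder role ARN, and the
# constructed sample STS outputs at the bottom of the file.
set -eu

# Emit a ~/.aws/config stanza for a role profile whose source credentials
# come from the instance metadata service. "credential_source" replaces
# "source_profile"; a profile must set one or the other, not both.
role_profile_stanza() {
    profile=$1; role_arn=$2; session=$3
    printf '[profile %s]\nrole_arn = %s\ncredential_source = Ec2InstanceMetadata\nrole_session_name = %s\n' \
        "$profile" "$role_arn" "$session"
}

# Accept only an IAM role ARN (12-digit account id, "role/" resource) so a
# typo cannot silently point the profile at a user or another resource type.
is_role_arn() {
    case $1 in
        arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert the tab-separated output of
#   aws sts assume-role ... \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# into the three export statements. Anything other than exactly three fields
# is rejected, so a failed call cannot leave the shell half-switched between
# the instance identity and the assumed role.
creds_to_exports() {
    old_ifs=$IFS
    IFS=$(printf '\t')
    set -- $1
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
        "$1" "$2" "$3"
}

# Pull the 12-digit account id out of "aws sts get-caller-identity" JSON.
# get-caller-identity needs no IAM permissions, so it validates the switch
# even when the assumed role has not been granted anything yet.
caller_account() {
    printf '%s\n' "$1" | sed -n 's/.*"Account": *"\([0-9]\{12\}\)".*/\1/p'
}

# Constructed sample data standing in for live STS responses.
SAMPLE_CREDS=$(printf 'ASIAEXAMPLEKEY\tEXAMPLESECRET\tEXAMPLESESSIONTOKEN')
SAMPLE_IDENTITY='{"UserId": "AROAEXAMPLE:MySession", "Account": "222222222222", "Arn": "arn:aws:sts::222222222222:assumed-role/CrossAccountRole/MySession"}'

main() {
    role_arn=arn:aws:iam::222222222222:role/CrossAccountRole
    is_role_arn "$role_arn" || { echo "not a role ARN: $role_arn" >&2; exit 1; }
    # Append this stanza to ~/.aws/config, then: aws s3 ls --profile target
    role_profile_stanza target "$role_arn" MySession
    # Fallback for the manual route: eval "$(creds_to_exports "$(aws sts assume-role ...)")"
    creds_to_exports "$SAMPLE_CREDS"
    # Validation: the account that answers must be the target account.
    echo "validated account: $(caller_account "$SAMPLE_IDENTITY")"
}
main
```

With the stanza in place, `aws sts get-caller-identity --profile target` should return the target account id and an `assumed-role/CrossAccountRole/MySession` ARN; the trust policy and the `sts:AssumeRole` permission from steps 1 and 2 are still required, since the config profile only changes where the CLI gets its source credentials.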