I tried to use the role as:

```
~/.aws/credentials
[default]
role_arn=arn:aws:iam::xxxxxxx:role/yyyy
```
but I get the error:

```
Partial credentials found in assume-role, missing: source_profile or credential_source
```

so it seems an IAM role cannot replace

```
[default]
aws_access_key_id = AAAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = BBBBBBBBBBBBBBBBBBBBBBBBBBB
```
since, as per http://boto3.readthedocs.io/en/latest/guide/configuration.html,

```
# In ~/.aws/credentials:
[development]
aws_access_key_id=foo
aws_secret_access_key=bar

# In ~/.aws/config
[profile crossaccount]
role_arn=arn:aws:iam:...
source_profile=development
```

I would still have to use keys, which could be a security risk, even though they are not being used in the code.
Is there a way to use boto3 with admin privileges without using aws API credentials?
so basically:

```
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

test boto3 script:

```python
#!/usr/bin/env python
import boto3

ec2_client = boto3.client('ec2')


def main():
    vpcs = ec2_client.describe_vpcs()
    for vpc_info in vpcs['Vpcs']:
        print(vpc_info['VpcId'])


if __name__ == "__main__":
    main()
```
I came across an Application on github which addresses this issue:
https://github.com/AdRoll/hologram
Upvotes: 5
Views: 15062
If you have a role attached to the EC2 instance you can use:

```
~/.aws/config
[default]
credential_source=Ec2InstanceMetadata
```
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

> credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile. Valid values are:
>
> - `Environment` to pull source credentials from environment variables.
> - `Ec2InstanceMetadata` to use the EC2 instance role as source credentials.
> - `EcsContainer` to use the ECS container credentials as the source credentials.
Upvotes: 15
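The error in the question and the fix in this answer both come down to the same rule: a profile with `role_arn` must name exactly one way to obtain its initial credentials, either `source_profile` or a `credential_source` from the three documented values. The following added example (not from the question, the answer, or the AWS SDKs) checks an AWS config file against that rule offline, so a profile that silently falls back to static `aws_secret_access_key` material, or that would trigger the "Partial credentials found in assume-role" error, can be caught before deployment. The profile texts are constructed samples and the role ARNs are placeholders; the checker only parses config, it never calls AWS.

```python
import configparser

# The credential_source values documented for the AWS CLI / SDK config.
VALID_CREDENTIAL_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}

# Constructed sample: the question's broken profile (role_arn with no source).
BROKEN_CONFIG = """
[default]
role_arn=arn:aws:iam::111122223333:role/PlaceholderRole
"""

# Constructed sample: the answer's fix, using the instance role as the source.
FIXED_CONFIG = """
[default]
role_arn=arn:aws:iam::111122223333:role/PlaceholderRole
credential_source=Ec2InstanceMetadata
"""

# Constructed sample: the docs pattern that still relies on a static key pair.
STATIC_KEY_CONFIG = """
[development]
aws_access_key_id=foo
aws_secret_access_key=bar

[profile crossaccount]
role_arn=arn:aws:iam::111122223333:role/PlaceholderRole
source_profile=development
"""


def check_assume_role_profiles(config_text: str) -> dict:
    """Return {profile: [problems]} for every profile that defines role_arn.

    An empty problem list means the profile is consistent with the AWS rules:
    exactly one of source_profile / credential_source, a known credential_source,
    and (as a hardening check) no static secret key behind source_profile.
    """
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    results = {}
    for section in parser.sections():
        opts = parser[section]
        if "role_arn" not in opts:
            continue
        problems = []
        has_source = "source_profile" in opts
        has_cred = "credential_source" in opts
        if not has_source and not has_cred:
            # This is exactly the condition behind the error in the question.
            problems.append("missing: source_profile or credential_source")
        if has_source and has_cred:
            problems.append("source_profile and credential_source are mutually exclusive")
        if has_cred and opts["credential_source"] not in VALID_CREDENTIAL_SOURCES:
            problems.append(f"unknown credential_source {opts['credential_source']!r}")
        if has_source:
            src = opts["source_profile"]
            # A source profile may be written as [name] (credentials file)
            # or [profile name] (config file); accept either form.
            src_section = src if src in parser else f"profile {src}"
            if src_section not in parser:
                problems.append(f"source_profile {src!r} is not defined")
            elif "aws_secret_access_key" in parser[src_section]:
                # Not an AWS error, but the risk the question is asking about:
                # a long-lived secret on disk that the role chain depends on.
                problems.append(f"source_profile {src!r} holds a static secret key")
        results[section] = problems
    return results


def uses_only_instance_role(config_text: str) -> bool:
    """True when every assume-role profile is clean and backed by Ec2InstanceMetadata."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    report = check_assume_role_profiles(config_text)
    return bool(report) and all(
        not problems and parser[name].get("credential_source") == "Ec2InstanceMetadata"
        for name, problems in report.items()
    )


if __name__ == "__main__":
    for label, text in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                        ("static-key", STATIC_KEY_CONFIG)]:
        print(label, check_assume_role_profiles(text))
```

Running it on the three samples reports the question's profile as missing a source, the answer's profile as clean, and the docs-style profile as consistent but backed by a static secret key, which is the distinction the asker cared about.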