Loaf

Reputation: 3260

AWS Role being assumed not being used for future CLI Commands

I am trying to assume a role in a docker container but it doesn't seem like the role is sticking. Below is the output of aws sts assume-role followed by aws sts get-caller-identity

jenkins@0d4794bcdd62:~/.aws$ aws sts get-caller-identity
{
    "UserId": "ABCDEFG1234567:i-01234546789abc",
    "Arn": "arn:aws:sts::555555555555:assumed-role/jenkins-masterRole/i-01234546789abc",
    "Account": "555555555555"
}
jenkins@0d4794bcdd62:~/.aws$ aws sts assume-role --role-arn arn:aws:iam::555555555555:role/ec2/CloudFormationRole --role-session-name "test-session-name"
{
    "Credentials": {
        "Expiration": "2019-01-28T16:37:04Z",
        "SessionToken": "[redacted]",
        "AccessKeyId": "[redacted]",
        "SecretAccessKey": "[redacted]"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "[redacted]:test-session-name",
        "Arn": "arn:aws:sts::5555555555555:assumed-role/CloudFormationRole/test-session-name"
    }
}
jenkins@0d4794bcdd62:~/.aws$ aws sts get-caller-identity
{
    "Account": "555555555555",
    "UserId": "ABCDEFG1234567:i-01234546789abc",
    "Arn": "arn:aws:sts::555555555555:assumed-role/jenkins-masterRole/i-01234546789abc"
}

As you can see, the aws sts assume-role call is working, but it doesn't seem like it is being applied. Below are the contents of my ~/.aws/config file

jenkins@0d4794bcdd62:~/.aws$ cat ~/.aws/config
[default]
region = us-east-1

I don't have any AWS CLI environment variables set except for AWS_CONFIG_FILE=~/.aws/config, which originally wasn't set, but I did that while testing.

Upvotes: 2

Views: 5586

Answers (2)

sgreben

Reputation: 31

You can also (ab)use the --query option to generate environment variable assignments for the temporary role credentials, like this:

$ roleSessionName=my-example-session

$ arnOfRoleToAssume=arn:aws:iam::123456789012:role/demo

$ assumeRoleEnv=$(aws sts assume-role \
            --role-session-name="$roleSessionName" \
            --role-arn="$arnOfRoleToAssume" \
            --output text \
            --query='Credentials.[
              join(`=`, [`AWS_ACCESS_KEY_ID`, AccessKeyId]),
              join(`=`, [`AWS_SECRET_ACCESS_KEY`, SecretAccessKey]),
              join(`=`, [`AWS_SESSION_TOKEN`, SessionToken])
          ]')

$ eval "export $assumeRoleEnv"

$ aws sts get-caller-identity # this and further aws calls use the assumed role

One advantage of this is not having to mess with shared config/credentials. For example, that's why I chose this approach in awscli-with-assume-role (Docker image).

Upvotes: 3

Sébastien Stormacq

Reputation: 14905

Calling assume-role is not going to change the configuration of the AWS CLI. AWS CLI is using the credentials stored in ~/.aws/credentials to make the calls. The ones returned by assume-role are not copied automatically to AWS CLI configuration file, they are just displayed on your screen.

So, one naive way to solve your problem would be to copy/paste the access key, secret key and session id to ~/.aws/credentials. Of course, this would not scale, nor be convenient. There is a better way.

You can configure a profile in the CLI to use the role you want, assuming that your base identity has permission to assume the role (which you do, as per your call to assume-role in your question).

This is how I configured my ~/.aws/config file to get temporary access to my personal account, from my work account. Of course the same technique also works within the same account.

[default]
region=eu-west-1

[profile perso]
region=eu-west-1
role_arn=arn:aws:iam::[redacted]:role/admin
source_profile=default

The role ARN is the role you want to assume in the target account.

Then you can simply type:

aws --profile perso s3 ls

to switch role.

Upvotes: 2
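As an added example (not code from either answer or from the AWS CLI), the following Python does offline what the two answers do by hand: it maps an STS `Credentials` block onto the environment variables the CLI reads, as sgreben's `--query` trick does, and validates a `~/.aws/config` that uses `role_arn`/`source_profile` as in Sébastien's profile. The assume-role JSON and the config text are constructed samples with placeholder values.

```python
import configparser
import json
from datetime import datetime, timezone

def sample_assume_role_output(expiration: str) -> str:
    """Constructed `aws sts assume-role`-shaped output with placeholder credentials."""
    return json.dumps({"Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "example-secret",
        "SessionToken": "example-session-token", "Expiration": expiration}})

def credentials_to_env(assume_role_json: str) -> dict:
    """Map the Credentials block onto the environment variables the CLI reads
    (they take precedence over any profile). Expired credentials are rejected
    here rather than surfacing later as a puzzling ExpiredToken error."""
    creds = json.loads(assume_role_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        raise ValueError(f"credentials expired at {creds['Expiration']}")
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}

def export_lines(env: dict) -> str:
    """Render single-quoted `export` lines for `eval` in a shell."""
    return "\n".join(f"export {k}='{v}'" for k, v in env.items())

# Constructed ~/.aws/config text, modelled on the profile in the second answer.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile perso]
role_arn = arn:aws:iam::123456789012:role/admin
source_profile = default
"""

def role_profiles(config_text: str) -> dict:
    """{profile: (role_arn, source_profile)} for profiles that assume a role via the CLI;
    a source_profile that is not defined anywhere in the file is an error."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    names = {s[8:] if s.startswith("profile ") else s: s for s in cp.sections()}
    result = {}
    for name, section in names.items():
        if "role_arn" in cp[section]:
            source = cp[section].get("source_profile")
            if source not in names:
                raise ValueError(f"{name}: source_profile {source!r} is not defined")
            result[name] = (cp[section]["role_arn"], source)
    return result
```

Piping `export_lines(...)` through `eval` gives the same effect as the `--query` approach, while `role_profiles` catches the common misconfiguration where a profile's `source_profile` points at a profile that does not exist.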
