Huh

Reputation: 3

How does boto3 find the assume role provider?

The main question I want to ask is how does boto3 find the IAM role.

I'm using an AWS EC2 instance to test the Docker container. I assigned the IAM role to the EC2 instance and didn't assign any AWS access configuration to the Docker images. But when I run the Docker images, I can use the AWS resources assigned to the IAM role.

This is how boto3 finds credentials, according to the boto3 documentation:

  1. Passing credentials as parameters in the boto3.client() method
  2. Passing credentials as parameters when creating a Session object
  3. Environment variables
  4. Shared credential file (~/.aws/credentials)
  5. AWS config file (~/.aws/config)
  6. Assume Role provider
  7. Boto2 config file (/etc/boto.cfg and ~/.boto)
  8. Instance metadata service on an Amazon EC2 instance that has an IAM role configured.

I guess #8 is how boto3 finds the credentials. But I want to know clearly how this works.

Upvotes: 0

Views: 1016

Answers (1)

Marcin

Reputation: 238051

As you correctly pointed out, it is through instance metadata.

The metadata has a known format. Thus, if boto3 can't find credentials in steps 1 to 7, it will check the metadata.

The checking process is rather simple. You can do it yourself from within an instance or your own program.

For example, to manually get the credentials using curl you can do the following:

curl http://169.254.169.254/latest/meta-data/iam/info

which will output (example):

{
  "Code" : "Success",
  "LastUpdated" : "2020-06-19T05:08:31Z",
  "InstanceProfileArn" : "arn:aws:iam::xxxxxxx:instance-profile/EC2managementRole",
  "InstanceProfileId" : "AIPAI2GXQHM47WJLA2OTI"
}

Notice that it contains the ARN of the instance profile.

You can also use

curl http://169.254.169.254/latest/meta-data/iam/security-credentials

which gives the role name associated with your instance profile:

EC2managementRole

Then, to get the actual AccessKeyId, SecretAccessKey and Token, which you can use in a boto3 session to gain access to AWS services, you can do:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2managementRole

which gives:

{
  "Code" : "Success",
  "LastUpdated" : "2020-06-19T05:08:04Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIASZHPM3xxxxxxxxxxxxxxx",
  "SecretAccessKey" : "ri7u3mK+ZMvork0xxxxxxxxxxxxxx",
  "Token" : "<redacted>",
  "Expiration" : "2020-06-19T11:43:31Z"
}

or a shortcut that gives the same result as above:

curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

The important thing here is that the metadata service will refresh the credentials. So when you fetch the credentials from the metadata, you always get valid ones.

Upvotes: 3
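The three curl calls in the answer above are exactly what boto3's last-resort provider does. The following script, an added example that is not boto3's or botocore's own code, replays that flow in plain Python so the mechanism is visible: obtain an IMDSv2 session token with a PUT, GET the role name, GET the role's temporary key set, and decide from its "Expiration" when to re-fetch. Everything outside the three documented IMDS paths is an assumption made for this example: the IMDSv2 token step (the answer's curls use IMDSv1, which works only while the instance still allows it), the injectable `request` transport, the five-minute refresh margin, and the constructed `FakeIMDS` stand-in and its fake key values, which exist so the code runs offline.

```python
"""Replay boto3 credential provider #8 (EC2 instance metadata) with the stdlib.

Added example, not botocore code. Assumptions not from the original post:
  * IMDSv2: a session token is fetched with PUT and sent on every GET.
  * The HTTP transport is injectable so the flow can run offline (FakeIMDS).
  * Credentials are "stale" once fewer than REFRESH_MARGIN seconds remain.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
REFRESH_MARGIN = timedelta(minutes=5)  # arbitrary margin chosen for this example


class IMDSError(RuntimeError):
    """Raised when the metadata service refuses or garbles a request."""


def http_request(method, path, headers=None, timeout=2):
    """Default transport: a real call to IMDS (reachable only from an EC2 instance)."""
    req = urllib.request.Request(IMDS_BASE + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as exc:
        raise IMDSError(f"{method} {path} -> HTTP {exc.code}") from exc


def get_imds_token(request=http_request, ttl_seconds=21600):
    """IMDSv2 step 1: PUT /latest/api/token with a TTL header yields a session token."""
    return request("PUT", TOKEN_PATH,
                   {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)}).strip()


def get_role_name(token, request=http_request):
    """Step 2: GET .../iam/security-credentials lists the role name(s); take the first."""
    return request("GET", ROLE_PATH, {TOKEN_HEADER: token}).strip().splitlines()[0]


def get_role_credentials(token, role_name, request=http_request):
    """Step 3: GET .../iam/security-credentials/<role> returns the temporary key set."""
    doc = json.loads(request("GET", ROLE_PATH + role_name, {TOKEN_HEADER: token}))
    if doc.get("Code") != "Success":
        raise IMDSError(f"IMDS returned Code={doc.get('Code')!r} for role {role_name}")
    expiry = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {"role_name": role_name, "access_key": doc["AccessKeyId"],
            "secret_key": doc["SecretAccessKey"], "token": doc["Token"],
            "expiry_time": expiry.replace(tzinfo=timezone.utc)}


def seconds_until_expiry(creds, now=None):
    """Remaining lifetime of a fetched key set in seconds (negative once expired)."""
    return (creds["expiry_time"] - (now or datetime.now(timezone.utc))).total_seconds()


def needs_refresh(creds, now=None):
    """True when the keys are expired or inside the refresh margin. IMDS rotates
    them server-side; the client's only job is to re-fetch before they lapse."""
    return seconds_until_expiry(creds, now) <= REFRESH_MARGIN.total_seconds()


def fetch_instance_credentials(request=http_request):
    """The whole provider-#8 flow: token -> role name -> credentials."""
    token = get_imds_token(request)
    return get_role_credentials(token, get_role_name(token, request), request)


class FakeIMDS:
    """Constructed stand-in for the metadata service so the flow runs offline.
    Enforces the IMDSv2 rule: a GET without a valid session token is refused."""

    def __init__(self, role="EC2managementRole", expires_in_seconds=6 * 3600):
        self.role, self.expires_in, self.tokens = role, expires_in_seconds, set()

    def request(self, method, path, headers=None, timeout=2):
        headers = headers or {}
        if method == "PUT" and path == TOKEN_PATH:
            token = f"fake-token-{len(self.tokens) + 1}"
            self.tokens.add(token)
            return token
        if method != "GET" or headers.get(TOKEN_HEADER) not in self.tokens:
            raise IMDSError(f"{method} {path} -> HTTP 401")
        if path == ROLE_PATH:
            return self.role + "\n"
        if path == ROLE_PATH + self.role:  # constructed, obviously fake key material
            expiry = datetime.now(timezone.utc) + timedelta(seconds=self.expires_in)
            return json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                               "AccessKeyId": "ASIAFAKEEXAMPLEKEY00",
                               "SecretAccessKey": "fakeSecretKeyForThisExampleOnly",
                               "Token": "fakeSessionToken",
                               "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")})
        raise IMDSError(f"GET {path} -> HTTP 404")


if __name__ == "__main__":
    # Offline demo against the fake; drop the argument to query a real instance.
    creds = fetch_instance_credentials(FakeIMDS().request)
    print(creds["role_name"], creds["access_key"], "refresh:", needs_refresh(creds))
```

The returned dict maps directly onto `boto3.Session(aws_access_key_id=..., aws_secret_access_key=..., aws_session_token=...)`; boto3 itself wraps the same fetch in a refreshing credential object so callers never see the rotation. Two caveats matter for the Docker setup in the question. First, a container reaches 169.254.169.254 through the host's network stack, which is why it inherits the instance role with no configuration at all; if that is not wanted, set `AWS_EC2_METADATA_DISABLED=true` in the container (boto3 then skips provider #8) or restrict the instance to IMDSv2, since the PUT step above fails from a bridge-networked container unless the instance's IMDS hop limit is raised from its default of 1. Second, the unauthenticated GETs in the answer only work while IMDSv1 is still enabled on the instance.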
