Bootstrap FreeKB - Amazon Web Services (AWS) - Assume Role or Switch Role using the AWS CLI
Amazon Web Services (AWS) - Assume Role or Switch Role using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Let's say you have a user that has not been granted permission to do something, such as using the aws s3api list-buckets command to return the list of S3 Buckets that have been created. In that case, Access Denied is returned.

~]$ aws s3api list-buckets --profile johndoe
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

 

The aws iam list-attached-user-policies command can be used to list the Permission Policies attached to a user. Check out my article Permission Policy vs Trust Policy. Perhaps john.doe does not have any Permission Policies attached yet.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": []
}

 

Or does not have a Permission Policy attached that allows S3:ListBuckets.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": [
        {
            "PolicyName": "ElasticLoadBalancingFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess"
        },
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    ]
}

 

One option would be to use the aws iam attach-user-policy command to attach a policy to john.doe.

aws iam attach-user-policy --user-name john.doe --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

 

Or, perhaps it makes sense to use the aws iam create-role command to create a role. Here, my.json is the Trust Policy, which specifies who is allowed to assume the role.

aws iam create-role --role-name my-role --assume-role-policy-document file://my.json

 

And then use the aws iam attach-role-policy command to attach a Permission Policy to the role.

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name my-role

 

And then update your ~/.aws/config file with a profile that contains the Amazon Resource Name (ARN) of my-role. This assumes that profile "staging" exists in ~/.aws/credentials.

[profile assume_my_role]
role_arn = arn:aws:iam::123456789012:role/my-role
source_profile = staging
region = us-east-1
output = json

 

Now, john.doe should be able to use the aws s3api list-buckets command with --profile assume_my_role instead of --profile johndoe so that john.doe switches to my-role, which has the ReadOnlyAccess policy.

~]$ aws s3api list-buckets --profile assume_my_role
{
    "Buckets": [
        {
            "Name": "my-bucket-abcdefg",
            "CreationDate": "2023-06-02T02:22:19+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "jane.doe",
        "ID": "ab0e0123456789103a77c82240d5c1234567891cc325c65b5c77712345643743"
    }
}
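The article leaves the contents of my.json (the Trust Policy passed to aws iam create-role) unspecified. As an added example, not code from the article, the Python below builds that document so that only the john.doe user may assume the role, and flags trust policies whose principal is "*" or a whole account (root); the account id and user name are constructed placeholders.

```python
import json

# Constructed placeholder values, not taken from the article.
ACCOUNT_ID = "123456789012"
USER_NAME = "john.doe"


def trust_policy(account_id: str, user_name: str) -> dict:
    """Trust policy that lets exactly one IAM user in the account assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    """IAM allows a string or a list for Action and Principal.AWS; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(doc: dict) -> list:
    """List over-broad principals in a trust policy: '*' or a whole account (root)."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws:
            if p == "*":
                findings.append("principal '*': any AWS principal may assume this role")
            elif p.endswith(":root") or p.isdigit():
                findings.append(f"principal {p}: every identity in that account may assume this role")
    return findings


if __name__ == "__main__":
    # Redirect this output to my.json for `aws iam create-role ... file://my.json`.
    doc = trust_policy(ACCOUNT_ID, USER_NAME)
    print(json.dumps(doc, indent=4))
    print("findings:", trust_policy_findings(doc) or "none")
```

Because the trust policy names the user ARN explicitly, it alone decides who can switch to my-role; a principal of "*" or an account root would widen that to every identity the matching account (or any account) holds.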
