This article shows how to assume a role in one AWS account and run aws-cli commands there after authenticating as an IAM user in a separate, trusted account (the Identity Account pattern).

This article is the third and final in a series of instructional posts regarding the aws-vault tool. If you haven’t already, please see the first, which describes how to manage AWS credentials securely, and the second, which describes configuring and assuming a role in a single AWS account.

Step-by-step guide

  1. The goal of this example is to execute a command in a functional, production account using credentials that live only in a non-functional, identity account which the production account trusts.
  2. Begin by adding each account and its credentials to aws-vault. Instructions for this step can be found in how-to manage credentials for an AWS account, beginning at Step 5.
  3. Listing your aws-vault profiles should show that each profile has its own credentials:
    $ aws-vault list
    Profile              Credentials             Sessions
    =======              ===========             ========
    production           production
    identity             identity
  4. Execute the following two commands using the names of your own profiles to verify that each account is currently independent:
    $ aws-vault exec production -- aws s3 ls
    Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
    <production account s3 buckets>
    
    $ aws-vault exec identity -- aws s3 ls
    Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
    <identity account s3 buckets>
  5. Edit your ~/.aws/config file so that the production profile stops using its own stored credentials and instead uses the identity profile’s credentials to assume a role in the production account.
    • Add source_profile=identity under [profile production]
    • Add a role_arn entry specifying the ARN of the role to assume. The example below assumes the ‘appeng’ role in account ‘123456789’ (a placeholder; real AWS account IDs are 12 digits):
      [profile production]
      source_profile=identity
      role_arn=arn:aws:iam::123456789:role/appeng
      
      [profile identity]
  6. The aws-vault list command now shows the production profile using the identity credentials:
    $ aws-vault list
    Profile              Credentials             Sessions
    =======              ===========             ========
    production           identity
    identity             identity
  7. Finally, rerun the same two commands from Step 4. The buckets listed should be identical, but the production profile now reaches them by assuming the role through the trusted identity account: aws-vault calls STS with the identity user’s credentials, receives temporary credentials for the role, and hands those to aws s3 ls. For this to succeed, the role’s trust policy in the production account must name the identity account’s user (or account) as a principal, the identity user must be allowed to call sts:AssumeRole on that role ARN, and the role itself must be permitted to list buckets. If either side is missing, the command fails with an AccessDenied error from the AssumeRole call instead of listing buckets. Once the hop works, the production credentials stored in aws-vault are no longer used and can be removed with aws-vault remove production, leaving the identity user as the only long-lived credential on the machine.
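The following script is an added example, not code from the article or from the aws-vault project. It checks offline that a ~/.aws/config file chains profiles the way Step 5 describes (the same resolution the Credentials column of aws-vault list performs), and it prints the two IAM policy documents the cross-account hop depends on. The profile names, the role name appeng, the account IDs 123456789012 and 111111111111, the user alice and the sample config files are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from the aws-vault project.
# Offline check of the ~/.aws/config profile chain set up in Step 5, plus the
# two IAM policy documents the cross-account hop depends on. Profile names,
# role "appeng", account IDs 123456789012 / 111111111111 and user "alice"
# are hypothetical placeholders; substitute your own.

# Print the value of KEY inside the [profile NAME] section of an AWS config
# file (nothing if absent). Usage: config_get FILE PROFILE KEY
config_get() {
  awk -v want="[profile $2]" -v key="$3" '
    /^\[/ { insec = ($0 == want); next }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Account ID field of an IAM ARN (arn:aws:iam::ACCOUNT:role/NAME).
arn_account() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Follow source_profile links to the profile whose stored credentials are
# really used; this is what the Credentials column of `aws-vault list`
# reports. Stops after 10 hops so a mis-edited cycle cannot loop forever.
resolve_credentials() {
  p="$2"; hops=0
  while [ "$hops" -lt 10 ]; do
    src=$(config_get "$1" "$p" source_profile)
    [ -z "$src" ] || [ "$src" = "$p" ] && break
    p="$src"; hops=$((hops + 1))
  done
  printf '%s\n' "$p"
}

# Trust policy for role appeng in the production account: only the named
# user in the identity account may assume it. Apply with
#   aws iam create-role --role-name appeng --assume-role-policy-document file://trust.json
trust_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Principal": { "AWS": "arn:aws:iam::111111111111:user/alice" },
                   "Action": "sts:AssumeRole" } ] }
EOF
}

# Identity-side permission the user also needs for a cross-account hop;
# with only the trust policy in place, STS rejects the AssumeRole call.
assume_role_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Action": "sts:AssumeRole",
                   "Resource": "arn:aws:iam::123456789012:role/appeng" } ] }
EOF
}

# True when PROFILE in FILE borrows SOURCE's credentials and its role_arn
# points at ACCOUNT. Usage: check_hop FILE PROFILE SOURCE ACCOUNT
check_hop() {
  [ "$(resolve_credentials "$1" "$2")" = "$3" ] &&
  [ "$(arn_account "$(config_get "$1" "$2" role_arn)")" = "$4" ]
}

# Constructed sample configs (not real accounts): the state before Step 5,
# each profile on its own keychain-stored credentials, and the state after.
DEMO_DIR="${TMPDIR:-/tmp}/aws-vault-hop-demo.$$"
mkdir -p "$DEMO_DIR"
trap 'rm -rf "$DEMO_DIR"' EXIT
BEFORE_CONFIG="$DEMO_DIR/config.before"
AFTER_CONFIG="$DEMO_DIR/config.after"
printf '[profile production]\nregion = eu-west-1\n\n[profile identity]\nregion = eu-west-1\n' >"$BEFORE_CONFIG"
cat >"$AFTER_CONFIG" <<'EOF'
[profile production]
region = eu-west-1
source_profile = identity
role_arn = arn:aws:iam::123456789012:role/appeng

[profile identity]
region = eu-west-1
EOF

for f in "$BEFORE_CONFIG" "$AFTER_CONFIG"; do
  printf '%s: production runs on the credentials of %s\n' \
    "${f##*/}" "$(resolve_credentials "$f" production)"
done
check_hop "$AFTER_CONFIG" production identity 123456789012 && echo "hop configured"
# Live confirmation once real credentials are in aws-vault:
#   aws-vault exec production -- aws sts get-caller-identity
# must report Account 123456789012 and an ...:assumed-role/appeng/... ARN.
```

The two policy documents are the pieces the article takes for granted: the trust policy lives on the role in the production account and names the principal allowed in, while the assume-role policy is attached to the user in the identity account. Both are required for a cross-account hop; a missing one on either side produces the AccessDenied error described above, not a partial result.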