This article will show you how to assume a role and perform aws-cli commands in one account after authenticating via a user in a trusted account (Identity Account pattern).

This article is the third and final in a series of instructional posts regarding the aws-vault tool. If you haven’t already, please see the first, which describes how to manage AWS credentials securely, and the second, which describes configuring and assuming a role in a single AWS account.

Step-by-step guide

  1. The goal of this example is to execute a command in a functional, production account using the trusted credentials of a non-functional, identity account.
  2. Begin by adding each account and its appropriate credentials to aws-vault. Instructions for this step can be found in the how-to on managing credentials for an AWS account, beginning at Step 5.
  3. Listing your aws-vault profiles should reveal that each profile has its own credentials.
    $ aws-vault list
    Profile              Credentials             Sessions
    =======              ===========             ========
    production           production
    identity             identity
  4. Execute the following two commands using the names of your own profiles to verify that each account is currently independent:
    $ aws-vault exec production -- aws s3 ls
    Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
    <production account s3 buckets>
    
    $ aws-vault exec identity -- aws s3 ls
    Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
    <identity account s3 buckets>
  5. Edit your ~/.aws/config file so that the production profile uses the identity profile's credentials to assume its role in the production account.
    • Add source_profile=identity under [profile production]. Note that aws-vault only performs the role assumption when the profile also has a role_arn for the role in the production account; without one, the production profile simply runs with the identity credentials.
      [profile production]
      source_profile=identity
      
      [profile identity]
  6. The aws-vault list command will reveal that the production profile is now using the identity credentials.
    $ aws-vault list
    Profile              Credentials             Sessions
    =======              ===========             ========
    production           identity
    identity             identity
  7. Finally, rerun the same commands from Step 4 to verify that the output is the same. The significant difference is that the production profile now reaches the production account by assuming its role with the credentials of the trusted identity account.
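To check a config like the one above before trusting what aws-vault reports, here is an added example (not part of the original article or of aws-vault itself) that parses a constructed ~/.aws/config, follows source_profile links to reproduce the Credentials column of aws-vault list, detects source_profile cycles, and flags a profile that names a source but has no role_arn, the case where no role is actually assumed. The account id and role name are placeholders.

```python
import configparser

# Constructed ~/.aws/config reflecting step 5; account id and role are placeholders.
SAMPLE_CONFIG = """
[profile identity]
region = us-east-1

[profile production]
source_profile = identity
role_arn = arn:aws:iam::111111111111:role/ProductionAdmin
"""

def load_profiles(text):
    """Parse aws config text into {profile_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles

def credential_source(profiles, name, seen=()):
    """Follow source_profile links to the profile whose stored credentials are
    actually used; this is what the Credentials column of `aws-vault list` shows."""
    if name in seen:
        raise ValueError("source_profile cycle: " + " -> ".join(seen + (name,)))
    if name not in profiles:
        raise KeyError(f"profile {name!r} is not defined")
    src = profiles[name].get("source_profile")
    if src is None:
        return name
    return credential_source(profiles, src, seen + (name,))

def check_profiles(profiles):
    """Warn about profiles that point at a source but carry no role_arn: aws-vault
    then runs with the source credentials directly instead of assuming a role."""
    warnings = []
    for name, opts in profiles.items():
        if "source_profile" in opts and "role_arn" not in opts:
            warnings.append(f"{name}: source_profile={opts['source_profile']} but no role_arn")
    return warnings

def render_list(profiles):
    """Mimic the Profile/Credentials columns of `aws-vault list`."""
    rows = ["Profile              Credentials", "=======              ==========="]
    for name in profiles:
        rows.append(f"{name:<20} {credential_source(profiles, name)}")
    return "\n".join(rows)
```

Run check_profiles on your real config after step 5: an empty list means every profile that sources another one will actually assume a role.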