AWS allows you to assume roles in other AWS accounts. Its a nice feature that allows you to log into 1 account, assume a role in another account, and issue API commands as if you had signed into the 2nd account. You can have all users sign into 1 central account, then assume roles into other accounts based on a job role. Using the AWS gui, this is a few mouse clicks, but here I’ll show you how to assume a role using BOTO3.
import boto3
# Create session using your current creds
boto_sts=boto3.client('sts')
# Request to assume the role like this, the ARN is the Role's ARN from
# the other account you wish to assume. Not your current ARN.
stsresponse = boto_sts.assume_role(
RoleArn="OtherAccountARNGoesHere",
RoleSessionName='newsession'
)
# Save the details from assumed role into vars
newsession_id = stsresponse["Credentials"]["AccessKeyId"]
newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
newsession_token = stsresponse["Credentials"]["SessionToken"]
# Use the assumed session vars to create a new boto3 client with the assumed role creds
# Here I create an s3 client using the assumed creds.
s3_assumed_client = boto3.client(
's3',
region_name='us-east-1',
aws_access_key_id=newsession_id,
aws_secret_access_key=newsession_key,
aws_session_token=newsession_token
)
# Here I create an s3 resource with the assumed creds
s3_assumed_resource = boto3.resource(
's3',
region_name='us-east-1',
aws_access_key_id=newsession_id,
aws_secret_access_key=newsession_key,
aws_session_token=newsession_token
)
# Now we can use s3_assumed session for calls using the assumed role.
# As in this example where I list buckets using the assumed creds
response = s3_assumed_client.list_buckets()
# Or like this use of the resource to create a bucket object.
mybucket = s3_assumed_resource.Bucket('OtherAccountBucket')
That’s it. Happy coding.
There is a minor typo on line 8:
stsresponse = boto_sts_assume_role
it should be:
stsresponse = boto_sts.assume_role
Thank you for catching that. It has been corrected.
Hi,
I am new to aws and python. Apologise for if this sound basic question.
Can you please elaborate on how to Save the details from assumed role into vars. I used above code, entered assume role arns, region and bucket name. When i run the code i am getting Access denied message.
I feel i am missing on providing some key information but unable to figure it out. Can you please help me.
Thanks,
Meg
Depends on the error and what is throwing it. Your Access Denied could be related to trying to assume the role. Maybe your creds don’t allow you to assume a role. Make sure that you can do this in the GUI to eliminate any AWS config errors first.