AWS allows you to assume roles in other AWS accounts. It's a nice feature that lets you sign into one account, assume a role in another account, and issue API commands as if you had signed into the second account. You can have all users sign into one central account and then assume roles into other accounts based on their job role. In the AWS GUI this is a few mouse clicks, but here I'll show you how to assume a role using boto3.
import boto3

# Create session using your current creds
boto_sts = boto3.client('sts')

# Request to assume the role like this. The ARN is the Role's ARN from
# the other account you wish to assume, not your current ARN.
stsresponse = boto_sts.assume_role(
    RoleArn="OtherAccountARNGoesHere",
    RoleSessionName='newsession'
)

# Save the details from the assumed role into vars
newsession_id = stsresponse["Credentials"]["AccessKeyId"]
newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
newsession_token = stsresponse["Credentials"]["SessionToken"]

# Use the assumed session vars to create a new boto3 client with the assumed role creds.
# Here I create an s3 client using the assumed creds.
s3_assumed_client = boto3.client(
    's3',
    region_name='us-east-1',
    aws_access_key_id=newsession_id,
    aws_secret_access_key=newsession_key,
    aws_session_token=newsession_token
)

# Here I create an s3 resource with the assumed creds
s3_assumed_resource = boto3.resource(
    's3',
    region_name='us-east-1',
    aws_access_key_id=newsession_id,
    aws_secret_access_key=newsession_key,
    aws_session_token=newsession_token
)

# Now we can use the s3_assumed client/resource for calls using the assumed role,
# as in this example where I list buckets using the assumed creds.
response = s3_assumed_client.list_buckets()

# Or, like this, use the resource to create a bucket object.
mybucket = s3_assumed_resource.Bucket('OtherAccountBucket')
That’s it. Happy coding.
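As an added example (not the original post's code), here is the same assume-role flow wrapped so that the role ARN is validated before the STS call, the target account is checked against the one you expect, the optional ExternalId and DurationSeconds parameters are passed through, and the returned credentials become a single boto3.Session instead of being repeated for every client. The role ARN and account number in the usage block are placeholders, and the helper names (parse_role_arn, build_assume_role_params, assume_role_session) are mine; the validation helpers run without boto3, which is imported only when STS is actually called.

```python
"""Assume a cross-account role with boto3 and hand back a Session.

Added example, not the original post's code. Assumes the caller's default
credentials are allowed to call sts:AssumeRole on the target role.
"""
import re

# IAM role ARN format: arn:PARTITION:iam::ACCOUNT_ID:role/NAME (no region field)
_ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::"
    r"(?P<account>\d{12}):role/(?P<name>[\w+=,.@/-]+)$"
)
# STS restricts RoleSessionName to these characters, 2 to 64 long.
# The name shows up in CloudTrail, so make it identify the caller or job.
_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def parse_role_arn(role_arn):
    """Return (partition, account_id, role_name) or raise ValueError."""
    m = _ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError("not an IAM role ARN: %r" % (role_arn,))
    return m.group("partition"), m.group("account"), m.group("name")


def build_assume_role_params(role_arn, session_name, expected_account=None,
                             external_id=None, duration_seconds=3600):
    """Build the keyword arguments for sts.assume_role, refusing bad input.

    expected_account: 12-digit account the role must live in; guards against
        a mistyped ARN landing you in the wrong account.
    external_id: pass when the role's trust policy requires sts:ExternalId.
    duration_seconds: STS accepts 900..43200, capped by the role's maximum.
    """
    _, account, _ = parse_role_arn(role_arn)
    if expected_account is not None and account != expected_account:
        raise ValueError("role is in account %s, expected %s"
                         % (account, expected_account))
    if not _SESSION_NAME_RE.match(session_name):
        raise ValueError("invalid RoleSessionName: %r" % (session_name,))
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    params = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }
    if external_id is not None:
        params["ExternalId"] = external_id
    return params


def session_from_credentials(creds, region_name="us-east-1"):
    """Turn the Credentials dict returned by assume_role into a boto3.Session."""
    import boto3  # imported here so the pure helpers above work without boto3
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=region_name,
    )


def assume_role_session(role_arn, session_name, **kwargs):
    """Assume the role; return (boto3.Session, credential expiry datetime)."""
    import boto3
    params = build_assume_role_params(role_arn, session_name, **kwargs)
    resp = boto3.client("sts").assume_role(**params)
    creds = resp["Credentials"]
    return session_from_credentials(creds), creds["Expiration"]


if __name__ == "__main__":
    # Placeholder ARN and account number; replace with the target role's ARN.
    session, expires = assume_role_session(
        "arn:aws:iam::111122223333:role/OtherAccountRole",  # placeholder
        "newsession",
        expected_account="111122223333",  # placeholder
    )
    # Confirm which principal the new session is before doing anything else.
    print(session.client("sts").get_caller_identity()["Arn"])
    print("credentials expire at", expires)
    # Same list_buckets call as the post, now via the Session.
    print([b["Name"] for b in session.client("s3").list_buckets()["Buckets"]])
```

Checking get_caller_identity on the new session is cheap and tells you, before any S3 call, that you are acting as the intended role in the intended account; the Expiration value is what you would watch if the script runs longer than the requested DurationSeconds.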
There is a minor typo on line 8:
stsresponse = boto_sts_assume_role
it should be:
stsresponse = boto_sts.assume_role
Thank you for catching that. It has been corrected.