
Configuring the AWS CLI to assume a role
At this point, the AWS CLI is running in the context of your user account and you need to configure the CLI to assume the admin role to be able to do anything useful.
When you run the aws configure command, the AWS CLI creates two important files in a folder called .aws within your home directory:
> ls -l ~/.aws
total 16
-rw------- 1 jmenga staff 29 23 Jun 19:31 config
-rw------- 1 jmenga staff 116 23 Jun 19:31 credentials
The credentials file holds your AWS credentials in one or more named profiles:
> cat ~/.aws/credentials
[default]
aws_access_key_id = AKIAJXNI5XLCSBRQAZCA
aws_secret_access_key = d52AhBOlXl56Lgt/MYc9V0Ag6nb81nMF+VIMg0Lr
In the preceding code, notice that the aws configure command created a profile called default and stored the access key ID and secret access key values in this file. As a best practice, particularly if you are working with multiple AWS accounts, I recommend avoiding the use of the default profile, as the AWS CLI will use this profile by default if you enter an AWS CLI command without specifying a profile. You will soon learn how to work with multiple AWS accounts by using named profiles, and if you have a default profile, it is very easy to accidentally forget to specify the profile you want to work with and perform an unexpected operation in the account referenced by your default profile. I prefer to name each profile based upon the name of the account you are working with—for example, here, I have renamed the default profile in the credentials file to docker-in-aws, given I named my AWS account docker-in-aws:
[docker-in-aws]
aws_access_key_id = AKIAJXNI5XLCSBRQAZCA
aws_secret_access_key = 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
The other file that is created by the AWS CLI is the ~/.aws/config file, which is demonstrated as follows:
[default]
region = us-east-1
This file includes named configuration profiles, and because you specified a default region when you ran the aws configure command, a region variable has been added to the default profile. Configuration profiles support a number of variables that allow you to perform more advanced tasks, such as automatically assuming a role, so this is where we need to configure the CLI to assume the admin role we created earlier in this chapter. Given that we renamed the default profile in the credentials file to docker-in-aws, the following code renames the default configuration profile to match and adds support for assuming the admin role:
[profile docker-in-aws]
source_profile = docker-in-aws
role_arn = arn:aws:iam::385605022855:role/admin
role_session_name = justin.menga
mfa_serial = arn:aws:iam::385605022855:mfa/justin.menga
region = us-east-1
Notice that we add the profile keyword in front of the profile name, which is required when configuring named configuration profiles. We also configure a number of variables in the profile:
- source_profile: This is the credential profile that should be used to obtain credentials. We specify docker-in-aws, given that we renamed the profile in the credentials file earlier to docker-in-aws.
- role_arn: This is the ARN of the IAM role to assume. Here, you specify the ARN of the admin role you created in the previous screenshot.
- role_session_name: This is the name of the temporary session that is created when you assume the configured role. As a best practice, you should specify your IAM username, as this helps with auditing any actions that you perform using the role. When you use an assumed role to perform an action in AWS, your identity is actually arn:aws:sts::<account-id>:assumed-role/<role-name>/<role-session-name>, so setting a username as the role session name ensures the user that performed the operation can be easily determined.
- mfa_serial: This is the ARN of the MFA device that should be used to assume the role. Given your IAM user belongs to the Users group, MFA is required for all actions, including any API calls made via the AWS CLI or SDK. By configuring this variable, the AWS CLI will automatically prompt you for an MFA code before attempting to assume the configured role. You can obtain the ARN of your MFA device in the Security credentials tab of your IAM user account (see the Assigned MFA device field); however, it will always follow the naming convention arn:aws:iam::<account-id>:mfa/<user-id>.
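As an added example (not code from the book), the following script audits a pair of config and credentials files for the points made above: it flags a lingering default profile, checks that a role profile carries source_profile, role_session_name and mfa_serial, verifies that source_profile matches a section in the credentials file, and derives the arn:aws:sts::...:assumed-role/... identity that CloudTrail will record. The sample file contents are constructed from the chapter's example; the key values are placeholders, and the [default] section is left in config deliberately so the audit has something to report.

```python
import configparser

# Constructed sample ~/.aws/config and ~/.aws/credentials modelled on the chapter; the [default] section is kept so the audit reports it.
SAMPLE_CONFIG = """
[default]
region = us-east-1
[profile docker-in-aws]
source_profile = docker-in-aws
role_arn = arn:aws:iam::385605022855:role/admin
role_session_name = justin.menga
mfa_serial = arn:aws:iam::385605022855:mfa/justin.menga
region = us-east-1
"""
SAMPLE_CREDENTIALS = """
[docker-in-aws]
aws_access_key_id = AKIA_PLACEHOLDER
aws_secret_access_key = SECRET_PLACEHOLDER
"""

def _parse(text):
    # INI-style; "=" is the only delimiter because ARN values contain ':'
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return parser

def expected_assumed_role_arn(role_arn, session_name):
    """STS identity that CloudTrail records for calls made through a role profile."""
    prefix, sep, role_name = role_arn.partition(":role/")
    if not sep or not prefix.startswith("arn:aws:iam::"):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    account_id = prefix.split(":")[4]  # arn:aws:iam::<account-id>
    return f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}"

def audit_cli_config(config_text, credentials_text):
    config, creds = _parse(config_text), _parse(credentials_text)
    findings = []
    for label, parser in (("credentials", creds), ("config", config)):
        if "default" in parser:  # used whenever --profile is omitted
            findings.append(f"{label}: [default] profile present")
    for section in config.sections():
        # only named profiles that assume a role are checked
        if not (section.startswith("profile ") and "role_arn" in config[section]):
            continue
        name, profile = section[len("profile "):], config[section]
        for key in ("source_profile", "role_session_name", "mfa_serial"):
            if key not in profile:
                findings.append(f"{name}: role profile lacks {key}")
        source = profile.get("source_profile")
        if source and source not in creds:
            findings.append(f"{name}: source_profile '{source}' not in credentials")
    return findings
```

To audit a real workstation, pass the contents of ~/.aws/config and ~/.aws/credentials to audit_cli_config; an empty result means the layout matches the profile shown above.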