Never put AWS temporary credentials in the credentials file (or env vars)—there’s a better way

Before you ask: no, stuffing temporary credentials into environment variables is not better.
$ export AWS_ACCESS_KEY_ID=<benk key id>
$ export AWS_SECRET_ACCESS_KEY=<benk secret key>
$ aws sts get-caller-identity
{
"UserId": "AIDA...",
"Account": "111122223333",
"Arn": "arn:aws:iam::111122223333:user/benk"
}
$ export AWS_ACCESS_KEY_ID=<benk key id>
$ export AWS_SECRET_ACCESS_KEY=<benk secret key>
$ aws sts assume-role --role-arn arn:aws:iam::777788889999:role/MyRole --role-session-name ben
{
"Credentials": {
"AccessKeyId": "<MyRole key id>",
"SecretAccessKey": "<MyRole secret key>",
"SessionToken": "<MyRole:ben session token>",
"Expiration": "2021-10-06T20:12:56Z"
},
...
}
$ export AWS_ACCESS_KEY_ID=<MyRole key id>
$ export AWS_SECRET_ACCESS_KEY=<MyRole secret key>
$ export AWS_SESSION_TOKEN=<MyRole:ben session token>
$ aws sts get-caller-identity
{
"UserId": "AROA...:ben",
"Account": "777788889999",
"Arn": "arn:aws:sts::777788889999:assumed-role/MyRole/ben"
}
$ export AWS_ACCESS_KEY_ID=<MyRole key id>
$ export AWS_SECRET_ACCESS_KEY=<MyRole secret key>
$ export AWS_SESSION_TOKEN=<MyRole:ben session token>
$ sleep 3700; aws sts get-caller-identity
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
[benk]
aws_access_key_id = <benk key id>
aws_secret_access_key = <benk secret key>
[profile benk]
region = us-east-1
$ aws sts get-caller-identity --profile benk
{
"UserId": "AIDA...",
"Account": "111122223333",
"Arn": "arn:aws:iam::111122223333:user/benk"
}
import argparse, boto3parser = argparse.ArgumentParser()
parser.add_argument('--profile')
# add other arguments
args = parser.parse_args()
session = boto3.Session(profile_name=args.profile)# use session
# e.g., session.client('sts').get_caller_identity()
$ export AWS_PROFILE=benk
$ aws sts get-caller-identity
{
"UserId": "AIDA...",
"Account": "111122223333",
"Arn": "arn:aws:iam::111122223333:user/benk"
}
$ export AWS_PROFILE=""
$ aws sts get-caller-identity --profile benk
The config profile () could not be found
$ export -n AWS_PROFILE
$ aws sts get-caller-identity --profile benk
{
"UserId": "AIDA...",
"Account": "111122223333",
"Arn": "arn:aws:iam::111122223333:user/benk"
}
[profile benk]
region = us-east-1
[profile MyRole]
role_arn = arn:aws:iam::777788889999:role/MyRole
source_profile = benk
region = us-east-1
$ aws sts get-caller-identity --profile benk
{
"UserId": "AIDA...",
"Account": "111122223333",
"Arn": "arn:aws:iam::111122223333:user/benk"
}
$ aws sts get-caller-identity --profile MyRole
{
"UserId": "AROA...:botocore-session-1633547576",
"Account": "777788889999",
"Arn": "arn:aws:sts::777788889999:assumed-role/MyRole/botocore-session-1633547576"
}
import time, boto3session = boto3.Session(profile_name='MyRole')
sts = session.client('sts')
# AssumeRole is called for the first time when the credentials are needed, which is here:
arn = sts.get_caller_identity()['Arn']
assert arn.split('/')[1] == 'MyRole'
# if we make another call to the same or any other AWS API, AssumeRole *will not* be called, because the credentials are still valid
session.client('s3').list_buckets()
# if we wait beyond the session duration, which has a default of 3600 seconds (1 hour), AssumeRole *will* get called again automatically because the credentials have expired
time.sleep(3700)
sts.get_caller_identity()
[profile my-sso-profile]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1 # the region AWS SSO is configured in
sso_account_id = 123456789012
sso_role_name = MyRoleName
region = us-east-2 # the region to use for AWS API calls
{
"Version": 1,
"AccessKeyId": "...",
"SecretAccessKey": "...",
"SessionToken": "...",
"Expiration": "<ISO8601 timestamp when the credentials expire>"
}
[profile my-saml-role]
credential_process = saml2aws login --role arn:aws:... --credential-process
region = us-east-1

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store