
aws sts assume-role returns credentials in JSON format. Is there an easy way (like putting them in environment variables) so that subsequent calls to aws can use them?

Basically, I want something like sudo -i for AWS.

Note: I am currently doing this on my laptop with the current credentials in environment variables, but it would be nice if the solution also worked on EC2 instances where the original role credentials come from instance metadata.

1 Answer


Instead of calling the sts assume-role command explicitly, you can configure a profile that assumes a specific role, which is then cached in the CLI. This is well documented, but you basically just set it up as an ordinary profile in your ~/.aws/config file, like this:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default

If you enforce MFA when assuming a role (which I strongly recommend that you do), it would look something like this:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/jonsmith

To use the role you set up, you either provide the --profile CLI option or make sure to set the AWS_PROFILE environment variable with the profile name.

You could of course also call the sts assume-role command explicitly, but then you would need to parse out the appropriate values and put them into the following environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

Bazze
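The explicit assume-role route from the last paragraph of the answer, worked through as an added example (not code from the original post): shell functions that parse the `aws sts assume-role` JSON into the three environment variables and load them into the current shell, plus a way to drop back. It assumes the aws CLI is installed with a base identity (env vars, a profile, or EC2 instance metadata), and that the file is sourced rather than executed; the sample JSON is constructed and contains no real credentials.

```shell
#!/bin/sh
# Added example, not from the original answer: a "sudo -i for AWS" built on
# `aws sts assume-role`. Assumes the aws CLI is installed and already has a base
# identity (env vars, a profile, or EC2 instance metadata); the role ARN comes
# from the caller. Source this file (". ./aws-sudo.sh") so the exports land in
# your current shell rather than in a subshell.

# Extract one string field from JSON text: $1 = key, $2 = JSON.
# Good enough for the CLI's flat Credentials object; not a general JSON parser.
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn assume-role JSON ($1) into eval-able export lines on stdout.
# Fails (exit 1) instead of exporting partial credentials if a field is missing.
creds_to_exports() {
  key=$(json_field AccessKeyId "$1")
  secret=$(json_field SecretAccessKey "$1")
  token=$(json_field SessionToken "$1")
  expiry=$(json_field Expiration "$1")
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "creds_to_exports: credential field missing from assume-role output" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  printf "# session credentials expire at %s\n" "$expiry"
}

# aws_sudo <role-arn> [session-name]: assume the role and export its temporary
# credentials into the current shell. For roles that require MFA, add
# --serial-number <mfa-arn> --token-code <code> to the assume-role call.
aws_sudo() {
  out=$(aws sts assume-role --role-arn "$1" \
        --role-session-name "${2:-$(id -un)-$$}" --output json) || return 1
  exports=$(creds_to_exports "$out") || return 1
  eval "$exports"
}

# aws_unsudo: drop back to the base identity (the CLI falls through to it).
aws_unsudo() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Constructed sample in the CLI's output shape (not real credentials), used to
# show what creds_to_exports emits without calling AWS.
SAMPLE_JSON='{"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "SessionToken": "FwoGZXIvYXdzEXAMPLEtoken+with/slashes==", "Expiration": "2024-05-01T12:00:00+00:00"}, "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLEID:demo", "Arn": "arn:aws:sts::123456789012:assumed-role/marketingadmin/demo"}}'
creds_to_exports "$SAMPLE_JSON"
```

Because the functions run in the sourcing shell, `aws_sudo arn:aws:iam::123456789012:role/marketingadmin` leaves the session credentials exported for every later aws call, and on EC2 the base identity the CLI uses for the assume-role call is the instance role from instance metadata.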