
I am trying to centrally manage the Lambda function for the custom Config rule that is running in the child account. The Lambda function will assume a role that is passed to the Config rule as a parameter.

I am following How to Centrally Manage AWS Config Rules across Multiple AWS Accounts | AWS DevOps Blog.

It mentions doing this:

// Assume the role passed from the managed-account
aws.config.credentials = new aws.TemporaryCredentials({RoleArn: ruleParameters.executionRole});
let config = new aws.ConfigService({});

How do I do this in Python?

John Rotenstein
RMish
  • https://docs.aws.amazon.com/code-samples/latest/catalog/python-sts-assume_role.py.html – error404 Jun 28 '19 at 15:31
  • thank you but this is not what I am looking for.. I am looking for sts and config together. how to assume a role which is passed in a config rule as a parameter. – RMish Jun 28 '19 at 15:45
  • I suspect it will be like assuming the role here: [Assume IAM role and then generate pre-signed URL in Python](https://stackoverflow.com/a/56766798/174777) – John Rotenstein Jun 28 '19 at 23:11
  • @JohnRotenstein Yeah I tried that earlier and it worked. Thank you! – RMish Jul 08 '19 at 20:24

1 Answer


I went through the blog that you have shared and according to the blog, when you create the config rule in the managed account, you have to pass the executionRole as a parameter.

  • In case you don't know what the executionRole is, it is the role that is created in step 3 in the managed account and that can be assumed by role/lambda_config_role in the admin account.
  • role/lambda_config_role is the role that you assign to the lambda function in the parent account.

As per the blog:

  1. Create a role A in the admin account.
  2. Create a role B in the managed account.
  3. Add role A as a trusted entity to role B.
  4. Pass Role B as a parameter to the Lambda function while creating the config rule. (this can be done as explained in step 5 of the blog.)
  5. Use the role parameter in your Python code in the admin account. Since you have allowed role A to assume role B, role A has the necessary permissions to create temporary credentials and use them.
John Rotenstein
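As an added Python example (not code from the blog or from the answer above), this is the boto3 counterpart of the JavaScript snippet in the question: the handler reads role B's ARN from the rule's `executionRole` parameter, assumes it with STS, and builds the Config client from the temporary credentials. It assumes the parameter is named `executionRole` as in the blog and that the function runs in a Lambda where boto3 is available; the helper names and the session name are my own.

```python
import json


def get_execution_role(event):
    """Return the IAM role ARN passed to the rule as the executionRole parameter.

    Config hands the rule's input parameters to Lambda as a JSON string in
    event["ruleParameters"]; the parameter name matches the blog's setup.
    """
    params = json.loads(event.get("ruleParameters") or "{}")
    role_arn = params.get("executionRole", "")
    # Reject anything that is not a role ARN before handing it to STS.
    if not role_arn.startswith("arn:") or ":role/" not in role_arn:
        raise ValueError("ruleParameters.executionRole must be an IAM role ARN")
    return role_arn


def assume_execution_role(sts_client, role_arn, session_name="config-rule-evaluation"):
    """Assume role B in the managed account; the Python counterpart of
    aws.TemporaryCredentials. Returns keyword arguments for boto3.client()."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def lambda_handler(event, context):
    """Entry point: assume the passed role, then report an evaluation
    through a Config client that acts in the managed account."""
    import boto3  # bundled in the Lambda runtime; imported here so the helpers above load without it

    item = json.loads(event["invokingEvent"])["configurationItem"]
    creds = assume_execution_role(boto3.client("sts"), get_execution_role(event))
    config = boto3.client("config", **creds)  # equivalent of new aws.ConfigService({})
    config.put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            # Placeholder verdict; the real rule logic decides COMPLIANT / NON_COMPLIANT.
            "ComplianceType": "NOT_APPLICABLE",
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
```

The credentials returned by `assume_execution_role` expire, so a rule that runs for a long time or processes many resources should assume the role per invocation rather than caching the client across invocations.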