AWS stscreds SDK to refresh credentials for cross account assume roles

Question

I have setup cross account reading kinesis stream, but i get security token expired error when kinesis client is reading records. I used sts assume role to assume roleA in accountA, then use roleA credentials to assume roleB, lastly return the kinesis client, so there is no refresh feature applied to it and the client will expire in 1 hr by default. I looked up the stscreds AssumeRoleProvider and the doc says it will refresh the credentials. But i have no idea on how to refresh the first credential for assumed roleA then refresh the second credential for assumed roleB. Or is it better to call the method to reinitialize the kinesis client?

Here is the code block.

    cfg, err := config.LoadDefaultConfig(
        context.TODO(),
        config.WithRegion("us-west-2"),
    )

    if err != nil {
        return nil, err
    }

    stsclient := sts.NewFromConfig(cfg)

    assumingcnf, err := config.LoadDefaultConfig(
        context.TODO(),
        config.WithRegion("us-west-2"),
        config.WithCredentialsProvider(aws.NewCredentialsCache(
            stscreds.NewAssumeRoleProvider(
                stsclient,
                roleToAssumeArn1,
            )),
        ),
    )
    if err != nil {
        return nil, err
    }

    stsclient = sts.NewFromConfig(assumingcnf)

    cnf, err := config.LoadDefaultConfig(
        context.TODO(),
        config.WithRegion("us-west-2"),
        config.WithCredentialsProvider(aws.NewCredentialsCache(
            stscreds.NewAssumeRoleProvider(
                stsclient,
                roleToAssumeArn2,
            )),
        ),
    )
    if err != nil {
        return nil, err
    }
    kClient := kinesis.NewFromConfig(cnf)
    return kClient

It would be helpful to post your current code so that any answer can show how to adjust your code to get what you need. — Erwin Bolwidt, Oct 05 '22 at 04:22
Please provide enough code so others can better understand or reproduce the problem. — Community, Oct 05 '22 at 12:05

Erwin Bolwidt · Accepted Answer · 2022-10-05T04:34:29.833

You should be able to do this with the providers provided by AWS. I'm assuming you're using aws-sdk-go-v2.

This would make the resulting CredentialsProvider return the cached credentials until they expire; then it will call provider2, which uses sts2 to get new credentials for roleB, and sts2 will always first call provider1 first to get new credentials for roleA.

func createProvider(cfg aws.Config) aws.CredentialsProvider {
    sts1 := sts.NewFromConfig(cfg)
    provider1 := stscreds.NewAssumeRoleProvider(sts1, "roleA")
    sts2 := sts.NewFromConfig(cfg, func (o *sts.Options) { o.Credentials = provider1 })
    provider2 := stscreds.NewAssumeRoleProvider(sts2, "roleB")
    return aws.NewCredentialsCache(provider2)
}

am i going to apply the returned result to the default cfg? Does it mess up the default role we are using? — Luki Hou, Oct 05 '22 at 18:59

AWS stscreds SDK to refresh credentials for cross account assume roles

1 Answers1