
This is not a duplicate. I have searched and could not find an exact match for this.


I have Python code running on my local machine.

I want to connect to AWS for the purpose of pulling a secret from AWS Secrets Management.


On my local machine $HOME/.aws/config file, I have a profile configured.

[profile my-profile]
...

The profile is set up with the region, AWS account ID etc.

This is a known working profile that will connect to AWS.


I have configured an AWS IAM Role that is configured to restrict access to a secret stored in AWS Secrets.


On my local machine, in python code, I want to create a boto3 session and client that will:

  1. use the AWS local profile settings to connect to AWS
  2. and connect assuming the IAM role

so I can then pull the secret.


How do I create this boto3 session / client with these criteria?

I am not finding documentation on how to use both (local AWS profile by name and also assume AWS IAM role) for the specific purpose of pulling from AWS Secrets Management.


If anyone has actually done this, it would be greatly appreciated if code could be shared.


I have pulling a secret, without assuming the role, working fine for a secret that is not restricted by a role.

Now I have created another secret restricted by a role and I cannot get this to work.

user10664542
  • You talk about assuming role, do you mean an actual `aws sts assume-role` call? – luk2302 Nov 08 '22 at 11:14
  • Does this answer your question? [How to choose an AWS profile when using boto3 to connect to CloudFront](https://stackoverflow.com/questions/33378422/how-to-choose-an-aws-profile-when-using-boto3-to-connect-to-cloudfront) – luk2302 Nov 08 '22 at 11:14
  • And then [AWS: Boto3: AssumeRole example which includes role usage](https://stackoverflow.com/questions/44171849/aws-boto3-assumerole-example-which-includes-role-usage) if you actually talk about assuming other roles. – luk2302 Nov 08 '22 at 11:14
  • Thank you, but **none** of these help answer the question. I need to use 1. a local named AWS profile 2. AND also assume an AWS IAM role to access AWS secrets. – user10664542 Nov 08 '22 at 11:24
  • Then the two answers answer that perfectly, the first tells you how to use a profile, the second one tells you how to assume a role. Not sure what the problem is. – luk2302 Nov 08 '22 at 11:31
  • @luk2302 - It shows how to use them separately. It does not show how to use them together in one unified session and client. Neither are a solution that get me there. Challenge: if you think it works, code it up and try. Just do it. Apparently this is a big hole in boto3 and it's not possible. – user10664542 Nov 08 '22 at 17:20
  • You seem to not understand how boto (sessions / credentials) works. You have one session based on the profile (or ANYTHING else (ec2 metadata / access+secret, ...), does not matter a single bit), then call `assume-role` with that session, get credentials and create a new session object based on those credentials. And then you use that new session for whatever. That is how sessions work and how they are supposed to work. – luk2302 Nov 08 '22 at 17:24
  • Right, you are right. I don't understand how sessions and credentials work. That's why I am posting here asking the question. If you do, then please provide an actual working example to educate. I do not understand why I need to 'get credentials' when the credentials are provided in the local profile in $HOME/.aws/config and $HOME/.aws/credentials - that makes no sense to me if it is provided in the session by providing the profile name. And if I already have a session with credentials, why do I need to create another session (with credentials), as you are suggesting here. Code talks. – user10664542 Nov 08 '22 at 20:48
  • Actually, there's an easier way to do this: [Boto3: How to assume IAM Role to access other account](https://stackoverflow.com/a/71359754/174777) – John Rotenstein Nov 08 '22 at 23:01

1 Answer

To call AssumeRole(), you first need a set of credentials that have permission to call AssumeRole. These credentials will come from your ~/.aws/credentials file (optionally using a specific profile).

In response to an AssumeRole() call, AWS will return:

{
    'Credentials': {
        'AccessKeyId': 'string',
        'SecretAccessKey': 'string',
        'SessionToken': 'string',
        'Expiration': datetime(2015, 1, 1)
    },
    'AssumedRoleUser': {
        'AssumedRoleId': 'string',
        'Arn': 'string'
    },
    'PackedPolicySize': 123,
    'SourceIdentity': 'string'
}

This includes a different set of credentials that are associated with the IAM Role (instead of your IAM User). You must then use these credentials when making an API call 'as the assumed role'.

Think of it as entering a house with a front-door key then going to a table and picking up a car key. You can use the car key to drive the car that is outside the house, but you can't drive the car with the house key you used to enter the house.

  • House key = Your IAM User credentials
  • Picking up a Car key = Calling AssumeRole() and getting a new set of credentials (a new key)

You need to use the second set of credentials to drive the car.

John Rotenstein
  • This piece of information is helpful. I am still in need of boto3 code that will accomplish the task. Thank you. – user10664542 Nov 08 '22 at 22:09
  • Actually, there's an easier way to do this: [Boto3: How to assume IAM Role to access other account](https://stackoverflow.com/a/71359754/174777) – John Rotenstein Nov 08 '22 at 23:01
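The two-session flow the answer describes (profile session -> AssumeRole -> new session from the returned temporary credentials -> Secrets Manager call), as an added example that is not code from the question or the answer. The profile name, role ARN and secret name are placeholder assumptions; the helper that maps the AssumeRole response onto boto3.Session arguments and the secret parser are plain functions so they can be checked without AWS access.

```python
"""Added example: named local profile + AssumeRole + Secrets Manager in boto3."""
import json

# Assumed placeholder values: replace with your own profile, role ARN and secret name.
PROFILE_NAME = "my-profile"
ROLE_ARN = "arn:aws:iam::123456789012:role/secret-reader-role"
SECRET_ID = "my-restricted-secret"


def session_kwargs_from_assume_role(response):
    """Map the 'Credentials' block of an STS AssumeRole response onto the
    keyword arguments boto3.Session accepts. The session token is mandatory:
    without it the temporary key pair is rejected by AWS."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def assumed_role_session(profile_name, role_arn, session_name="secret-reader", duration=900):
    """House key: session built from the local named profile.
    Car key: the temporary credentials AssumeRole hands back.
    A short DurationSeconds (900 is the minimum) limits how long the car key lives."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    base = boto3.Session(profile_name=profile_name)
    sts = base.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    # Second session: region from the profile, credentials from the assumed role.
    return boto3.Session(region_name=base.region_name,
                         **session_kwargs_from_assume_role(resp))


def parse_secret_value(response):
    """GetSecretValue returns SecretString (often JSON) or SecretBinary."""
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            return json.loads(text)
        except ValueError:
            return text
    return response["SecretBinary"]


def get_secret(session, secret_id):
    """Read the secret with the assumed-role session, never with the profile session."""
    client = session.client("secretsmanager")
    return parse_secret_value(client.get_secret_value(SecretId=secret_id))
```

Run it with `get_secret(assumed_role_session(PROFILE_NAME, ROLE_ARN), SECRET_ID)`; the role's trust policy must allow the profile's principal to call sts:AssumeRole, and the role's own policy must allow secretsmanager:GetSecretValue on the secret.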