AWS_ROLE_ARN env variable doesn't work without setting up config file
Confirm by changing [ ] to [x] below:
- [x] I've gone through the User Guide and the API reference
- [x] I've searched for previous similar issues and didn't find any solution
Issue is about usage on:
- [x] CLI : passing arguments or cli configurations.
Platform/OS/Hardware/Device (what are you running the cli on?): Windows10Pro V1903
Describe the question
AWS_ROLE_ARN is an environment variable supported by the cli as shown in this doc, but I can't seem to use it purely as an environment variable without having to set up a profile in .aws/config file.
Desired usage:
export AWS_ACCESS_KEY_ID=AKxxxx
export AWS_SECRET_ACCESS_KEY=yyyyy
export AWS_ROLE_ARN=arn:aws:iam::<account_id>:role/<role_name>
What I have to do instead to make it work (with additional settings for ~/.aws/config):
export AWS_ACCESS_KEY_ID=AKxxxx
export AWS_SECRET_ACCESS_KEY=yyyyy
aws configure set role_arn arn:aws:iam::<account_id>:role/<role_name>
aws configure set credential_source Environment
I'm not sure if this is a bug, or that it's just not part of the feature support for AWS_ROLE_ARN. But it will be very useful to be able to set everything in the environment variable without having to touch the file directory. A similar issue has been opened in aws-sdk-go issue #2802
Hi @tbua, thanks for reporting. I believe that this is not currently supported, according to this documentation:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
Note that configuration variables for using IAM roles can only be in the AWS CLI config file.
At this time I'm not sure what the restriction is, but I'll find out. I'll also mark this as a documentation issue for the user guide to make it consistent.
The lack of this feature is causing problems for us. Our build job loads the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, and needs to then assume a role to perform any operations. Since AWS_ROLE_ARN isn't an accepted env var, I had to make a profile that specified the role_arn and credential_source = Environment.
However, the documentation explains that if both AWS_PROFILE and AWS_ACCESS_KEY_ID are set, AWS_PROFILE is completely ignored. https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
If AWS_PROFILE environment variable is set and the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set, then the credentials provided by AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will override the credentials located in the profile provided by AWS_PROFILE.
This basically makes specifying credential_source = Environment completely pointless, since my only option is to manually pass --profile=<profile> to every single CLI command. Worse, aws eks update-kubeconfig records the profile as an env var in ~/.kube/config instead of using the --profile option, meaning that kubectl doesn't work at all in this setup.
Please add AWS_ROLE_ARN as an environment variable to fill in the gap, and deprecate credential_source = Environment since it cannot work as expected given the precedence order of env vars.
Hi @rittneje,
Thanks for the feedback. Part of the reason to require it to be in a profile in the configuration is to better support credential chaining (using one role to get access to another account or role). Your use case is noted, so marking this as a feature request.
Making a feature that is well documented actually work is a "feature request"? :)
Hi @stawii,
Which part of the documentation are you referring to? This specific environment variable (AWS_ROLE_ARN) is only available when assuming a role via the web identity provider, as noted here under "Assume Role with Web Identity":
These environment variables currently apply only to the assume role with web identity provider. They don't apply to the general assume role provider configuration.
It would be a feature request to extend the use of this environment variable. I marked it for documentation to clarify that in other sections. Let me know if this is unclear, thanks!
@kdaily - yeah.. it's clear now, somehow I've missed the big box with "note" header... it should be named "READ THIS, DUMMY" ;)
So, what I'm currently doing is
export AWS_PROFILE=myscript-12345
aws configure set role_arn arn:aws:iam::12345:role/somerole
aws configure set source_profile default
That kinda sucks, because it modifies the config file for what should just be a one-off thing (hence the myscript prefix). Any hope for actually making this env var work the way someone reasonable would expect (despite the docs providing a warning that it probably doesn't)? :)
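As an added example (not code from this thread or from the aws-cli project): a POSIX shell script that keeps the one-off role_arn/source_profile settings out of ~/.aws/config by writing them to a scratch file and pointing the CLI at it through AWS_CONFIG_FILE, a real CLI setting not mentioned above. The account id, role name and profile name are constructed placeholders; the source profile's keys are still read from ~/.aws/credentials as usual.

```shell
#!/bin/sh
# Added example: build a throwaway config so the shared ~/.aws/config is
# never modified for a one-off role assumption. Placeholder values only.

# write_scratch_config DIR PROFILE ROLE_ARN SOURCE_PROFILE -> prints the path
write_scratch_config() {
  dir=$1; profile=$2; role_arn=$3; source=$4
  cfg="$dir/config"
  umask 077   # credentials-adjacent file: owner-readable only (stays set)
  cat > "$cfg" <<EOF
[profile $profile]
role_arn = $role_arn
source_profile = $source
EOF
  printf '%s\n' "$cfg"
}

# config_has_role FILE PROFILE ROLE_ARN -> 0 if the section and role match
config_has_role() {
  grep -q "^\[profile $2\]" "$1" && grep -q "^role_arn = $3" "$1"
}

if [ "${1:-}" = "run" ]; then
  scratch=$(mktemp -d)
  trap 'rm -rf "$scratch"' EXIT        # one-off: nothing left behind
  AWS_CONFIG_FILE=$(write_scratch_config "$scratch" myscript-12345 \
      arn:aws:iam::123456789012:role/somerole default)
  export AWS_CONFIG_FILE
  # Do not export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY here: as noted
  # in the thread, static env credentials override the profile entirely.
  AWS_PROFILE=myscript-12345 aws sts get-caller-identity
fi
```

Run it as `sh script.sh run`; without the argument it only defines the functions.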