amazonica
AWS Config role_arn
Does Amazonica support utilizing role_arns from profiles within ~/.aws/config?
In my ~/.aws/config I have a role_arn in a profile declaration that lets me access the API of one account using access/secret keys from another account:
[default]
region = us-east-1
[profile foo]
role_arn = arn:aws:iam::58823005882300:role/Foobar
source_profile = default
From the command line I am able to specify a profile that I would like to utilize like below:
aws route53 list-hosted-zones-by-name --profile foo
This successfully fetches results.
I have tried passing the following combinations as credential maps to list-hosted-zones to attempt to leverage the ARN defined within the profile in ~/.aws/config, without any luck:
{:profile "foo"}
{:profile "arn:aws:iam::58823005882300:role/Foobar"}
{:role_arn "arn:aws:iam::58823005882300:role/Foobar"}
{:role "arn:aws:iam::58823005882300:role/Foobar"}
{:access-key "aws-access-key"
 :secret-key "aws-secret-key"
 :profile "arn:aws:iam::58823005882300:role/Foobar"}
{:access-key "aws-access-key"
 :secret-key "aws-secret-key"
 :profile "foo"}
If this is supported, what would the correct incantation be to leverage the role_arn from the profile in ~/.aws/config?
Theoretically this should be supported. And the incantation to choose the profile is passing a map as the first arg to any function, like you had, {:profile "foo"}. Whether or not it's actually supported via the Java SDK for this Route 53 call, I don't know. I looked through the Java source and it looks like it is, but I can't really tell. You can prove that the profile key syntax works pretty easily, though, if you want to.
There is an open issue with the Amazon Java SDK for ~/.aws/config support: https://github.com/aws/aws-sdk-java/issues/803
I got around this by reading the role ARN from an environment variable then calling amazonica.aws.securitytoken/assume-role to get an access key.
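The workaround from the last comment, written out as an added example; it is not code from the commenter or from the Amazonica project. The environment variable name `ASSUME_ROLE_ARN` and the session name are hypothetical, and the example assumes the Amazonica version in use accepts a `:session-token` key in the credential map and returns the STS credentials under `:access-key-id`, `:secret-access-key` and `:session-token`.

```clojure
(ns example.assume-role
  (:require [amazonica.aws.route53 :as route53]
            [amazonica.aws.securitytoken :as sts]))

;; ASSUME_ROLE_ARN is a hypothetical variable name; the thread does not name one.
(defn role-arn-from-env
  "Reads the role ARN from the environment and fails loudly when it is
   missing, so a call never silently runs as the source account."
  []
  (let [arn (System/getenv "ASSUME_ROLE_ARN")]
    (when (or (nil? arn) (empty? arn))
      (throw (ex-info "ASSUME_ROLE_ARN is not set" {})))
    arn))

(defn assume-role-creds
  "Calls STS AssumeRole using the default credential provider chain (the
   source account's keys) and returns an Amazonica credential map built
   from the temporary credentials."
  [role-arn]
  (let [{:keys [credentials]}
        (sts/assume-role
          :role-arn          role-arn
          ;; The session name appears in CloudTrail, which lets the target
          ;; account attribute calls. "amazonica-example" is a placeholder.
          :role-session-name "amazonica-example"
          ;; 900 seconds is the shortest lifetime STS allows.
          :duration-seconds  900)]
    ;; Assumption: Amazonica marshals the SDK Credentials object to these
    ;; kebab-case keys and accepts :session-token in a credential map.
    {:access-key    (:access-key-id credentials)
     :secret-key    (:secret-access-key credentials)
     :session-token (:session-token credentials)}))

(defn list-zones-as-role
  "Lists Route 53 hosted zones in the target account with the temporary
   credentials. Never log the returned credential map."
  []
  (route53/list-hosted-zones (assume-role-creds (role-arn-from-env))))
```

The temporary credentials expire after the requested duration, so a long-running process has to call `assume-role-creds` again rather than cache the map indefinitely.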