
Underlying permission to call "Assume Role"?

Open gregorytasonis opened this issue 6 years ago • 5 comments

I'm a bit confused on how to use the "Paws::Credential::AssumeRole" constructor. Where do you specify the permissions for the underlying IAM object allowed to assume the role in question? USER_1 in account 1 can assume the "DEVELOPER" role in account 2. I create a $paws object with the permissions of USER_1. What does the AssumeRole constructor look like?

gregorytasonis avatar Apr 02 '18 17:04 gregorytasonis

Hi,

Does this help? https://github.com/pplu/aws-sdk-perl/blob/master/examples/cross_account.pl

BTW: the credentials used to call the AssumeRole are the ones you would load by default in Paws (environment, aws credentials file, metadata service, etc).

pplu avatar Apr 03 '18 08:04 pplu

I do not get how to take "AssumeRole" data from ~/.aws/config.

For aws CLI I have credentials in ~/.aws/credentials and AssumeRole data in ~/.aws/config.

But I only succeed in letting my script use the credentials. AssumeRole data I have to provide in my script like so:

use Paws;
use Paws::Credential::AssumeRole;

my %AssumeRole = (
    RoleSessionName => 'some_name',
    RoleArn         => 'arn:aws:iam::NUMBER:role/RoleName',
    ExternalId      => 'some-uuid-string',
);

my $s3 =
    Paws
    ->new( config => {
        credentials => Paws::Credential::AssumeRole->new( %AssumeRole ),
    })
    ->service('S3',
        region => 'us-east-1',
    )
;

use Data::Dumper;
print Dumper $s3->ListObjectsV2(
    Bucket => 'theBucket',
    Prefix => 'thePrefix',
);

Is there any way I can use the ~/.aws/config file?

Skeeve avatar Apr 06 '21 05:04 Skeeve

Paws traditionally hasn't parsed the ~/.aws/config file, since that is a file for the AWS CLI, and not the AWS SDK. Last time I looked that was the behaviour of botocore.

Building a credential provider on top of the assumerole provider that gets the config for assuming a role from the config file would be a nice thing to have in Paws, or a separate CPAN distro.

@jjatria built a config parser that understands the config file: https://metacpan.org/release/AWS-CLI-Config.

Hope it helps!

pplu avatar Apr 07 '21 21:04 pplu

fttb I will not attempt to implement it but keep the AssumeRole stuff in my code. I have almost no knowledge about AWS. I just have to consume files provided to me via S3. I just need to get it to work. So: Sorry. I don't feel able to help.

Regarding the distinction between CLI and SDK, I found this when checking out my options for GO: https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials

SDK defaults to config file under .aws folder that is placed in the home folder on your computer.

Skeeve avatar Apr 09 '21 08:04 Skeeve

@jjatria built a config parser that understands the config file

FWIW, https://metacpan.org/pod/Config::AWS is probably the one to use. AWS::CLI::Config was inherited by me, and my plan is to make it use the former under the hood.

jjatria avatar May 12 '21 11:05 jjatria
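
The idea raised in the thread, reading the role settings from ~/.aws/config instead of hard-coding them, as an added example that is not code from Paws, Config::AWS or any participant. It uses core Perl only; `parse_aws_config` and `assume_role_args` are hypothetical names, and it assumes the AWS CLI profile keys `role_arn`, `role_session_name` and `external_id`.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Parse AWS CLI config text into { profile_name => { key => value } }.
sub parse_aws_config {
    my ($text) = @_;
    my (%profiles, $current);
    for my $line (split /\r?\n/, $text) {
        next if $line =~ /^\s*(?:[#;].*)?$/;    # blank lines and comments
        if ($line =~ /^\s*\[\s*(?:profile\s+)?([^\]]+?)\s*\]\s*$/) {
            $current = $1;                      # "[profile x]" and "[default]"
            $profiles{$current} //= {};
        }
        elsif (defined $current && $line =~ /^([^=\s]+)\s*=\s*(.*?)\s*$/) {
            $profiles{$current}{$1} = $2;       # indented sub-settings are skipped
        }
    }
    return \%profiles;
}

# Map one profile to the constructor arguments used in the script above.
sub assume_role_args {
    my ($profiles, $name) = @_;
    my $p   = $profiles->{$name} or die "profile '$name' not found\n";
    my $arn = $p->{role_arn}     or die "profile '$name' has no role_arn\n";
    die "role_arn '$arn' is not an IAM role ARN\n"
        unless $arn =~ m{^arn:aws[\w-]*:iam::\d{12}:role/.+$};
    my %args = (
        RoleArn         => $arn,
        RoleSessionName => $p->{role_session_name} // ('paws-' . $$),
    );
    # Pass ExternalId only when the profile sets one.
    $args{ExternalId} = $p->{external_id} if length($p->{external_id} // '');
    return %args;
}

# Constructed sample; a real script would read "$ENV{HOME}/.aws/config".
my $sample = <<'END';
[default]
region = us-east-1

[profile developer]
role_arn = arn:aws:iam::123456789012:role/DEVELOPER
source_profile = default
external_id = some-uuid-string
END

my %args = assume_role_args(parse_aws_config($sample), 'developer');
print "$_ => $args{$_}\n" for sort keys %args;
```

The resulting hash can be passed as `Paws::Credential::AssumeRole->new(%args)`, as in the script earlier in the thread. `source_profile` is parsed but not acted on, since the AssumeRole call itself uses the credentials Paws loads by default.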