
    Simplified Guide: Assuming an IAM Role using the AWS CLI


    AWS Identity and Access Management (IAM) roles play a vital role in securely managing access to various AWS resources. As an AWS CLI user, assuming an IAM role allows you to switch from your current identity to a different role, granting you specific permissions and access rights. In this blog post, we will explore how you can assume an IAM role using the AWS Command Line Interface (CLI), making it easier for you to manage and interact with your AWS resources.


    To follow along with the steps in this guide, ensure you have the following prerequisites:

    1. AWS CLI installed and configured on your local machine.

    2. An existing IAM role with the necessary permissions you wish to assume.

    Step 1: Understand the IAM Role

    Before assuming an IAM role, it's crucial to have a clear understanding of the role's purpose, permissions, and the AWS accounts or entities it can be assumed by. Review the documentation or consult with your AWS administrator to gather the necessary information.

    Step 2: Retrieve the Role's ARN

    To assume an IAM role, you need to know its Amazon Resource Name (ARN). The ARN uniquely identifies the role within your AWS account. You can obtain the ARN using the AWS Management Console, AWS CLI, or SDKs. In this example, we will use the AWS CLI.

    Open your terminal or command prompt and execute the following command, replacing `your-role-name` with the actual name of the role:

    aws iam get-role --role-name your-role-name

    The output will include the role's details, including the ARN. Note down the ARN for the next step.

    Step 3: Assume the IAM Role

    Now that you have the ARN of the IAM role, you can assume it using the AWS CLI. The `aws sts assume-role` command allows you to request temporary security credentials associated with the IAM role.

    Execute the following command, replacing `your-role-arn` with the ARN of the role:

    aws sts assume-role --role-arn your-role-arn --role-session-name your-session-name

    The `--role-session-name` parameter specifies a name for the session, which helps identify it in logs and other tracking mechanisms. Replace `your-session-name` with a descriptive name for your session.

    If successful, the command will return a set of temporary security credentials, including an access key, secret access key, and session token. These credentials are valid for a specified duration (typically one hour).

    Step 4: Configure the Assumed Role Credentials

    To utilize the assumed role, you need to configure your AWS CLI with the temporary security credentials returned in the previous step.

    Execute the following commands to configure the assumed role credentials:

    aws configure set aws_access_key_id YOUR_ACCESS_KEY

    aws configure set aws_secret_access_key YOUR_SECRET_ACCESS_KEY

    aws configure set aws_session_token YOUR_SESSION_TOKEN

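    Replace `YOUR_ACCESS_KEY`, `YOUR_SECRET_ACCESS_KEY`, and `YOUR_SESSION_TOKEN` with the `AccessKeyId`, `SecretAccessKey`, and `SessionToken` values from the `Credentials` object returned by the `aws sts assume-role` command. Because no profile is specified, these commands write to your default profile and replace any credentials already stored there.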

    Step 5: Validate the Assumed Role

    To ensure that you have successfully assumed the IAM role, you can use the AWS CLI to perform an operation that requires the permissions associated with the assumed role.

    For example, you can list the contents of an S3 bucket:

    aws s3 ls s3://your-bucket-name

    Replace `your-bucket-name` with the name of an S3 bucket accessible by the assumed role.

    If you receive a successful response without any permission errors, it indicates that you have successfully assumed the IAM role.
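
    Steps 3 and 4 in script form, as an added example that is not part of the original post: it holds the temporary credentials in environment variables of the current shell instead of writing them with `aws configure set`, so the stored default profile is left unchanged. The function names and the `ROLE_CREDS_EXPIRE` variable are hypothetical; `--query` with `--output text` makes the CLI print the four credential fields on one tab-separated line.

```shell
#!/bin/sh
# Added example (not from the original post): keep assumed-role credentials in
# the current shell's environment so ~/.aws/credentials is never modified.
TAB=$(printf '\t')

# Read one line of four tab-separated fields on stdin:
#   AccessKeyId, SecretAccessKey, SessionToken, Expiration
# and export them. Malformed input or a non-temporary key is refused.
load_role_creds() {
    _key='' _secret='' _token='' _expiry='' _extra=''
    IFS="$TAB" read -r _key _secret _token _expiry _extra || true
    if [ -z "$_key" ] || [ -z "$_secret" ] || [ -z "$_token" ] ||
       [ -z "$_expiry" ] || [ -n "$_extra" ]; then
        echo "load_role_creds: expected exactly 4 tab-separated fields" >&2
        return 1
    fi
    # Temporary STS access key IDs begin with ASIA; a long-term user key
    # (AKIA) here means the input is not assume-role output.
    case $_key in
        ASIA*) ;;
        *) echo "load_role_creds: not a temporary access key ID" >&2; return 1 ;;
    esac
    export AWS_ACCESS_KEY_ID="$_key" AWS_SECRET_ACCESS_KEY="$_secret"
    export AWS_SESSION_TOKEN="$_token"
    ROLE_CREDS_EXPIRE="$_expiry"   # hypothetical helper variable, not read by the AWS CLI
    unset _key _secret _token _expiry _extra
}

# Return to the original identity by removing the temporary credentials.
drop_role_creds() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN ROLE_CREDS_EXPIRE
}

# Steps 3 and 4 in one call: assume_role <role-arn> <session-name>
assume_role() {
    _out=$(aws sts assume-role --role-arn "$1" --role-session-name "$2" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
    # A here-document (not a pipe) keeps load_role_creds in the current shell.
    load_role_creds <<EOF
$_out
EOF
}
```

    After `assume_role`, running `aws sts get-caller-identity` should report an `assumed-role` ARN that ends in your session name. `drop_role_creds` returns the shell to its original identity.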

