SAML.to
  • Introduction
  • Installation
  • Configuration
    • Identity Providers
      • GitHub
    • Service Providers
      • AWS (Federated Roles)
        • Assuming Roles
          • AWS CLI
          • AWS SDKs
          • Docker
          • Terraform
          • Kubernetes
        • Adding Users
        • Adding AWS Accounts
        • Adding Roles
        • Roles for GitHub Actions
    • Configuration Reference
      • Substitutions
  • FAQs
  • Usage
    • CLI
      • login
      • assume
      • list-roles
    • GitHub Actions
      • Assume AWS Role Action
      • Config Sync Action
  • Advanced Usage
    • AWS
      • CloudWatch Dashboard Sharing
Powered by GitBook
On this page
  • Using Environment Variables
  • Using Profiles
  • Named Profiles
  1. Configuration
  2. Service Providers
  3. AWS (Federated Roles)
  4. Assuming Roles

AWS CLI

The AWS CLI has various methods for using an AWS Token on a system, wether it be in on a Developer System, or CI/CD (such as GitHub Actions).

Using Environment Variables

In an Interactive Terminal (e.g. Developer Laptop)

Add the --headless flag to the saml-to assume command in a subshell $(...)

$(saml-to assume the-role-name --headless)
aws sts get-caller-identity # (optional, shows the identity that is now assumed)
aws ec2 describe-instances # (or whatever AWS CLI command desired)
In GitHub Actions

In the Workflow YAML, use provide the Repository Secret (automatically generated using ${{ secrets.GITHUB_TOKEN }} and the Assume AWS Role Action

steps:
  - uses: saml-to/assume-aws-role-action@v1
    with:
      role: arn:aws:iam::123456789012:role/admin
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)

Using Profiles

In an Interactive Terminal (e.g. Developer Laptop)

Add the --save flag to the saml-to assume command

saml-to assume the-role-name --save
aws sts get-caller-identity --profile the-role-name
aws ec2 describe-instances --profile the-role-name
In GitHub Actions

Add the profile: option to the Assume AWS Role Action

steps:
  - uses: saml-to/assume-aws-role-action@v1
    with:
      role: arn:aws:iam::123456789012:role/admin
      profile: the-profile-name
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)

Named Profiles

Named Profiles are useful if you need to access multiple AWS accounts or Roles in the same session

In an Interactive Terminal (e.g. Developer Laptop)
saml-to assume the-role-name --save role1
saml-to assume another-role-name --save role2
aws sts get-caller-identity --profile role1
aws sts get-caller-identity --profile role2
aws ec2 describe-instances --profile role1
aws ec2 describe-instances --profile role2
In GitHub Actions
steps:
  - uses: saml-to/assume-aws-role-action@v1
    with:
      role: arn:aws:iam::123456789012:role/some-role
      profile: role1
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - uses: saml-to/assume-aws-role-action@v1
    with:
      role: arn:aws:iam::123456789012:role/another-role
      profile: role2
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity --profile role1
  - run: aws sts get-caller-identity --profile role2
PreviousAssuming RolesNextAWS SDKs

Last updated 2 years ago