
AWS CLI

The AWS CLI has various methods for using an AWS Token on a system, whether it be on a Developer System or in CI/CD (such as GitHub Actions).

Using Environment Variables

In an Interactive Terminal (e.g. Developer Laptop)
Add the --headless flag to the saml-to assume command and run it in a subshell, $(...):
$(saml-to assume the-role-name --headless)
aws sts get-caller-identity # (optional, shows the identity that is now assumed)
aws ec2 describe-instances # (or whatever AWS CLI command desired)
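A wrapper around the subshell pattern above, added here as an example; it is not part of the SAML.to documentation or CLI. It assumes that saml-to assume <role> --headless prints export lines for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN (the page does not list the variable names), and it uses a hypothetical SAML_TO variable to name the command so that a constructed stand-in can be substituted offline. The wrapper checks that a complete set of temporary credentials landed in the environment, runs one command with them, and clears them afterwards so the session token does not linger in the shell.

```shell
#!/bin/sh
# Added example, not part of the SAML.to docs or CLI.
# Assumption: `saml-to assume <role> --headless` prints lines of the form
#   export AWS_ACCESS_KEY_ID=...
#   export AWS_SECRET_ACCESS_KEY=...
#   export AWS_SESSION_TOKEN=...
# SAML_TO (hypothetical) names the command to run; it defaults to the real CLI.
SAML_TO="${SAML_TO:-saml-to}"

# Constructed stand-in for the CLI, for running this example offline. The
# values are placeholders, not real credentials.
sample_saml_to() {
  printf 'export AWS_ACCESS_KEY_ID=ASIACONSTRUCTED\n'
  printf 'export AWS_SECRET_ACCESS_KEY=constructed-secret\n'
  printf 'export AWS_SESSION_TOKEN=constructed-token\n'
}

# True only when a complete temporary credential set is present. The session
# token is what distinguishes STS temporary credentials from long-lived keys.
aws_env_ready() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] &&
  [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] &&
  [ -n "${AWS_SESSION_TOKEN:-}" ]
}

# Remove the credentials from the current shell.
aws_env_clear() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Usage: with_assumed_role <role-name> <command> [args...]
# Assumes the role, runs the command with the credentials exported, then clears
# them whether or not the command succeeded. Returns the command's exit status.
with_assumed_role() {
  role="$1"
  shift
  out=$("$SAML_TO" assume "$role" --headless) || { aws_env_clear; return 1; }
  # eval executes the printed export lines in the current shell, which is
  # also what the page's bare $(...) form achieves.
  eval "$out"
  if ! aws_env_ready; then
    echo "with_assumed_role: incomplete credential set exported for $role" >&2
    aws_env_clear
    return 1
  fi
  "$@"
  status=$?
  aws_env_clear
  return "$status"
}

# Offline demonstration with the constructed stand-in:
#   SAML_TO=sample_saml_to; with_assumed_role the-role-name sh -c 'echo "$AWS_SESSION_TOKEN"'
# With the real CLI and a configured role:
#   with_assumed_role the-role-name aws sts get-caller-identity
```

Because the credentials are cleared on every exit path, a later aws command in the same shell fails closed instead of silently reusing an earlier session.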
In GitHub Actions
In the Workflow YAML, provide the Repository Secret (the automatically generated ${{ secrets.GITHUB_TOKEN }}) to the Assume AWS Role Action:
steps:
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/admin
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)

Using Profiles

In an Interactive Terminal (e.g. Developer Laptop)
Add the --save flag to the saml-to assume command, then pass the role name as the --profile to each AWS CLI command:
saml-to assume the-role-name --save
aws sts get-caller-identity --profile the-role-name
aws ec2 describe-instances --profile the-role-name
In GitHub Actions
Add the profile: option to the Assume AWS Role Action:
steps:
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/admin
      profile: the-profile-name
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)

Named Profiles

Named Profiles are useful if you need to access multiple AWS accounts or Roles in the same session. Pass the profile name to --save, then select it with --profile on each AWS CLI command.
In an Interactive Terminal (e.g. Developer Laptop)
saml-to assume the-role-name --save role1
saml-to assume another-role-name --save role2
aws sts get-caller-identity --profile role1
aws sts get-caller-identity --profile role2
aws ec2 describe-instances --profile role1
aws ec2 describe-instances --profile role2
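An audit helper for the saved profiles used in the Profiles and Named Profiles sections, added here as an example; it is not part of the SAML.to documentation or CLI. It assumes that saml-to assume <role> --save <name> writes a [name] section to the AWS CLI credentials file (~/.aws/credentials by default), the file that aws --profile <name> reads; the page does not state where the profile is stored. It classifies each section as temporary (it carries an aws_session_token, as STS credentials do) or long-lived (a plain access key), so that stale long-lived keys sitting next to SAML-backed profiles can be found and removed. The sample credentials file is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the SAML.to docs or CLI.
# Assumption: `saml-to assume <role> --save <name>` writes a [name] section
# to the AWS CLI credentials file, which `aws --profile <name>` then reads.

# Constructed sample credentials file for offline demonstration; the values
# are placeholders, not real credentials. Usage: write_sample_credentials <path>
write_sample_credentials() {
  cat > "$1" <<'EOF'
[role1]
aws_access_key_id = ASIACONSTRUCTED1
aws_secret_access_key = constructed
aws_session_token = constructed-token-1
[role2]
aws_access_key_id = ASIACONSTRUCTED2
aws_secret_access_key = constructed
aws_session_token = constructed-token-2
[legacy]
aws_access_key_id = AKIACONSTRUCTED
aws_secret_access_key = constructed
EOF
}

# Usage: aws_profile_kinds <credentials-file>
# Prints one line per profile: "<name> temporary" or "<name> long-lived".
aws_profile_kinds() {
  awk '
    function flush() {
      if (name != "") printf "%s %s\n", name, (has ? "temporary" : "long-lived")
    }
    /^[ \t]*\[/ {                      # section header, e.g. [role1]
      flush()
      name = $0
      sub(/^[ \t]*\[[ \t]*/, "", name)
      sub(/[ \t]*\][ \t]*$/, "", name)
      has = 0
      next
    }
    /^[ \t]*aws_session_token[ \t]*=/ { has = 1 }
    END { flush() }
  ' "$1"
}

# Usage: aws_long_lived_profiles <credentials-file>
# Lists profiles that hold long-lived keys, the ones worth rotating or removing
# once a SAML-backed temporary profile covers the same role.
aws_long_lived_profiles() {
  aws_profile_kinds "$1" | awk '$2 == "long-lived" { print $1 }'
}

# Usage: aws_profile_exists <credentials-file> <name>
# Succeeds when the profile is present; useful before `aws --profile <name>`.
aws_profile_exists() {
  aws_profile_kinds "$1" | awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# Against the real file: aws_profile_kinds "$HOME/.aws/credentials"
```

Temporary profiles written by --save expire with the STS session, so a failing aws --profile call is usually a cue to run saml-to assume again rather than a reason to paste long-lived keys into the file.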
In GitHub Actions
steps:
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/some-role
      profile: role1
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/another-role
      profile: role2
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity --profile role1
  - run: aws sts get-caller-identity --profile role2