AWS CLI
The AWS CLI has various methods for using an AWS token on a system, whether it be on a developer system or in CI/CD (such as GitHub Actions).
Add the --headless flag to the saml-to assume command and run it in a subshell, $(...), so that the exported credentials it prints are applied to the current shell:
$(saml-to assume the-role-name --headless)
aws sts get-caller-identity # (optional, shows the identity that is now assumed)
aws ec2 describe-instances # (or whatever AWS CLI command desired)
In the workflow YAML, provide the repository secret (automatically generated, available as ${{ secrets.GITHUB_TOKEN }}) to the Assume AWS Role Action:
steps:
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/admin
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)
steps:
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/admin
      profile: the-profile-name
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)
Named profiles are useful if you need to access multiple AWS accounts or roles in the same session. Save each assumed role under its own profile name, then select it per command with --profile:
saml-to assume the-role-name --save role1
saml-to assume another-role-name --save role2
aws sts get-caller-identity --profile role1
aws sts get-caller-identity --profile role2
aws ec2 describe-instances --profile role1
aws ec2 describe-instances --profile role2
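Both the headless flow above and the named-profile flow end with aws sts get-caller-identity to show which identity is active. The following is an added example, not code from the saml-to project or this page, of turning that optional check into a guard: it parses the JSON that get-caller-identity prints and confirms the session belongs to the expected role (and optionally account) before any further AWS CLI command is run, so a mis-selected --profile or a stale credential does not silently act in the wrong account. It assumes the "Arn" field has the standard STS form arn:<partition>:sts::<account>:assumed-role/<role-name>/<session-name>; the sample JSON at the bottom is constructed for offline use, and only check_assumed_role actually invokes the aws CLI.

```shell
#!/bin/sh
# Added example (not part of the saml-to documentation): verify the identity the
# AWS CLI holds after `saml-to assume` before running privileged commands.

# Extract the "Arn" value from get-caller-identity JSON supplied on stdin.
caller_arn() {
  sed -n 's/.*"Arn" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# Reduce an STS assumed-role ARN to its role name; fail for any other ARN shape.
# arn:aws:sts::123456789012:assumed-role/admin/GitHubActions -> admin
role_name_from_arn() {
  arn=$1
  case "$arn" in
    arn:*:sts::*:assumed-role/*/*)
      rest=${arn#*:assumed-role/}   # admin/GitHubActions
      printf '%s\n' "${rest%%/*}"   # admin
      ;;
    *)
      return 1
      ;;
  esac
}

# Return 0 if the JSON on stdin describes an assumed-role session for role $1,
# and (when $2 is given) in account $2; return 1 otherwise.
identity_matches() {
  expected_role=$1
  expected_account=${2:-}
  arn=$(caller_arn)
  [ -n "$arn" ] || return 1
  role=$(role_name_from_arn "$arn") || return 1
  [ "$role" = "$expected_role" ] || return 1
  if [ -n "$expected_account" ]; then
    account=${arn#*:sts::}        # 123456789012:assumed-role/...
    account=${account%%:*}        # 123456789012
    [ "$account" = "$expected_account" ] || return 1
  fi
  return 0
}

# Live wrapper: query STS (optionally via a named profile, as produced by
# `saml-to assume ... --save <profile>`) and check the result.
# Usage: check_assumed_role <role-name> [<account-id>] [<profile>] || exit 1
check_assumed_role() {
  expected_role=$1
  expected_account=${2:-}
  profile=${3:-}
  if [ -n "$profile" ]; then set -- --profile "$profile"; else set --; fi
  aws sts get-caller-identity --output json "$@" \
    | identity_matches "$expected_role" "$expected_account"
}

# Constructed sample of get-caller-identity output (not real output or real ids).
SAMPLE_IDENTITY_JSON='{
    "UserId": "AROAEXAMPLEID:GitHubActions",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/admin/GitHubActions"
}'
```

In a workflow, a step such as `run: check_assumed_role admin 123456789012 role1 || exit 1` (after sourcing the script) fails the job instead of letting later steps run under an unexpected identity; on a developer system the same guard fits at the top of any script that is sensitive to which account it targets.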
steps:
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/some-role
      profile: role1
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - uses: saml-to/[email protected]
    with:
      role: arn:aws:iam::123456789012:role/another-role
      profile: role2
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity --profile role1
  - run: aws sts get-caller-identity --profile role2