AWS CLI

The AWS CLI has various methods for using an AWS Token on a system, whether on a Developer System or in CI/CD (such as GitHub Actions).

Using Environment Variables

In an Interactive Terminal (e.g. Developer Laptop)

Add the --headless flag to the saml-to assume command in a subshell $(...)

$(saml-to assume the-role-name --headless)
aws sts get-caller-identity # (optional, shows the identity that is now assumed)
aws ec2 describe-instances # (or whatever AWS CLI command desired)
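
An added example, not part of the saml-to documentation: a POSIX shell wrapper that applies the same $(saml-to assume ... --headless) pattern inside a subshell, so the exported credentials exist for one command only and never persist in the interactive shell. The name with_aws_role and the ASSUME_CMD override are hypothetical, and it assumes the command prints export statements for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

```shell
# Added example (not saml-to's own code).
# Usage: with_aws_role the-role-name aws sts get-caller-identity
# ASSUME_CMD is a hypothetical override for testing; the default is saml-to.
# Assumption: `saml-to assume ROLE --headless` prints export statement(s)
# for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

# The function body is a subshell, so nothing exported here reaches the caller.
with_aws_role() (
  if [ "$#" -lt 2 ]; then
    echo "usage: with_aws_role ROLE COMMAND [ARGS...]" >&2
    exit 2
  fi
  role=$1
  shift

  # Drop inherited credentials so a failed assume cannot silently fall
  # back to keys or a profile already present in the parent environment.
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE

  # Same pattern as above: the shell executes the statements that are printed.
  $(${ASSUME_CMD:-saml-to} assume "$role" --headless) || {
    echo "with_aws_role: assuming $role failed" >&2
    exit 1
  }

  # Temporary STS credentials always carry a session token; refuse to
  # run the command if any of the three variables is missing.
  for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "with_aws_role: $var not set after assume" >&2
      exit 1
    fi
  done

  "$@"
)
```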

In GitHub Actions

In the Workflow YAML, provide the Repository Secret (automatically generated, using ${{ secrets.GITHUB_TOKEN }}) and the Assume AWS Role Action

steps:
  - uses: saml-to/assume-aws-role-action@v1
    with:
      role: arn:aws:iam::123456789012:role/admin
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)

Using Profiles

In an Interactive Terminal (e.g. Developer Laptop)

Add the --save flag to the saml-to assume command

saml-to assume the-role-name --save
aws sts get-caller-identity --profile the-role-name
aws ec2 describe-instances --profile the-role-name

In GitHub Actions

Add the profile: option to the Assume AWS Role Action

steps:
  - uses: saml-to/assume-aws-role-action@v1
    with:
      role: arn:aws:iam::123456789012:role/admin
      profile: the-profile-name
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity # (optional, shows the identity that is now assumed)
  - run: aws ec2 describe-instances # (or whatever AWS CLI command desired)

Named Profiles

Named Profiles are useful if you need to access multiple AWS accounts or Roles in the same session.

In an Interactive Terminal (e.g. Developer Laptop)
In GitHub Actions
