How to AWS Assume Role and Then Revert to the Previous Role After


If you need to assume a role in AWS and then go back to the credentials you started with once the work is done, the following Bash snippet does it (it needs the AWS CLI and jq):

# Save the original credentials. ${VAR-} expands to empty (not an error) when
# a variable is unset, so this also works under "set -u".
ORIGINAL_AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID-}"
ORIGINAL_AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY-}"
ORIGINAL_AWS_SESSION_TOKEN="${AWS_SESSION_TOKEN-}"

# Assume the role and keep the JSON response. Account ID and role name are
# placeholders (an account ID is 12 digits). Stop if STS refuses: otherwise the
# exports below set empty values and later commands silently run as whoever the
# CLI falls back to. Use "return 1" instead if you paste this into an interactive shell.
assume_role_output=$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/YourCrossAccountAccessRole --role-session-name "AssumeRoleSession") || exit 1

# Extract the temporary credentials from the response using jq (JSON processor)
export AWS_ACCESS_KEY_ID=$(echo "$assume_role_output" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$assume_role_output" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$assume_role_output" | jq -r '.Credentials.SessionToken')

# Later, when the work is done, restore the original credentials. A variable
# that was unset before is unset again rather than exported as an empty string.
if [ -n "$ORIGINAL_AWS_ACCESS_KEY_ID" ]; then
  export AWS_ACCESS_KEY_ID="$ORIGINAL_AWS_ACCESS_KEY_ID"
  export AWS_SECRET_ACCESS_KEY="$ORIGINAL_AWS_SECRET_ACCESS_KEY"
else
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
fi
if [ -n "$ORIGINAL_AWS_SESSION_TOKEN" ]; then
  export AWS_SESSION_TOKEN="$ORIGINAL_AWS_SESSION_TOKEN"
else
  unset AWS_SESSION_TOKEN
fi

Understanding the Process

Assuming a role in AWS gives you temporary credentials that carry the role's permissions, typically permissions your current identity does not have, for example in another account. Those credentials stay valid for the life of the session (one hour by default), so once the task is finished you should drop them and return to your original credentials: otherwise every later command in that shell keeps running as the role, with its elevated permissions, and once the session expires those commands start failing. This snippet does that with Bash and the AWS CLI.

Step-by-Step Guide

  1. Save Original Environment Variables: Before assuming the role, store your original AWS credentials so you can restore them later.
  2. Assume the Role: Use the aws sts assume-role command to assume the desired role. It returns temporary security credentials (access key, secret key and session token) that you can use to access AWS resources.
  3. Extract Temporary Credentials: The output of the assume-role command is JSON. We use jq, a lightweight command-line JSON processor, to pull the three credential values out and set them as environment variables.
  4. Revert to the Original Credentials: Once your tasks are complete, restore the environment variables to their original values. If this runs inside a script, do it on every exit path (for example from a trap), not only on success, so a failed task does not leave the role's credentials in the environment.
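The same procedure as a reusable function, added here as an example that is not part of the original post: the command runs under the role inside a subshell, so the caller's AWS_* variables are untouched when it returns, even when the command fails, and there is nothing to restore by hand. It also goes a step further than the snippet above: it drops jq in favour of the CLI's own --query/--output text, and it refuses to run the command at all when assume-role fails. The role ARN, the session name, the ASSUME_ROLE_FETCHER hook and the stub_* functions with their credential strings are assumptions constructed for offline use, not real values.

```shell
#!/bin/sh
# with_assumed_role ROLE_ARN COMMAND [ARG...]
#
# Runs COMMAND with temporary credentials for ROLE_ARN. The credentials are
# exported inside a subshell, so when the command returns the caller's AWS_*
# variables are exactly what they were. The command's exit status is returned.

# The STS call, wrapped so it can be replaced. --query selects the three
# values and --output text prints them tab-separated on one line, so no jq.
fetch_role_credentials() {
  role_arn="$1"
  session_name="$2"
  aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name "$session_name" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
}

with_assumed_role() {
  role_arn="$1"
  shift
  # ASSUME_ROLE_FETCHER (assumed name) lets a stub stand in for the real call.
  fetcher="${ASSUME_ROLE_FETCHER:-fetch_role_credentials}"
  # Fail closed: if STS refuses, do not run the command at all. Falling through
  # would silently run it with the caller's own credentials.
  if ! creds=$("$fetcher" "$role_arn" "assumed-role-$$"); then
    echo "with_assumed_role: assume-role failed for $role_arn" >&2
    return 1
  fi
  (
    # Split the tab-separated line into the three variables.
    IFS="$(printf '\t')" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$creds
EOF
    if [ -z "$AWS_SESSION_TOKEN" ]; then
      echo "with_assumed_role: unexpected assume-role output" >&2
      exit 1
    fi
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    "$@"
  )
}

# Offline stand-ins for fetch_role_credentials with constructed sample values
# (not real credentials). Select one with ASSUME_ROLE_FETCHER=<name>.
stub_fetch_role_credentials() {
  printf 'ASIASTUBEXAMPLE0001\tstubSecretAccessKey\tstubSessionToken\n'
}
stub_fetch_role_credentials_denied() {
  echo "An error occurred (AccessDenied) when calling the AssumeRole operation" >&2
  return 1
}

# Usage against a real account (the role ARN is a placeholder):
#   with_assumed_role arn:aws:iam::123456789012:role/YourCrossAccountAccessRole \
#       aws sts get-caller-identity
#   aws sts get-caller-identity   # back on the original identity
```

To check it did what you expect, run aws sts get-caller-identity through the function and then again directly: the first Arn names the assumed-role session, the second your original identity.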

Code Explanation

  • ORIGINAL_AWS_ACCESS_KEY_ID, ORIGINAL_AWS_SECRET_ACCESS_KEY, ORIGINAL_AWS_SESSION_TOKEN: These variables hold your original AWS credentials so they can be restored later.
  • assume_role_output: This variable holds the JSON response of the aws sts assume-role command (the Credentials object, including its Expiration, plus an AssumedRoleUser object).
  • jq -r: The -r flag makes jq print the selected value as a raw string rather than a quoted JSON string, so it can be assigned to a variable directly.
  • export AWS_ACCESS_KEY_ID, export AWS_SECRET_ACCESS_KEY, export AWS_SESSION_TOKEN: These commands place the temporary credentials in the environment, where the AWS CLI and the SDKs read them ahead of the credentials file in ~/.aws. All three are needed: the access key and secret key of a role session are rejected without the session token.

In closing

With this script you can assume a role in AWS, complete your tasks, and return to your original credentials. Dropping the role's credentials as soon as the work is done keeps its elevated permissions confined to the task that needed them, which is the point of using a role in the first place.