39
votes

Using the AWS SDK for JavaScript, I want to use a default profile that assumes the a role. This works perfectly with the AWS CLI. Using node.js with the SDK does not assume the role, but only uses credentials to the AWS account that the access key belongs to. I've found this documentation but it does not deal with assuming a role: http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-shared.html

Any tips?

This is my config file:

[default]
role_arn = arn:aws:iam::123456789:role/Developer
source_profile = default
output = json
region = us-east-1
4
Did you ever find an answer to this? โ€“ El Chapitan
No, and I see the same problem using Python and Boto3 SDK. โ€“ Anders Lundsgard
As far as I'm aware, the node.js client doesn't automatically assume roles. If you want to assume those roles, you have to do it manually. โ€“ El Chapitan

4 Answers

60
votes

The right way to use multiple cross account roles in the code:

Get the credentials for the cross account role with sts and use those credentials every time you need to get a service authenticated with that specific cross account role.

Example:

Create a function to get the cross account credentials like:

const AWS = require('aws-sdk');
const sts = new AWS.STS();

const getCrossAccountCredentials = async () => {
  return new Promise((resolve, reject) => {
    const timestamp = (new Date()).getTime();
    const params = {
      RoleArn: 'arn:aws:iam::123456789:role/Developer',
      RoleSessionName: `be-descriptibe-here-${timestamp}`
    };
    sts.assumeRole(params, (err, data) => {
      if (err) reject(err);
      else {
        resolve({
          accessKeyId: data.Credentials.AccessKeyId,
          secretAccessKey: data.Credentials.SecretAccessKey,
          sessionToken: data.Credentials.SessionToken,
        });
      }
    });
  });
}

And then you can use it without problems like:

const main = async () => {
  // Get the Cross account credentials
  const accessparams = await getCrossAccountCredentials();
  // Get the ec2 service for current account
  const ec2 = new AWS.EC2();
  // Get the ec2 service for cross account role
  const ca_ec2 = new AWS.EC2(accessparams);
  // Get the autoscaling service for current account
  const autoscaling = new AWS.AutoScaling();
  // Get the autoscaling service for cross account role
  const ca_autoscaling = new AWS.AutoScaling(accessparams);

  // This will describe instances within the cross account role
  ca_ec2.describeInstances(...) 

  // This will describe instances within the original account
  ec2.describeInstances(...)

  // Here you can access both accounts without issues.
}

Benefits:

  • Does not change the credentials globally, so you can still target your own AWS account without having to backup the credentials in advance to restore it.
  • Allows to control exactly what account you're targeting in every moment.
  • Allows to handle multiple cross account roles and services.

The wrong way:

DO NOT USE AWS.config.update to override the global credentials AWS.config.credentials!!!

Override the global credentials is a bad practice!! This is same situation as @Brant's approved solution here but it is no good solution! Here is why:

const main = async () => {
  // Get the Cross account credentials
  const accessparams = await getCrossAccountCredentials();

  // Get the ec2 service for current account
  const ec2 = new AWS.EC2();

  // Overwrite the AWS credentials with cross account credentilas
  AWS.config.update(accessparams);

  // Get the ec2 service for cross account role
  const ca_ec2 = new AWS.EC2();

  // This will describe instances within the cross account role
  ca_ec2.describeInstances(...) 

  // This will ALSO describe instances within the cross account role
  ec2.describeInstances(...)

  // WARNING: Here you only will access the cross account role. You may get
  // confused on what you're accessing!!!
}

Issues:

  • Updating global AWS.config.credentials directly or by AWS.config.update, will override current credentials.
  • Everything will point to that cross account role, even future service calls that you may not expect.
  • To switch back to first account you may need to temporary backup AWS.config.credentials and update it again to restore it. It is hard to control when you use each account, it is hard to trace execution context, and easy to mess up by targeting the wrong account.

Again, DO NOT USE AWS.config.update to override the global credentials AWS.config.credentials!!!

If you need to run the code entirely in another account:

If you need to execute your code entirely for another account without switching between credentials. You can follow the advice from @Kanak Singhal and store the role_arn in the config file and add AWS_SDK_LOAD_CONFIG="true" to the environment variable along with AWS_PROFILE="assume-role-profile".

42
votes

Found the correct way to do it! Check out this PR: https://github.com/aws/aws-sdk-js/pull/1391

Just had to add AWS_SDK_LOAD_CONFIG="true" to the environment variable along with AWS_PROFILE="assume-role-profile"

So it doesnโ€™t require any code update ๐Ÿ˜…

This is because, the SDK only loads credentials file by default, not the config file, but since AWS role_arn is stored in the config file, we must enable loading the config file as well.

30
votes

The CLI and SDK work differently, in that you must explicitly assume the role when using the SDK. The SDK doesn't automatically assume the role from the config as the CLI does.

After the role is assumed, the AWS.config must be updated with the new credentials.

This works for me:

var AWS = require('aws-sdk');
AWS.config.region = 'us-east-1';

var sts = new AWS.STS();
sts.assumeRole({
  RoleArn: 'arn:aws:iam::123456789:role/Developer',
  RoleSessionName: 'awssdk'
}, function(err, data) {
  if (err) { // an error occurred
    console.log('Cannot assume role');
    console.log(err, err.stack);
  } else { // successful response
    AWS.config.update({
      accessKeyId: data.Credentials.AccessKeyId,
      secretAccessKey: data.Credentials.SecretAccessKey,
      sessionToken: data.Credentials.SessionToken
    });
  }
});
1
votes

A bit late to the party, but now the simplest way is probably to use the AWS.ChainableTemporaryCredentials

It refreshes the credentials automatically as well as being chainable in many layers

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/ChainableTemporaryCredentials.html

Me myself found this question when I wanted to run with an assumed role, so guess it still have some SEO power!