I tried to use the role as:
~/.aws/credentials
[default]
role_arn=arn:aws:iam::xxxxxxx:role/yyyy
but i get error:
Partial credentials found in assume-role, missing: source_profile or credential_source
so it seems IAM role cannot replace
[default]
aws_access_key_id = AAAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = BBBBBBBBBBBBBBBBBBBBBBBBBBB
since as per http://boto3.readthedocs.io/en/latest/guide/configuration.html
# In ~/.aws/credentials:
[development]
aws_access_key_id=foo
aws_access_key_id=bar
# In ~/.aws/config
[profile crossaccount]
role_arn=arn:aws:iam:...
source_profile=development
I would still have to use keys, which could be a security risk, even though not being used in the code
Is there a way to use boto3 with admin privileges without using aws API credentials?
so basically:
- Associate "admin" role to the ec2 instance, which you are going to use to run your boto3 scripts
- Make sure it looks good.
$curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
test boto3 script
#!/usr/bin/env python import boto3
ec2_client = boto3.client('ec2')
def main(): vpcs = ec2_client.describe_vpcs() for vpc_info in vpcs['Vpcs']: print(vpc_info['VpcId'])
if name == "main": main()
I came across an Application on github which addresses this issue: