aws assume role basics


AWS Assume role allow a principal (an IAM user or role) to temporarily assume a different IAM role and receive temporary credentials (AccessKeyId, SecretAccessKey, SessionToken). You use this when:

  • Accessing another AWS account (cross-account access),

  • Escalating privileges temporarily,

  • Following least privilege principles.

So you need to create a role, define who can assume this newly create role and finally you need to specify what permission tied to it. Otherwise, there's no reason to do this. :) 

In your IAM console, click on Create Role. 


Then select "Custom Trust policy".  

   

Then specify, the principal who can assume this role. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::your-aws-id:user/jeremydev"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Then proceed to configure your permission. Here we will chose AmazonS3FuillAccess. Click Next. Then provide a name here we will call it "s3fullaccess-atr", description and then click "create".

Once we have done, that, let's go an assume this role to get access to our s3 buckets.

aws sts assume-role --role-arn arn:aws:iam::your-amazon-id:role/s3fullaccess-atr --role-session-name s3-session

Then you will get the following outputs :-



Then proceed to export these as your environment variables - for example 

export AWS_ACCESS_KEY_ID=ASIA...

export AWS_SECRET_ACCESS_KEY=abc...

export AWS_SESSION_TOKEN=FQoG...

Then try to run the following command:-

aws s3 ls 


If you don't have the permission then you will get error similar to the one shown below

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::your-amazon-id:user/jeremydev is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::your-amazon-id:role/s3fullaccess-atr





Comments

Post a Comment

Popular posts from this blog

gemini cli getting file not defined error

Image
 While trying to run gemini cli on my windows linux subsystem, i bump into this error here - "/Roaming/npm/node_modules/@google/gemini-cli/node_modules/undici/lib/web/webidl/index.js:512 webidl.is.File = webidl.util.MakeTypeAssertion(File)"  "ReferenceError: File is not defined" In Node.js, there’s no built-in File (until very recent Node 20+ with experimental WHATWG APIs). So, unless polyfilled, File is undefined, leading to the ReferenceError. And to resolve this, I had to upgrade to node 22 (might work for node 20) and then I was able to run it.
Read more

NodeJS: Error: spawn EINVAL in window for node version 20.20 and 18.20

Encounter this issue when running autorest (that uses nodejs).  I am using node version:  v18.20.2 After i revert to use node v18.12.0, then i was able to get my app to run without this error. Since i am working with Azure devops yaml, i was able to use the following to resolve my issue.  - task : NodeTool@0   inputs :     versionSource : 'spec'     versionSpec : '18.18.0'
Read more

vllm : Failed to infer device type

Trying to run vllm without gpu will typicaly lands you into this issue. To resolve this issue: we can use set these both. Setting one does not work for me. So i had to configure both settings below:- 1.  environment variable CUDA_VISIBLE_DEVICES = "" 2. in the command line, change to use device cpu and remove  tensor-parallel-size. For example, python3 -m vllm.entrypoints.openai.api_server --port 8080 --model deepseek-ai/DeepSeek-R1 --device cpu --trust-remote-code --max-model-len 4096" References https://docs.vllm.ai/en/latest/getting_started/troubleshooting.html#failed-to-infer-device-type
Read more