aws-runas A friendly way to assume roles in AWS View on Github View on Github

Examples

These examples assume you have a valid configuration for the profile you are using.

Commands

Run command using a profile

This is the canonical use-case for aws-runas. The example below shows how to use aws-runas to execute the aws s3 ls command using credentials for the profile my-profile

aws-runas my-profile aws s3 ls

Run command using a role ARN

There may be cases where it is inconvenient to create the usual config and credentials files on the system. To handle this, aws-runas allows you to directly specify the IAM role ARN on the command-line in lieu of the profile name.

When using the tool in this way, the necessary IAM credentials must be supplied as either environment variables, or configured in the default section of the ~/.aws/credentials file.

The example below shows how to use aws-runas to execute the aws s3 ls command using credentials obtained for the role arn:aws:iam::1234567890:role/my-role. If necessary, the configuration for an MFA device can be provided via the -M command-line option.

aws-runas [-M mfa serial] arn:aws:iam::1234567890:role/my-role aws s3 ls

EC2 Metadata

aws-runas provides a feature which emulates the EC2 metadata credential endpoint which is used as part of the default credential lookup chain. This facility provides a way to vend AWS credentials to programs which are configured to find credentials at this endpoint. When configured to use a custom port (via the -p command-line option), no additional privileges are required; otherwise you will need to execute aws-runas using adminstrator/root privileges. For more information about this service see the Metadata Credentials documentation

Example

Start the service (running on a non-default port) in one terminal window:

aws-runas serve ec2 -p 8000 my-profile

In another window, configure your environment to use this endpoint and run the command

export AWS_SHARED_CREDENTIALS_FILE=/dev/null
export AWS_EC2_METADATA_SERVICE_ENDPOINT='http://127.0.0.1:8000/'
aws s3 ls

ECS Metadata

aws-runas provides a feature which emulates the ECS credential endpoint which is used as part of the default credential lookup chain. This facility provides a way to vend AWS credentials to programs which are configured to find credentials at this endpoint. No additional privileges are required to use this endpoint. For more information about this service see the Metadata Credentials documentation

Example

Start the service in one terminal window:

aws-runas serve ecs my-profile

In another window, configure your environment to use this endpoint and run the command

export AWS_SHARED_CREDENTIALS_FILE=/dev/null
export AWS_CONTAINER_CREDENTIALS_FULL_URI='http://127.0.0.1:12319/credentials'
aws s3 ls

Docker

Special consideration is needed when using aws-runas to supply credentials to processes running in docker containers.

Injecting Environment Variables

Exposing the AWS credentials as environment variables to the container is one option available. One drawback is this method is not aware of credential expiration, and has no way to automatically refresh credentials when they expire. So after some time (between 15 minutes and 12 hours, depending on configuration), the container must be restarted to run with new credentials. This method is most suitable with short-lived container execution.

Example
aws-runas -E my-profile docker run -e AWS_REGION -e AWS_ACCESS_KEY_ID \
 -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN ...

Using EC2 Metadata

Running the built-in EC2 Metadata Service of aws-runas is another way to expose AWS credentials to a docker container. When using this method, it is possible for the credentials refresh automatically when they expire, for as long as the underlying session is still valid. The one drawback of this approach is that you must run the service so that it listens on the 169.254.169.254 address, which requires administrator/root privilege on the system.

When using this method, it is advisable to have separate command-line sessions running, so you can monitor the execution of aws-runas and the docker container together.

In the first window, run aws-runas as adminstrator/root:

aws-runas serve ec2 my-profile

In the second window, run your docker container as you normally wold:

docker run ...