Table of Contents

AWS CloudShell

Description

The AWS CLI in AWS CloudShell can be configured to use cross account IAM roles for a custom profile. This could be helpful if you need to script running commands on multiple AWS accounts. To configure this you need to add a custom profile with a credential source of ECS Container.

Run Down

You can see that AWS CloudShell is not an EC2 instance but a container by running the following.

[cloudshell-user@ip-10-0-161-58 ~]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AKAK   container-role    
secret_key     ****************SKSK   container-role    
    region                us-east-2              env    ['AWS_REGION', 'AWS_DEFAULT_REGION']
[cloudshell-user@ip-10-0-161-58 ~]$

Next we need to make a blank profile. Just hit enter to leave the access key and secret key blank, but feel free to enter in your preferred region and output format.

aws --profile NEW_PROFILE_NAME configure

Now that we know AWS CloudShell is a container and we have created our blank profile we can add the cross account role arn and the credential source.

[cloudshell-user@ip-10-0-161-58 ~]$ cat .aws/config 
[profile NEW_PROFILE_NAME]
role_arn = arn:aws:iam::123456789012:role/IAM_CROSS_ACCOUNT_ROLE_NAME
credential_source = EcsContainer
region = us-east-1
output = json
[cloudshell-user@ip-10-0-161-58 ~]$ 

You can test this is working by running the following and comparing the difference between the two.

aws s3 ls

aws --profile NEW_PROFILE_NAME s3 ls