I'm trying to get temporary STS credentials through a federated user via a corporate account. Corporate policy doesn't allow the use of IAM users and authentication is done through AD.
Using the AWS CLI, I am trying this, but receive an error:
aws sts assume-role --role-arn arn:aws:iam::<ID>:role/aws-service-role/ecs.amazonaws.com/<role> --role-session-name "Rolesession1" --external-id <federated user login> --debug
AWS Config:
[default]
region = us-east-1
output = json
[default]
aws_access_key_id =
aws_secret_access_key =
aws_session_token =
Stacktrace:
An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
2019-01-29 09:15:54,986 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255
An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
Okay, I got this working. It's a 2 step process for now.
~/.aws/credentials. Your username and password are what you log in to your corporate network with.
~/.aws/credentials file either by putting them in a vars.yaml file, or directly in your playbook like this:
ec2_access_key: "{{ lookup('ini', 'aws_access_key_id section=saml file=~/.aws/credentials') }}"
ec2_secret_key: "{{ lookup('ini', 'aws_secret_access_key section=saml file=~/.aws/credentials') }}"
ec2_security_token: "{{ lookup('ini', 'aws_session_token section=saml file=~/.aws/credentials') }}"
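The three ini lookups above read the federated profile's keys out of ~/.aws/credentials at playbook run time. As an added example (not part of the answer above, and not Ansible's or the AWS CLI's own code), the Python below does the same read with the standard library and rejects the profile up front when a key is absent or blank, as in the question's empty [default] section, instead of letting the failure surface later as an STS error. It also classifies the access key by its well-known prefix (ASIA for temporary STS credentials, AKIA for long-term IAM user keys), so a key that violates the "no IAM users" policy is visible before it is used. The profile names, variable mapping and all key values in SAMPLE_CREDENTIALS are constructed for the example, not real credentials.

```python
import configparser

# Keys the answer's three Ansible ini lookups read from the [saml] section,
# mapped to the playbook variables they feed (names taken from the answer).
REQUIRED_KEYS = {
    "aws_access_key_id": "ec2_access_key",
    "aws_secret_access_key": "ec2_secret_key",
    "aws_session_token": "ec2_security_token",
}

# Constructed sample credentials file (values are not real keys): a federated
# [saml] profile with a session token, and a [default] profile left blank the
# way the question's config is.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id =
aws_secret_access_key =
aws_session_token =

[saml]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLEsessiontoken
"""


def load_temp_credentials(ini_text, section="saml"):
    """Return {playbook_var: value} for one profile, or raise ValueError.

    Fails loudly on the two conditions that the ini lookup alone does not
    report: the profile is missing, or a required key is absent or empty.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section(section):
        raise ValueError(f"profile [{section}] not found in credentials file")
    creds = {}
    for ini_key, playbook_var in REQUIRED_KEYS.items():
        # configparser yields '' for a line such as 'aws_access_key_id ='
        value = parser.get(section, ini_key, fallback="").strip()
        if not value:
            raise ValueError(f"[{section}] {ini_key} is missing or empty")
        creds[playbook_var] = value
    return creds


def key_kind(access_key_id):
    """Classify an access key id by its prefix: ASIA marks temporary STS
    credentials, AKIA marks a long-term IAM user key, anything else unknown."""
    if access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def check_profile(ini_text, section="saml"):
    """Load a profile and return (credentials, key kind). A federated login
    should always yield 'temporary'; 'long-term' means an IAM user key was
    written into the file and should not be used under the stated policy."""
    creds = load_temp_credentials(ini_text, section)
    return creds, key_kind(creds["ec2_access_key"])


def profile_is_usable(ini_text, section="saml"):
    """True when the profile exists and all three keys are non-empty."""
    try:
        load_temp_credentials(ini_text, section)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for profile in ("saml", "default"):
        try:
            creds, kind = check_profile(SAMPLE_CREDENTIALS, profile)
            print(f"[{profile}] ok, {kind} credentials: {sorted(creds)}")
        except ValueError as err:
            print(f"[{profile}] rejected: {err}")
```

Run against a real file with `load_temp_credentials(open(path).read(), "saml")`; the returned dict uses the same variable names as the playbook snippet in the answer, so the check can sit in front of the lookups as a pre-flight step.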