The AWS_ROLE_ARN environment variable was recently added with the introduction of the web identity credential provider. It would be great if the AWS_ROLE_ARN environment variable could also be used with the environment credential provider. This allows environments where disk access is not available or read-only to assume a role without a shared configuration file.
An example workflow, given the following environment:
AWS_ACCESS_KEY_ID=AK...
AWS_SECRET_ACCESS_KEY=...
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/example
The environment credential provider would use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials to assume the given AWS_ROLE_ARN.
Creating our own application-specific environment variable(s) (e.g. AWS_ROLE_ARN or TF_AWS_ROLE_ARN) to trigger assuming a role automatically, at the risk of:
AWS_ namespace and default AWS Go SDK behaviorReferences:
It seems like it would make sense to include AWS_ROLE_SESSION_NAME along with this as well.
馃憤 to making AssumeRole more transparent. I'd love to be able to tell my app developers "just use this credential provider class" and then give me the ability to fully determine what identity their code runs as, and how it obtains that identity, entirely by setting environment variables.
Any update with this? This functionality would be very useful in deployed envs i.e. k8s to be able to start sessions for specific profiles in code without needing to use a filesystem (for the shared config file).
This would definitely make my pipelines easier as with a lot of them I have to download the cli to then assume a role to then use with a deploy utility. Making this available would remove the need for us to assume a role with packages that use the SDK internally to manage credentials.
Most helpful comment
It seems like it would make sense to include
AWS_ROLE_SESSION_NAMEalong with this as well.