Trouble with AWS assume role with orb

Hey all, I'm new to CircleCI. Having trouble running a test with a basic AWS command and assume role.

I've gone through the AWS CLI orb documentation (which for some reason I'm not allowed to link in this post), but it's not clear to me how assume role is meant to be used. The example that specifies configure_role_arn doesn't show a further example of how to actually run some other code with that assumed role.

I’ve tried running these two jobs, but the final command doesn’t actually use the assumed role from the step above, so I’m doing it wrong. Or am I supposed to run assume role for every single command?

File: config.yml

  configure_role_arn:
    executor: aws-cli/default
    steps:
      - checkout
      - aws-cli/setup:
          profile_name: default
      - aws-cli/role_arn_setup:
          profile_name: circle-ci
          role_arn: arn:aws:iam::972620357255:role/circle-ci
          source_profile: default
      - run: >-
          aws sts assume-role --role-arn
          "arn:aws:iam::972620357255:role/circle-ci" --role-session-name
          AWSCLI-Session

  test-lambda:
    executor: aws-cli/default
    steps:
      - checkout
      - aws-cli/setup:
          profile_name: default
      - aws-cli/role_arn_setup:
          profile_name: circle-ci
          role_arn: arn:aws:iam::972620357255:role/circle-ci
          source_profile: default
      - run: |
          aws lambda invoke --function-name get_nebula_cert --payload '{"text":"Hello"}' response.txt --cli-binary-format raw-in-base64-out
          cat response.txt

It does work only if I run the command with

--profile circle-ci

but I'm hoping for a solution where that isn't required.

Have you tried not setting profile_name at all? Presumably the orb will use the default one if a profile is not specified?

If that doesn’t work, you could set AWS_PROFILE to circle-ci in a context or in the env vars for the job / executor?

I tried removing the instances as you suggested but that didn’t work.

I actually think the documentation here is incorrect because aws sts assume-role isn’t supposed to persist the authentication for the session:

The only way I get this to work is if I use the result to set env vars:

  configure_role_arn:
    executor: aws-cli/default
    resource_class: small
    steps:
      - checkout
      - aws-cli/setup
          # profile_name: default
      - aws-cli/role_arn_setup:
          profile_name: circle-ci
          role_arn: arn:aws:iam::972620357255:role/circle-ci
          # source_profile: default
      - run:
          name: test profile and download from s3
          command: |
            # assume-role returns the temporary credentials as JSON; export
            # them so the rest of this step runs as the assumed role
            temp_role=$(aws sts assume-role --role-arn "arn:aws:iam::972620357255:role/circle-ci" --role-session-name "AWSCLI-Session")
            export AWS_ACCESS_KEY_ID=$(echo "$temp_role" | jq -r .Credentials.AccessKeyId)
            export AWS_SECRET_ACCESS_KEY=$(echo "$temp_role" | jq -r .Credentials.SecretAccessKey)
            export AWS_SESSION_TOKEN=$(echo "$temp_role" | jq -r .Credentials.SessionToken)

            aws lambda invoke --function-name get_nebula_cert --payload '{"text":"Hello"}' response.txt --cli-binary-format raw-in-base64-out

So is the documentation wrong?

It also doesn’t describe how to persist that environment for subsequent jobs.

I made a ticket here now: "The documentation on aws sts assume-role is incorrect / not working in real world scenarios" (Issue #180, CircleCI-Public/aws-cli-orb on GitHub).
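For readers landing on this thread: the following is an added example, not code from the posts above or from the aws-cli orb. It does what the last post does by hand (call aws sts assume-role once and export the result), but it avoids jq by asking the CLI for tab-separated text with --query/--output, validates that all three values came back, and appends the exports to $BASH_ENV, the file CircleCI sources before every later step of the same job. Assumptions: the aws CLI is on the PATH (the orb's setup step installs it), the job runs under bash with BASH_ENV set as CircleCI does, the role ARN is the one from the thread, the 900-second session length is a choice, and the two function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the aws-cli orb): assume a role once
# in a CircleCI `run` step and persist the temporary credentials for every
# later step of the same job through $BASH_ENV. Each job starts in a fresh
# container, so a later job has to repeat this (or the orb's setup steps).
set -eu

# Turn one line of "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken", which
# is what `aws sts assume-role --output text --query ...` prints for a list of
# three scalars, into export statements. Kept separate from the STS call so
# it can be exercised offline with a constructed line.
creds_to_exports() {
  line=$1
  IFS="$(printf '\t')" read -r key secret token <<EOF
$line
EOF
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "creds_to_exports: malformed credentials line" >&2
    return 1
  fi
  # STS values are base64-style text ([A-Za-z0-9/+=]), so single quotes are safe.
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# Call STS, append the exports to $BASH_ENV (CircleCI sources it before each
# step) and source them now so the remainder of this step is covered too.
# The session name carries the build number so CloudTrail shows which build
# used the role.
assume_role_into_env() {
  role_arn=$1
  session_name=${2:-circleci-${CIRCLE_BUILD_NUM:-local}}
  creds_line=$(aws sts assume-role \
      --role-arn "$role_arn" \
      --role-session-name "$session_name" \
      --duration-seconds 900 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)
  creds_to_exports "$creds_line" >> "${BASH_ENV:?BASH_ENV is not set}"
  # shellcheck disable=SC1090
  . "$BASH_ENV"
}

# Example use inside a CircleCI step (role ARN taken from the thread):
#   assume_role_into_env arn:aws:iam::972620357255:role/circle-ci
#   aws sts get-caller-identity   # should now report the assumed role
```

Two things worth checking after adding this: run aws sts get-caller-identity in the next step and confirm the Arn shows the assumed role's session rather than the source credentials, and make sure nothing persists $BASH_ENV (or ~/.aws) to a workspace or cache, since it now holds live credentials. The alternative the earlier reply points at also works without any exporting: role_arn_setup writes a named profile with role_arn and source_profile, and the CLI assumes the role automatically whenever that profile is selected, which is exactly why --profile circle-ci worked in the first post; setting AWS_PROFILE=circle-ci in the job's environment gets the same effect for every command in the job.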