Feature Request: print current temporary session credentials

[hubertgrzeskowiak]

Whenever I assume a role using a role profile, the AWS CLI fetches temporary session tokens and saves them in ~/.aws/cli/cache/${random}.json. Is there any way to print the currently used credentials? I would like to pass them as env variables to another program.
Parsing all json files and filtering the right one myself is a rather tedious and error-prone process.

[justnance]

@hubertgrzeskowiak - Thanks for reaching out. This would be a good feature for the CLI so I'm labeling it as such pending further review and 👍.

[justnance]

@hubertgrzeskowiak - After a second look, I'm curious if you have already tried working with AWS Security Token Service (AWS STS) commands like assume-role or get-session-token ?

When using assume-role, the following command will extract the access key ID, secret access key, and session token to a specific. This can be done manually or via a script. The values can then be assigned as environment variables.:

$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/role-name --role-session-name "RoleSession1" --profile IAM-user-name > assume-role-output.txt

The session token can also be added to an HTTP header or to a query string using a parameter named X-Amz-Security-Token to use Temporary Security Credentials with API Operations.

The temporary security credentials created by get-session-role can be used to make API calls to any AWS service with the following exceptions:

• You cannot call any IAM APIs unless MFA authentication information is included in the request.
• You cannot call any STS API except AssumeRole or GetCallerIdentity .

Please advise if this meets your requirement and use case.

[hubertgrzeskowiak]

if you have already tried working with AWS Security Token Service (AWS STS) commands like assume-role or get-session-token ?

assume-role is what the AWS CLI does internally, I believe. I can assume the same role again from within the role, but that also comes with limitations, e.g. you need to set the right permissions, the duration is capped at 1h etc. get-session-token cannot be called from within a role session - it's only available for account users and IAM users I believe.

When using assume-role, the following command will extract the access key ID, secret access key, and session token to a specific. This can be done manually or via a script. The values can then be assigned as environment variables.:

What you describe is using an IAM user profile to assume the role manually. This works, but you need to know the IAM role and which profile to use to assume it. The beauty of the AWS config is that it hides these implementation details in the credentials and config files. I only need to know the profile that holds the IAM role. This comes especially handy if you want to use a script that has expectations on the AWS profiles, but not the particular users and their roles.

[hubertgrzeskowiak]

I guess we could use aws --profile target configure get source_profile followed by aws --profile ${result_of_previous_call} sts assume-role target_role. This comes at the price of increased complexity though.

[justnance]

@hubertgrzeskowiak - Thanks for the feedback. Relabeling as a Feature Request pending more investigating.

[humblelistener]

Similar situation as @hubertgrzeskowiak. One way of solving this would be to support --target-profile parameter for sts assume-role command.

As an example the command will become,

aws sts assume-role --target-profile target

given a config,

[target]
source_profile=source
role_arn=arn:aws:iam::xxx:role/RandomRole
mfa_serial=arn:aws:iam::xxx:mfa/RandomUser

[source]
aws_access_key_id=xxx
aws_secret_access_key=xxx

[mrw]

Adding my vote for this feature request. It'd be great to get the temporary credentials easily to be able to use in other contexts.

[rhasthimuni]

UP VOTE!!

over a year has passed and this is still an issue. I think it is necessary in vastly common instances to view the cached credential and to use it in another context outside of the cli (eg: a client). Its not like this is a security concern because if you look in the ~/aws/cli/cache/ you can still view these credentials.

As mentioned above, parsing all the cache files to find the right one is a bit tedious and expensive which is a common work around now :P

At least as a minimum expose a command to view the cached temp credentials via aws configure. Because it is kind of already partly being done. ie if you do a aws configure list --profile some_role_profile --debug you can see its actually retrieving the cached credential but only displays the last few characters. We are just saying give us an easy way to view these credentials (key, secret and token).

Peace 👍

[pwillis-els]

I think this is actually a bug more than a feature request.
This feature is needed in order to achieve functional parity with the aws configure command of AWS CLI.

Example below:

# ~/.aws/config
[profile saml]
# aws credentials for this profile are in ~/.aws/credentials
region = us-east-1
output = json

[profile admin]
output = json
role_arn = arn:aws:iam::1234567890:role/SAML-Admin
source_profile = saml

$ aws configure --profile saml list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     saml           manual    --profile
access_key     ****************ABCD shared-credentials-file
secret_key     ****************WXYZ shared-credentials-file
    region                <not set>             None    None

$ aws configure get profile.saml.aws_access_key_id
ABCDEFGHIJKLMNOP

$ aws configure --profile admin list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                admin           manual    --profile
access_key     ****************EFGH      assume-role
secret_key     ****************RSUV      assume-role
    region                <not set>             None    None

$ aws configure get profile.admin.aws_access_key_id
$

Note that AWS CLI will display a preview of both credentials' values, but it can only output one of them.
Thus, some profiles are essentially broken in terms of their CLI functionality.

I think getting feature parity here would be easy code-wise, and provide more uniform functionality.

Thank you

[pwillis-els]

@justnance based on above comment, could this be reclassified as a bug and its priority bumped up? if it required considerable new development i would understand the feature request aspect, but it seems all it's missing is a couple lines of code to display the values already being loaded by the configure function.

thanks

[vhiairrassary]

Ideally, it should also work for SSO credentials: after aws sso login --profile myProfile I would like to be able to get the associated credentials. They are partially visible using:

aws configure --profile myProfile list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                myProfile           manual    --profile
access_key     ****************XXXX              sso
secret_key     ****************YYYY              sso
    region                <not set>             None    None

[xiaket]

For people looking for a quick answer here, this snippet works for me:

python -c "import boto3; creds = boto3.Session().get_credentials().get_frozen_credentials(); print('\n'.join(f'{name}: {getattr(creds, name)}' for name in ['access_key', 'secret_key', 'token']))"

[reegnz]

Awesome @xiaket! Thanks for that inspiration.

And if someone would prefer to have it in json:

python -c "import boto3; import json; print(json.dumps(boto3.Session().get_credentials().get_frozen_credentials()._asdict()))"

Would be great to retrive those credentials with a native aws cli command though.

[tim-finnigan]

Linking related issue: #5261. Not sure if there is enough overlap between these issues for them to be considered duplicates but I think that may be the case.

[tmokmss]

Bit of modification to use credentials in another shell easily:

python3 -c 'import boto3; import json; c=boto3.Session().get_credentials().get_frozen_credentials()._asdict(); print(f"export AWS_ACCESS_KEY_ID=\"%s\"" % c["access_key"]); print(f"export AWS_SECRET_ACCESS_KEY=\"%s\"" % c["secret_key"]); print(f"export AWS_SESSION_TOKEN=\"%s\"" % c["token"])'

Then prints:

export AWS_ACCESS_KEY_ID="xxxxxxxxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxx"
export AWS_SESSION_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxx"

[reegnz]

Seems like workarounds are not necessary anymore to get credentials, #5261 got resolved.
The mechanism implemented in #7398 seems to solve for this issue as well.

How you can get credentials in json form now:

aws configure export-credentials

It essentially uses the same frozen credentials mechanism described in the above comments.
Then you can transform the json credentials with the language of your choice.

For providing env variables, it's natively supported too:

aws configure export-credentials --format env

I think this issue can be resolved.

[tmokmss]

@reegnz
So cool! Good to know that 😄

[tim-finnigan]

Thanks all for following up here, I agree it looks like this can be closed now. Here is the documentation for the aws configure export-credentials command: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/export-credentials.html

[januszm]

I think this may be related, so I'll leave it here. I know this issue is for the CLI but I ended up here looking for a solution for the Ruby client. On a running EC2 instance, e.g. in Elastic Beanstalk platform, where EC2 servers assume role, if you need to print current credentials for the role assumed by the ec2 server user, you can use the Aws::InstanceProfileCredentials like so:

credentials = Aws::InstanceProfileCredentials.new.credentials
aws_credentials = {
  access_key_id: credentials.access_key_id,
  secret_access_key: credentials.secret_access_key,
  region: ENV["AWS_REGION"],
}

[reegnz]

@januszm TBQH with ruby (or any other AWS SDK really) it is even better to use the default credential provider chain:

credentials = Aws::CredentialProviderChain.new.resolve.credentials

Then it works on your local machine with shared credentials, aws sso, credential_process, and also in k8s, in fargate, etc., without having to modify the code each time.