What's the easiest way to create a session from AssumeRole response? #801

Closed
tleyden opened this issue Aug 12, 2016 · 5 comments

tleyden commented Aug 12, 2016

Here's how I'm creating a session from an AssumeRole response:

    session, err := session.NewSession()
    if err != nil {
        return nil, err
    }

    stsService := sts.New(session, &aws.Config{Region: aws.String(p.AWSRegion)})

    // Request temporary credentials for the role.
    params := &sts.AssumeRoleInput{
        RoleArn:         aws.String("arn:aws:iam::1234:role/foo"),
        RoleSessionName: aws.String("mysession"),
        ExternalId:      aws.String("myexternalid"),
    }
    resp, err := stsService.AssumeRole(params)
    if err != nil {
        return nil, err
    }

    // Wrap the returned credentials in the custom provider shown below.
    provider := NewAssumeRoleCredentialsProvider(resp.Credentials)

    ec2Service := ec2.New(session,
        &aws.Config{
            Region:      aws.String(p.AWSRegion),
            Credentials: credentials.NewCredentials(provider),
        },
    )

    // etc ..

The NewAssumeRoleCredentialsProvider() call is to create a custom credentials.Provider that I had to create:

    import (
        "time"

        "github.com/aws/aws-sdk-go/aws/credentials"
        "github.com/aws/aws-sdk-go/service/sts"
    )

    func NewAssumeRoleCredentialsProvider(creds *sts.Credentials) *AssumeRoleCredentialsProvider {
        return &AssumeRoleCredentialsProvider{
            AssumeRoleCredentials: creds,
        }
    }

    // AssumeRoleCredentialsProvider serves the credentials from a single
    // AssumeRole response; it cannot renew them once they expire.
    type AssumeRoleCredentialsProvider struct {
        AssumeRoleCredentials *sts.Credentials
    }

    // Retrieve implements credentials.Provider.
    func (c AssumeRoleCredentialsProvider) Retrieve() (credentials.Value, error) {
        return credentials.Value{
            AccessKeyID:     *c.AssumeRoleCredentials.AccessKeyId,
            SecretAccessKey: *c.AssumeRoleCredentials.SecretAccessKey,
            SessionToken:    *c.AssumeRoleCredentials.SessionToken,
            ProviderName:    "AssumeRoleCredentialsProvider",
        }, nil
    }

    // IsExpired implements credentials.Provider. It reports true once the
    // STS expiration time is in the past (Before, not After, time.Now()).
    func (c AssumeRoleCredentialsProvider) IsExpired() bool {
        return c.AssumeRoleCredentials.Expiration.Before(time.Now())
    }

Is there already the equivalent of AssumeRoleCredentialsProvider somewhere in the API that I can use? Or a less awkward way of doing this?

Sorry if this isn't the best place to ask .. if not let me know where to ask questions like these.

@jasdel jasdel added the guidance Question that needs advice or information. label Aug 12, 2016
Contributor

jasdel commented Aug 12, 2016

Hi @tleyden thanks for reaching out to us. This is a great place to ask questions, and contribute. With v1.3.0 the SDK now supports loading assume roles derived from the Shared Config files ~/.aws/config and ~/.aws/credentials. See the SDK's sessions wiki page for more information on this change.

Assuming a role from the shared config is great if you have access to those files, or want to create a session from them.

Alternatively if your use case needs the sessions to be created at runtime dynamically the SDK provides the stscreds.AssumeRoleProvider type that should make using assume roles much easier.

The way a session will set up assume role from the shared config is a good example of how to set up a stscreds.AssumeRoleProvider.

@jasdel jasdel added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 12, 2016
@jasdel jasdel self-assigned this Aug 12, 2016
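
Added example (not part of the thread and not SDK code): a standard-library-only Go model of why a provider that wraps one AssumeRole response and a provider that calls STS again behave differently once the temporary credentials expire. `Value`, `Provider` and `Cache` are simplified stand-ins for the SDK's credentials types, `Assume` is a hypothetical stand-in for the STS call, and all values are constructed.

```go
package main

import (
	"fmt"
	"time"
)

var now = time.Now // replaceable clock, so expiry can be exercised without waiting

// Value and Provider are stand-ins shaped like the SDK's credentials types.
type Value struct{ AccessKeyID, SessionToken string }
type Provider interface {
	Retrieve() (Value, error)
	IsExpired() bool
}

// Cache models the caching wrapper: Retrieve runs again only after IsExpired.
type Cache struct{ P Provider; v Value; loaded bool }

func (c *Cache) Get() (v Value, err error) {
	if !c.loaded || c.P.IsExpired() {
		c.v, err = c.P.Retrieve()
		c.loaded = err == nil
	}
	return c.v, err
}

// Static wraps one AssumeRole response; Retrieve can only replay it.
type Static struct{ V Value; Expires time.Time }

func (s *Static) Retrieve() (Value, error) { return s.V, nil }
func (s *Static) IsExpired() bool          { return !now().Before(s.Expires) }

// Refreshing re-assumes the role on each Retrieve and reports expiry Window early.
type Refreshing struct {
	Assume  func() (Value, time.Time, error) // hypothetical stand-in for the STS call
	Window  time.Duration
	expires time.Time
}

func (r *Refreshing) Retrieve() (v Value, err error) {
	v, r.expires, err = r.Assume()
	return v, err
}
func (r *Refreshing) IsExpired() bool { return !now().Before(r.expires.Add(-r.Window)) }

func main() {
	c := Cache{P: &Static{V: Value{"AKIDEXAMPLE", "tok-1"}, Expires: now().Add(-time.Hour)}}
	fmt.Println(c.Get()) // the lapsed token is still handed out: Static cannot renew it
}
```

A long-running process built on the static wrapper keeps signing requests with the lapsed token after expiry, while the refreshing provider obtains a new one shortly before the old one lapses.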
Author

tleyden commented Aug 14, 2016

Ok thanks! I think stscreds.AssumeRoleProvider is exactly what I was looking for.

@tleyden tleyden closed this as completed Aug 14, 2016
@diehlaws diehlaws removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jan 30, 2019
skotambkar added a commit to skotambkar/aws-sdk-go that referenced this issue May 20, 2021

ddrocco commented Sep 18, 2021

It's been more than 5 years, and the AWS golang SDK is still incomprehensible with regards to how to do this more natively. I stared at the stscreds.AssumeRoleProvider file for 20 minutes and still can't figure it out.
@tleyden's code did the job though - thank you! :D


vinodcc commented Oct 6, 2021

Thanks very much, the above example helped me. For the benefit of others, I have used stscreds.AssumeRoleProvider to create a session in this way.

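    // Base session: NewCredentials builds its STS client from this session,
    // so it has to be created before the assumed-role session.
    baseSess, err := session.NewSession()
    if err != nil {
        return nil, err
    }

    // Session whose credentials come from the assumed role.
    sess, err := session.NewSession(&aws.Config{
        Credentials: stscreds.NewCredentials(
            baseSess,
            "arn:aws:iam::1234:role/foo",
            func(provider *stscreds.AssumeRoleProvider) {
                provider.RoleSessionName = "mysession"
            },
        ),
        Region: aws.String("us-west-2"),
    })
    if err != nil {
        return nil, err
    }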

The sess object has been used to create other aws service clients for accessing aws services.


AlbertKostusev commented Jan 5, 2022

The example above worked for me when I also added provider.RoleARN = "your-role" to the stscreds.AssumeRoleProvider function
