Assume an IAM role. An interesting way of doing IAM roles is to give the instance permissions to assume another role, but no actual permissions by default. I got this idea while setting up security monkey: http://securitymonkey.readthedocs.org/en/latest/quickstart1.html#setup-iam-roles.

iam-assume-role.sh

#!/bin/bash
#
# Assume the given role, and print out a set of environment variables
# for use with aws cli.
#
# To use:
#
#      $ eval $(./iam-assume-role.sh)
#

set -e

# Clear out existing AWS session environment, or the awscli call will fail
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
# Old ec2 tools use other env vars
unset AWS_ACCESS_KEY AWS_SECRET_KEY AWS_DELEGATION_TOKEN

ROLE="${1:-SecurityMonkey}"
ACCOUNT="${2:-123456789}"
DURATION="${3:-900}"
NAME="${4:-$LOGNAME@`hostname -s`}"

# KST=access*K*ey, *S*ecretkey, session*T*oken
KST=(`aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE" \
                          --role-session-name "$NAME" \
                          --duration-seconds $DURATION \
                          --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
                          --output text`)
                          
echo 'export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}'
echo "export AWS_ACCESS_KEY_ID='${KST[0]}'"
echo "export AWS_ACCESS_KEY='${KST[0]}'"
echo "export AWS_SECRET_ACCESS_KEY='${KST[1]}'"
echo "export AWS_SECRET_KEY='${KST[1]}'"
echo "export AWS_SESSION_TOKEN='${KST[2]}'"      # older var seems to work the same way
echo "export AWS_SECURITY_TOKEN='${KST[2]}'"
echo "export AWS_DELEGATION_TOKEN='${KST[2]}'"

It is reasonable to leave line 14 in if you logged in via a federated token in the first place.

Hi!

Another way to achieve the same result:

Write a profile, which automatically assumes the role.
aws configure --profile new-profile set role_arn arn:aws:iam::$ACCOUNT:role/$ROLE

To give credentials to the new profile, you must use one of the following lines:

1. aws configure --profile new-profile set source_profile default
2. aws configure --profile new-profile set credential_source Ec2InstanceMetadata
3. aws configure --profile new-profile set credential_source EcsContainer

Line 1) was correct on my personal pc, because I used the default profile.
Line 3) was correct when I tested the code with AWS CodeBuild. The new profile used the credentials of the codepipeline-role.

Afterwards, you may use the new profile, example:
aws --profile new-profile s3 ls s3://bucket-in-target-account

Documentation: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles

Regards, maccopper2

3. aws configure --profile new-profile set credential_source EcsContainer

For posterity, it's also worth mentioning that this particular command also works when assuming roles in CodeBuild when running commands from a buildspec.