@sebsto
Last active June 9, 2025 18:25
Assume Root on AWS member accounts
#!/bin/bash
# Assume the root user of a member account from the organization's management
# account (or a delegated administrator) and run one read-only call as root.
# Prerequisites: centralized root access is enabled for the organization and the
# caller is allowed sts:AssumeRoot. The temporary session lasts 15 minutes at most.
set -eu
AWS_ACCOUNT_ID=012345678901
# Check if jq is installed
if ! command -v jq &> /dev/null; then
    echo "Error: jq is not installed. Please install jq to parse JSON."
    exit 1
fi
# Credentials go to disk briefly: make the file readable only by this user and
# remove it however the script exits
umask 077
trap 'rm -f credentials.json' EXIT
# ask for temporary credentials for the target account; --output json is explicit
# because the jq parsing below breaks if the CLI's default output is text or table
if ! aws sts assume-root --target-principal "${AWS_ACCOUNT_ID}" \
        --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials \
        --output json > credentials.json; then
    echo "Error: sts assume-root failed for account ${AWS_ACCOUNT_ID}."
    exit 1
fi
# Extract credentials from JSON and set environment variables
# (jq -e exits non-zero for a missing or null key instead of printing "null")
if ! AWS_ACCESS_KEY_ID=$(jq -er '.Credentials.AccessKeyId' credentials.json) \
   || ! AWS_SECRET_ACCESS_KEY=$(jq -er '.Credentials.SecretAccessKey' credentials.json) \
   || ! AWS_SESSION_TOKEN=$(jq -er '.Credentials.SessionToken' credentials.json); then
    echo "Error: Failed to extract one or more credentials from the JSON."
    exit 1
fi
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# Print success message
echo "AWS credentials have been successfully set as environment variables for the rest of this script."
# Run an action as root on the member account
aws sts get-caller-identity
# Reset environment variables
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# do not leave the credentials file behind (the EXIT trap also covers early exits)
rm -f credentials.json
AyhanSetirekli commented Jun 5, 2025

Hi @sebsto, thanks for the script. I've just tried this, and it looks like this fails if you have your default output set to anything other than "json". I've made an update to accept an AWS Account ID along with adding the "--output json" to line 12, see here:
https://gist.github.com/AyhanSetirekli/26117af8bb41a011185ed0ebb60256b3
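
The gist's script performs a single get-caller-identity call and, as the comment above points out, depends on the CLI's default output format. The script below is an added example written for this page; it is not the gist author's code and not an AWS-provided tool. It goes further than the gist: it assumes root in each member account passed on the command line with the same IAMAuditRootUserCredentials task policy, keeps the temporary credentials in memory inside a per-account subshell instead of a credentials.json file, forces --output text with an explicit --query so the caller's default output setting cannot break parsing, and then reports what credentials the member root user actually has. The file name audit-root.sh, the sample account IDs, and the assumption that list-access-keys, list-mfa-devices and get-login-profile are permitted by that task policy are mine; check the policy document in IAM before relying on them.

```shell
#!/usr/bin/env bash
# audit-root.sh (hypothetical name): assume root in each member account given on
# the command line, using the IAMAuditRootUserCredentials task policy, and report
# what credentials the member root user has. Added example, not the gist's code.
# Prerequisites: centralized root access enabled for the organization, and the
# caller runs in the management (or delegated administrator) account with
# permission for sts:AssumeRoot.
set -eu

TASK_POLICY='arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials'
TAB=$(printf '\t')

# AWS account IDs are exactly 12 decimal digits; reject anything else before STS sees it.
valid_account_id() {
    printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Validate one line of `--output text` from:
#   aws sts assume-root ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
# Expects exactly three tab-separated, non-empty fields. Temporary STS access key
# IDs start with "ASIA" (long-term IAM keys start with "AKIA"), so anything else,
# including the "None" the CLI prints for a missing value, is rejected.
# Echoes the validated line so the caller can `read` it.
parse_credentials() {
    IFS="$TAB" read -r ak sk st extra <<EOF
$1
EOF
    if [ -n "$extra" ] || [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ]; then
        return 1
    fi
    case "$ak" in
        ASIA*) ;;
        *) return 1 ;;
    esac
    printf '%s\t%s\t%s\n' "$ak" "$sk" "$st"
}

# Audit one account. The body is a subshell, so the exported temporary
# credentials disappear when the function returns and never touch the disk.
audit_account() (
    account=$1
    if ! valid_account_id "$account"; then
        echo "skip: '$account' is not a 12-digit account ID" >&2
        return 1
    fi
    # Explicit --output text and --query make this independent of the CLI's
    # default output format, which is what broke the gist's json parsing.
    if ! creds=$(aws sts assume-root \
            --target-principal "$account" \
            --task-policy-arn "arn=${TASK_POLICY}" \
            --duration-seconds 900 \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text); then
        echo "$account: sts assume-root failed" >&2
        return 1
    fi
    if ! creds=$(parse_credentials "$creds"); then
        echo "$account: unexpected credential response from STS" >&2
        return 1
    fi
    IFS="$TAB" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$creds
EOF
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

    echo "== $account: $(aws sts get-caller-identity --query Arn --output text)"
    # Root-credential checks. Without --user-name these IAM calls describe the
    # caller, i.e. the member root user. Assumed to be allowed by the
    # IAMAuditRootUserCredentials task policy; confirm against the policy in IAM.
    echo "access keys:      $(aws iam list-access-keys \
        --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text | tr '\n\t' '  ')"
    echo "mfa devices:      $(aws iam list-mfa-devices \
        --query 'MFADevices[].SerialNumber' --output text)"
    if aws iam get-login-profile >/dev/null 2>&1; then
        echo "console password: present"
    else
        echo "console password: none"
    fi
)

main() {
    if ! command -v aws >/dev/null 2>&1; then
        echo "aws CLI not found" >&2
        exit 1
    fi
    failed=0
    for account in "$@"; do
        audit_account "$account" || failed=$((failed + 1))
    done
    echo "done: $# account(s), $failed failure(s)"
    [ "$failed" -eq 0 ]
}

# Usage: ./audit-root.sh 111111111111 222222222222   (sample IDs)
# Nothing runs when no accounts are given, so the functions can be sourced or tested alone.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The audit calls run inside the subshell, so a failure in one account does not leak that account's root credentials into the next iteration, and the exit status tells a scheduler whether every account was checked.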
