
Using a profile that assumes a role in aws-sdk (AWS JavaScript SDK)


Using the AWS SDK for JavaScript, I want to use a default profile that assumes a role. This works perfectly with the AWS CLI. Using Node.js with the SDK does not assume the role, but only uses credentials to the AWS account that the access key belongs to. I've found this documentation but it does not deal with assuming a role: Loading Credentials in Node.js from the Shared Credentials File

Any tips?

This is my config file:

[default]
role_arn = arn:aws:iam::123456789:role/Developer
source_profile = default
output = json
region = us-east-1

Solution

  • The CLI and SDK work differently, in that you must explicitly assume the role when using the SDK. The SDK doesn't automatically assume the role from the config as the CLI does.

    After the role is assumed, the AWS.config must be updated with the new credentials.

    This works for me:

    var AWS = require('aws-sdk');
    AWS.config.region = 'us-east-1';
    
    var sts = new AWS.STS();
    sts.assumeRole({
      RoleArn: 'arn:aws:iam::123456789:role/Developer',
      RoleSessionName: 'awssdk'
    }, function(err, data) {
      if (err) { // an error occurred
        console.log('Cannot assume role');
        console.log(err, err.stack);
      } else { // successful response
        AWS.config.update({
          accessKeyId: data.Credentials.AccessKeyId,
          secretAccessKey: data.Credentials.SecretAccessKey,
          sessionToken: data.Credentials.SessionToken
        });
      }
    });
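
The credentials returned by `assumeRole` are temporary and carry an `Expiration`, so values copied once into `AWS.config` stop working when the session ends. The following is an added example, not part of the original answer: it caches the AssumeRole result and renews it shortly before expiry. The names `createRoleCredentialProvider` and `makeFakeSts` and the five-minute refresh margin are assumptions made for illustration.

```javascript
// Added example: caches AssumeRole credentials and renews them before they expire.
// `sts` is any client exposing the SDK v2 call shape sts.assumeRole(params).promise().
function createRoleCredentialProvider(sts, params, options = {}) {
  const refreshWindowMs = options.refreshWindowMs ?? 5 * 60 * 1000; // assumed margin
  const now = options.now ?? Date.now; // injectable clock, useful for testing
  let cached = null;   // same key names the answer passes to AWS.config.update, plus expiration
  let inFlight = null; // shared promise so concurrent callers trigger one STS call

  function isFresh(creds) {
    return creds !== null && creds.expiration.getTime() - now() > refreshWindowMs;
  }

  async function refresh() {
    const data = await sts.assumeRole(params).promise();
    const c = data && data.Credentials;
    if (!c || !c.AccessKeyId || !c.SecretAccessKey || !c.SessionToken) {
      throw new Error('AssumeRole response did not contain temporary credentials');
    }
    cached = {
      accessKeyId: c.AccessKeyId,
      secretAccessKey: c.SecretAccessKey,
      sessionToken: c.SessionToken,
      expiration: new Date(c.Expiration),
    };
    return cached;
  }

  return function getCredentials() {
    if (isFresh(cached)) return Promise.resolve(cached);
    if (!inFlight) {
      // Clear the marker on success or failure so a failed call can be retried.
      inFlight = refresh().finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Constructed stand-in for AWS.STS so the example runs offline; it counts calls.
function makeFakeSts(clock, lifetimeMs) {
  const fake = { calls: 0 };
  fake.assumeRole = () => ({
    promise: async () => {
      fake.calls += 1;
      return { Credentials: {
        AccessKeyId: 'ASIAEXAMPLE' + fake.calls, SecretAccessKey: 'constructed-secret',
        SessionToken: 'constructed-token', Expiration: new Date(clock() + lifetimeMs),
      } };
    },
  });
  return fake;
}
```

With the real SDK, pass `new AWS.STS()` as `sts` together with the same `RoleArn` and `RoleSessionName` parameters used in the answer.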