amazon-web-servicesgosts

AWS stscreds SDK to refresh credentials for cross account assume roles

I have setup cross account reading kinesis stream, but i get security token expired error when kinesis client is reading records. I used sts assume role to assume roleA in accountA, then use roleA credentials to assume roleB, lastly return the kinesis client, so there is no refresh feature applied to it and the client will expire in 1 hr by default. I looked up the stscreds AssumeRoleProvider and the doc says it will refresh the credentials. But i have no idea on how to refresh the first credential for assumed roleA then refresh the second credential for assumed roleB. Or is it better to call the method to reinitialize the kinesis client?

Here is the code block.

    cfg, err := config.LoadDefaultConfig(
        context.TODO(),
        config.WithRegion("us-west-2"),
    )

    if err != nil {
        return nil, err
    }

    stsclient := sts.NewFromConfig(cfg)

    assumingcnf, err := config.LoadDefaultConfig(
        context.TODO(),
        config.WithRegion("us-west-2"),
        config.WithCredentialsProvider(aws.NewCredentialsCache(
            stscreds.NewAssumeRoleProvider(
                stsclient,
                roleToAssumeArn1,
            )),
        ),
    )
    if err != nil {
        return nil, err
    }

    stsclient = sts.NewFromConfig(assumingcnf)

    cnf, err := config.LoadDefaultConfig(
        context.TODO(),
        config.WithRegion("us-west-2"),
        config.WithCredentialsProvider(aws.NewCredentialsCache(
            stscreds.NewAssumeRoleProvider(
                stsclient,
                roleToAssumeArn2,
            )),
        ),
    )
    if err != nil {
        return nil, err
    }
    kClient := kinesis.NewFromConfig(cnf)
    return kClient
Solution

  • You should be able to do this with the providers provided by AWS. I'm assuming you're using aws-sdk-go-v2.

    This would make the resulting CredentialsProvider return the cached credentials until they expire; then it will call provider2, which uses sts2 to get new credentials for roleB, and sts2 will always first call provider1 first to get new credentials for roleA.

    func createProvider(cfg aws.Config) aws.CredentialsProvider {
    sts1 := sts.NewFromConfig(cfg)
    provider1 := stscreds.NewAssumeRoleProvider(sts1, "roleA")
    sts2 := sts.NewFromConfig(cfg, func (o *sts.Options) { o.Credentials = provider1 })
    provider2 := stscreds.NewAssumeRoleProvider(sts2, "roleB")
    return aws.NewCredentialsCache(provider2)
}