{"id":15703,"date":"2025-09-12T12:08:54","date_gmt":"2025-09-12T06:38:54","guid":{"rendered":"https:\/\/www.skynats.com\/?p=15703"},"modified":"2025-09-15T11:17:14","modified_gmt":"2025-09-15T05:47:14","slug":"how-do-i-assume-an-iam-role-using-the-aws-cli","status":"publish","type":"post","link":"https:\/\/www.skynats.com\/blog\/how-do-i-assume-an-iam-role-using-the-aws-cli\/","title":{"rendered":"How do I assume an IAM role using the AWS CLI"},"content":{"rendered":"\n<h2 class=\"wp-block-heading has-small-font-size\" id=\"h-introduction\"><strong>Introduction<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cross-account access is a common need in AWS environments\u2014especially when managing resources across multiple accounts. This guide walks you through securely assuming an IAM role in a destination AWS account from a source account, using the AWS CLI and temporary credentials.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\" id=\"h-prerequisites\"><strong>Prerequisites<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You have an IAM user in the source account with permissions to assume a role in the destination account.<\/li>\n\n\n\n<li>The destination account has a trust policy allowing the source IAM user or role to assume the role (e.g., S3MigrationRole).<\/li>\n\n\n\n<li>The <a href=\"https:\/\/aws.amazon.com\/\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-secondary-color\">AWS<\/mark><\/a> CLI is installed.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\" id=\"h-step-1-install-the-aws-cli\"><strong>Step 1: Install the AWS CLI<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you haven&#8217;t already, install the AWS CLI.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Verify the installation:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>aws --version<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading 
has-small-font-size\"><strong>Step 2: Configure the AWS CLI with IAM User Credentials<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use the IAM user credentials from the <strong>source account<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>aws configure<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You\u2019ll be prompted for four inputs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>AWS Access Key ID &#91;None]: AKIA**********MPLE\nAWS Secret Access Key &#91;None]: wJalrXUtnFEMI\/K7MDENG\/bPxRfiCY*********KEY\nDefault region name &#91;None]: us-west-2\nDefault output format &#91;None]: json<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can choose your region (e.g., us-east-1, us-west-2, etc.)<\/li>\n\n\n\n<li>JSON is recommended for scripting and parsing.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\"><strong>Step 3: Assume the IAM Role in the Destination Account<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use the following command to assume a role (e.g., S3MigrationRole) in another AWS account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>aws sts assume-role \\\n  --role-arn \"arn:aws:iam::&lt;destination-account-id&gt;:role\/S3MigrationRole\" \\\n  --role-session-name \"AWSCLI-Session\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Replace &lt;destination-account-id&gt; with the actual AWS account ID.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\"><strong>Step 4: Export Temporary Credentials to Environment Variables<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">From the JSON output obtained from the previous command, copy the values under the Credentials block and set them as environment variables:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>export AWS_ACCESS_KEY_ID=\"ASIA***********EXAMPLE\"\nexport AWS_SECRET_ACCESS_KEY=\"wJalrXUtnFEMI\/K7MDENG\/bPxRfiCY*********KEY\"\nexport 
AWS_SESSION_TOKEN=\"IQoJb3JpZ2luX2VjE***********TOKEN\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">These credentials allow you to operate <strong>as the assumed role<\/strong> for a limited time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\"><strong>Step 5: Verify Your Identity<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To ensure you&#8217;re operating under the correct role, run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>aws sts get-caller-identity<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Expected output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n    \"UserId\": \"AROAEXAMPLE:AWSCLI-Session\",\n    \"Account\": \"&lt;destination-account-id&gt;\",\n    \"Arn\": \"arn:aws:sts::&lt;destination-account-id&gt;:assumed-role\/S3MigrationRole\/AWSCLI-Session\"\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If you see the assumed role ARN, everything is working as expected.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These temporary credentials are short-lived. Once they expire, you\u2019ll need to re-run the assume-role command and export the new credentials.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Using the AWS CLI and sts assume-role is a powerful and secure way to manage cross-account access in AWS. By leveraging temporary credentials, you reduce the risk of long-lived secrets and operate with scoped, time-bound access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Whether you&#8217;re migrating S3 buckets, automating backups, or deploying infrastructure across environments, assuming roles via the CLI is a foundational skill for any AWS practitioner.<br>Mastering IAM with the AWS CLI can streamline role management and enhance cloud security. 
If you need expert guidance, we offer reliable <a href=\"https:\/\/www.skynats.com\/aws-management\/\">AWS Management Services<\/a> to help you configure, troubleshoot, and optimize your AWS environment. Contact us today for tailored support.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Cross-account access is a common need in AWS environments\u2014especially when managing resources across multiple accounts. This guide walks you through securely assuming an IAM role in a destination AWS account from a source account, using the AWS CLI and temporary credentials. Prerequisites Step 1: Install the AWS CLI If you haven&#8217;t already, install [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[722,730,1006,1099,1100],"class_list":["post-15703","post","type-post","status-publish","format-standard","hentry","category-blog","tag-aws","tag-aws-cli","tag-aws-management-services","tag-cli","tag-iam"],"_links":{"self":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts\/15703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/comments?post=15703"}],"version-history":[{"count":3,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts\/15703\/revisions"}],"predecessor-version":[{"id":15712,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts\/15703\/revisions\/15712"}],"wp:attachment":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/media?parent=15703"}],"wp:term":[{"taxonomy"
:"category","embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/categories?post=15703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/tags?post=15703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}