
I am trying to assume an AWS role within a CI/CD pipeline, hence I have to write a script to change the role via a script. Below is the script to do that, and I used source <script>.sh to replace the existing AWS access & secret keys, and add the session key.

I checked that the 3 env variables are there by echoing them in the terminal.

#!/bin/bash

output="/tmp/assume-role-output.json"

aws sts assume-role --role-arn "arn:aws:iam::<account-id>:role/<rolename>" --role-session-name AWSCLI-Session > $output
AccessKeyId=$(cat $output | jq '.Credentials''.AccessKeyId')
SecretAccessKey=$(cat $output | jq '.Credentials''.SecretAccessKey')
SessionToken=$(cat $output | jq '.Credentials''.SessionToken')

export AWS_ACCESS_KEY_ID=$AccessKeyId
export AWS_SECRET_ACCESS_KEY=$SecretAccessKey
export AWS_SESSION_TOKEN=$SessionToken

However, when I tried running a simple aws command to list ECR images aws ecr list-images --registry-id <id> --repository-name <name>, it gave the following error message.

An error occurred (UnrecognizedClientException) when calling the ListImages operation: 
The security token included in the request is invalid.

I tried manually setting the AWS keys and token in the terminal, and surprisingly the ecr list command works.

export AWS_ACCESS_KEY_ID="XXX"
export AWS_SECRET_ACCESS_KEY="XXX"
export AWS_SESSION_TOKEN="XXX"

Does anyone know what is wrong with my script?

Jake
  • When you source your script check the exported ENV variables to see if they match what the manual entries are. – l'L'l Jan 25 '21 at 07:50

1 Answer


If you use jq the way you do, your export values will contain quotation marks, e.g.

"ASIASZHPM3IXQXXOXFOY"

rather than:

ASIASZHPM3IXQXXOXFOY

To avoid this, you have to add the -r flag to jq:

AccessKeyId=$(cat $output | jq -r '.Credentials''.AccessKeyId')
SecretAccessKey=$(cat $output | jq -r '.Credentials''.SecretAccessKey')
SessionToken=$(cat $output | jq -r '.Credentials''.SessionToken')
Marcin