Support AWS_ROLE_ARN Environment Variable with Environment Credential Provider #2867

Closed
bflad opened this issue Aug 29, 2019 · 8 comments
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue

bflad commented Aug 29, 2019

Feature description

The AWS_ROLE_ARN environment variable was recently added with the introduction of the web identity credential provider. It would be great if the AWS_ROLE_ARN environment variable could also be used with the environment credential provider. This allows environments where disk access is not available or read-only to assume a role without a shared configuration file.

An example workflow, given the following environment:

AWS_ACCESS_KEY_ID=AK...
AWS_SECRET_ACCESS_KEY=...
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/example

The environment credential provider would use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials to assume the given AWS_ROLE_ARN.

Describe alternatives you've considered

Creating our own application-specific environment variable(s) (e.g. AWS_ROLE_ARN or TF_AWS_ROLE_ARN) to trigger assuming a role automatically, at the risk of:

  • Naming collisions and logic issues if within AWS_ namespace and default AWS Go SDK behavior
  • Maintaining our own environment variables which do not benefit the larger AWS SDK/CLI ecosystem
  • Long-term code deprecation and user burden of switching off our own environment variables if/when properly implemented in the AWS Go SDK

Additional context

References:

@jakauppila

It seems like it would make sense to include AWS_ROLE_SESSION_NAME along with this as well.
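
The workflow proposed in the issue, together with the AWS_ROLE_SESSION_NAME suggestion in the comment above, sketched as a stand-alone resolver that validates the role ARN and session name before deciding how credentials would be obtained. This is an added example, not code from the AWS SDK or from any participant in this thread; `Plan`, `PlanFromEnv`, the mode strings, the default session name and the precedence given to AWS_WEB_IDENTITY_TOKEN_FILE are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// IAM role ARN (arn:<partition>:iam::<12-digit account>:role/[path/]name) and
// the STS RoleSessionName constraint (2-64 characters from [\w+=,.@-]).
var roleARNRe = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/([\w+=,.@/-]{1,512})$`)
var sessionRe = regexp.MustCompile(`^[\w+=,.@-]{2,64}$`)

// Plan is a hypothetical description of how credentials would be obtained.
type Plan struct{ Mode, Account, SessionName string }

// PlanFromEnv is a hypothetical resolver for the proposed behaviour, not SDK code.
func PlanFromEnv(env map[string]string) (Plan, error) {
	arn, sess := env["AWS_ROLE_ARN"], env["AWS_ROLE_SESSION_NAME"]
	hasKeys := env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != ""
	if arn == "" {
		if !hasKeys {
			return Plan{}, errors.New("no credentials in environment")
		}
		return Plan{Mode: "static"}, nil // plain environment credentials
	}
	m := roleARNRe.FindStringSubmatch(arn)
	if m == nil { // reject user ARNs, truncated values, stray whitespace
		return Plan{}, fmt.Errorf("AWS_ROLE_ARN %q is not an IAM role ARN", arn)
	}
	if sess == "" {
		sess = "env-assume-role" // assumed default; a fixed name weakens CloudTrail attribution
	} else if !sessionRe.MatchString(sess) {
		return Plan{}, errors.New("AWS_ROLE_SESSION_NAME violates STS constraints")
	}
	p := Plan{Account: m[2], SessionName: sess}
	switch {
	case env["AWS_WEB_IDENTITY_TOKEN_FILE"] != "":
		p.Mode = "web-identity" // assumed: the existing meaning of AWS_ROLE_ARN wins
	case hasKeys:
		p.Mode = "assume-role" // proposed: env keys are the source credentials
	default:
		return Plan{}, errors.New("AWS_ROLE_ARN set without source credentials")
	}
	return p, nil
}

func main() { // constructed sample environment mirroring the issue's workflow
	fmt.Println(PlanFromEnv(map[string]string{"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
		"AWS_SECRET_ACCESS_KEY": "example", "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/example"}))
}
```

The target account ID is surfaced in the plan so a deployment can compare it against an allow-list before any role is assumed.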

@ashafer01

👍 to making AssumeRole more transparent. I'd love to be able to tell my app developers "just use this credential provider class" and then give me the ability to fully determine what identity their code runs as, and how it obtains that identity, entirely by setting environment variables.

@mdross95

Any update with this? This functionality would be very useful in deployed envs i.e. k8s to be able to start sessions for specific profiles in code without needing to use a filesystem (for the shared config file).

@lmmattr

lmmattr commented Oct 19, 2020

This would definitely make my pipelines easier as with a lot of them I have to download the cli to then assume a role to then use with a deploy utility. Making this available would remove the need for us to assume a role with packages that use the SDK internally to manage credentials.

@RanVaknin
Contributor

Hi @bflad,

Thanks for the feature request. I think this is a reasonable request; however, this will need to be a cross-SDK effort and will require multi-team planning.

I'm going to transfer this into the Cross SDK repo for further consideration.

Thanks,
Ran~

@RanVaknin RanVaknin self-assigned this Feb 13, 2023
@RanVaknin RanVaknin transferred this issue from aws/aws-sdk-go Feb 13, 2023
@RanVaknin RanVaknin assigned indrora and unassigned RanVaknin Sep 25, 2023
@RanVaknin RanVaknin assigned debora-ito and unassigned indrora Mar 1, 2024
@debora-ito debora-ito added the p2 This is a standard priority issue label Aug 30, 2024
@debora-ito
Member

Transferring this to the SDK for Go v2 repo.

@debora-ito debora-ito transferred this issue from aws/aws-sdk Oct 30, 2024
@lucix-aws
Contributor

Go v2 definitely supports these today, closing.
