Closed
Description
Feature description
The AWS_ROLE_ARN environment variable was recently added with the introduction of the web identity credential provider. It would be great if the AWS_ROLE_ARN environment variable could also be used with the environment credential provider. This allows environments where disk access is not available or read-only to assume a role without a shared configuration file.
An example workflow, given the following environment:
AWS_ACCESS_KEY_ID=AK...
AWS_SECRET_ACCESS_KEY=...
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/example
The environment credential provider would use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials to assume the given AWS_ROLE_ARN.
Describe alternatives you've considered
Creating our own application-specific environment variable(s) (e.g. AWS_ROLE_ARN or TF_AWS_ROLE_ARN) to trigger assuming a role automatically, at the risk of:
- Naming collisions and logic issues if within the AWS_ namespace and default AWS Go SDK behavior
- Maintaining our own environment variables which do not benefit the larger AWS SDK/CLI ecosystem
- Long-term code deprecation and user burden of switching off our own environment variables if/when properly implemented in the AWS Go SDK
Additional context
References:
- aws/session: Add support for assuming role via Web Identity Tokens aws-sdk-go#2667
- https://github.com/aws/aws-sdk-go/pull/2667/files#r299696333
- added role_arn env vars hashicorp/terraform#21718
- Add env vars for assume_role block hashicorp/terraform-provider-aws#8985
- Allow configuring assume role from env variables hashicorp/terraform-provider-aws#9208
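The following is an added illustration of the workflow requested in the feature description (static keys from the environment, exchanged for temporary credentials when AWS_ROLE_ARN is also set). It is not aws-sdk-go code: `Credentials`, `EnvRoleProvider` and `AssumeRoleFunc` are assumed names that only mirror the Retrieve/IsExpired shape of the SDK's `credentials.Provider`, and the STS call is injected so the example runs offline.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Credentials models the SDK's credentials.Value plus an expiry (illustrative, not SDK code).
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiry                                     time.Time // zero for static keys
}

// AssumeRoleFunc stands in for an STS AssumeRole call signed with the source keys.
type AssumeRoleFunc func(source Credentials, roleARN string) (Credentials, error)

var roleARN = regexp.MustCompile(`^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$`)

// EnvRoleProvider: static keys from the environment, exchanged for role credentials when AWS_ROLE_ARN is set.
type EnvRoleProvider struct {
	Getenv func(string) string // injected so the example runs without a real environment
	Call   AssumeRoleFunc
	cached Credentials
}

// IsExpired is true when no role credentials are cached or they are within 5 minutes of expiry.
func (p *EnvRoleProvider) IsExpired() bool {
	return p.cached.AccessKeyID == "" || time.Now().Add(5*time.Minute).After(p.cached.Expiry)
}

// Retrieve follows the SDK's credentials.Provider contract.
func (p *EnvRoleProvider) Retrieve() (Credentials, error) {
	id, secret := p.Getenv("AWS_ACCESS_KEY_ID"), p.Getenv("AWS_SECRET_ACCESS_KEY")
	if id == "" || secret == "" {
		return Credentials{}, fmt.Errorf("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set")
	}
	static := Credentials{AccessKeyID: id, SecretAccessKey: secret, SessionToken: p.Getenv("AWS_SESSION_TOKEN")}
	arn := p.Getenv("AWS_ROLE_ARN")
	if arn == "" {
		return static, nil // current behaviour: the env provider hands back the keys unchanged
	}
	if !roleARN.MatchString(arn) {
		return Credentials{}, fmt.Errorf("AWS_ROLE_ARN %q is not an IAM role ARN", arn)
	}
	if p.IsExpired() { // the static keys only ever sign the AssumeRole call
		creds, err := p.Call(static, arn)
		if err != nil {
			return Credentials{}, err
		}
		p.cached = creds
	}
	return p.cached, nil
}
```

Callers that only ever see the temporary role credentials get least privilege for free: the long-lived keys are used solely to sign AssumeRole, and a malformed AWS_ROLE_ARN fails fast instead of silently falling back to the static keys.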