When you assume a role with AWS, you can optionally provide an IAM policy.
If you pass a policy, the temporary security credentials that are returned by the operation have the permissions that are allowed by both (the intersection of) the access policy of the role that is being assumed, and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed.
This would let me create temporary credentials with scoped permissions. Particularly handy for one-off tasks that you don't want to create a new role for, but want least privilege. Another use case is documenting an IAM policy for your project that other users can start with aws-vault, so that it's clear what permissions your service requires.
An example using the AWS CLI:
What I'd like to be able to do:
I'm happy to create a PR for this option, and add it to the `exec` command. Any thoughts?

I don't like how the AWS CLI expects JSON as a string, and I would just specify a filename instead.
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html#options
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
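A simplified model of the intersection rule quoted above, added here as an example (not code from this issue or from aws-vault). It assumes policies that use only `Effect`, `Action` and `Resource`; the function names, sample policies and bucket name are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    action_hit = any(fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(stmt["Action"]))
    resource_hit = any(fnmatchcase(resource, p)
                       for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit

def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' for a single policy document."""
    decision = "NoMatch"
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision

def session_allows(role_policy, session_policy, action, resource):
    """A request is allowed only if BOTH policies allow it (the intersection)."""
    return all(policy_decision(p, action, resource) == "Allow"
               for p in (role_policy, session_policy))

# Constructed sample: the role grants broad S3 access.
ROLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}""")

# Constructed sample: the passed policy narrows S3 to reads on one bucket and
# also tries to add an EC2 permission the role does not have.
SESSION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}]}""")

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("ec2:DescribeInstances", "*"),
    ]:
        print(action, resource,
              session_allows(ROLE_POLICY, SESSION_POLICY, action, resource))
```

Real IAM evaluation also considers conditions, `NotAction`/`NotResource`, permission boundaries and resource-based policies, none of which this model covers.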