How to add Assume role in VSCode to get temporary access to AWS?

Hi, this is Charu from Classmethod.

Before moving on to the topic, I will tell you what I used to do to connect to AWS. I used to type aws configure in the terminal and then enter my access key and secret access key. This method is totally unsafe to perform. You can easily put your credentials at risk. To avoid this, we will be using assume role technique. It uses AWS CLI to obtain temporary credentials which can be used for authentication while connecting to AWS.

Let's get Started:

To get started, we will first look into our config and credentials file. The data in these files are necessary for the assume role command.

Type cat ~/.aws/config and check the content. It should look something like this,


region = ap-northeast-1
mfa_serial = arn:aws:iam::xxxxxxxxxxxx:mfa/abc
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/abc
source_profile = default

You can go to IAM > Roles, select your role and click on the Edit button to set the session duration.

You can find your mfa_serial(root account) and role_arn(switch role) from the AWS console respectively as shown below,

Let's check our credentials file next. Type cat ~/.aws/credentials in the terminal. It should look something like this,

aws_access_key_id = xxxxxxxxxx
aws_secret_access_key = yyyyyyyyyy

Now, the command to enable assume role is,


AWS_STS_CREDENTIALS=`aws sts assume-role \
  --profile default \
  --role-arn $(aws configure get ${AWS_PROFILE}.role_arn) \
  --role-session-name ${AWS_PROFILE}-session \
  --serial-number $(aws configure get ${AWS_PROFILE}.mfa_serial) \
  --duration-seconds $((60*60*12)) \
  --token-code ${tokenCode}`
export AWS_ACCESS_KEY_ID=`echo "${AWS_STS_CREDENTIALS}" | jq -r '.Credentials.AccessKeyId'`
export AWS_SECRET_ACCESS_KEY=`echo "${AWS_STS_CREDENTIALS}" | jq -r '.Credentials.SecretAccessKey'`
export AWS_SESSION_TOKEN=`echo "${AWS_STS_CREDENTIALS}" | jq -r '.Credentials.SessionToken'`

Enter the PROFILE_NAME and the TOKEN_CODE_NUMBER which is your MFA code(check your MFA device). The token code is necessary if the role you are assuming requires MFA.

Let's break down the command and try to understand it,

  • aws sts assume-role is used to provide the temporary security credentials and it's output is stored in AWS_STS_CREDENTIALS.
  • --profile default specifies the AWS CLI profile you want to use.
  • --role-arn specifies the Amazon Resource Name (ARN) of the role to assume. It is fetching the role-arn through aws configure get ${AWS_PROFILE}.role_arn command.
  • --role-session-name sets a session name. It can be used for future auditing.
  • --serial-number specifies the serial number of the Multi-Factor Authentication (MFA) device. It is retrieving the number dynamically from aws configure get ${AWS_PROFILE}.mfa_serial command.
  • --duration-seconds sets the duration, in seconds, for which the credentials should remain valid. Here it is set to 12 hours (606012). We have set it through the console too(in the start of the blog).
  • --token-code is the MFA code you provided earlier.
  • The export commands extract the AccessKeyId, SecretAccessKey, and SessionToken from the AWS_STS_CREDENTIALS JSON output using jq, a command-line JSON processor. Each of these extracted values is then exported as an environment variable (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN). These environment variables are used by the AWS CLI and SDKs to authenticate your requests.

    If you get an error saying jq not found, you can install it by typing,

    brew install jq

  • Finally, it unsets the AWS_PROFILE environment variable. This is important because if AWS_PROFILE is set, it can override the credentials provided by AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, causing your AWS CLI or SDK to use the wrong credentials.
  • Once this command this executed, you will be able to use the assume role.

    Thank you for reading!

    Happy Learning:)