Exec module for assume role.

async, ctx, role_arn: str, role_session_name: str, *, policy_arns: List[Dict[str, Any]] = None, policy: str = None, duration_seconds: int = None, tags: List[Dict[str, str]] = None, transitive_tag_keys: List[str] = None, external_id: str = None, serial_number: str = None, token_code: str = None, source_identity: str = None) Dict[str, Any][source]#

Returns a set of temporary security credentials to access AWS resources that you might not normally have access to.

  • role_arn (str) – The ARN of the role to assume to access AWS resources.

  • role_session_name (str) – An identifier for the assumed role session. Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons.

  • policy_arns (list[dict[str, Any]], Optional) – The ARNs of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.

  • policy (str, Optional) – An IAM policy in JSON format that you want to use as an inline session policy.

  • duration_seconds (int, Optional) – The duration, in seconds, of the role session. By default, the value is set to 3600 seconds. The value specified can range from 900 seconds (15 minutes) up to the maximum session duration which can have a value from 1 hour to 12 hours.

  • tags (list[dict[str, str]], Optional) –

    A list of session tags that you want to pass in the format of [{"Key": tag-key, "Value": tag-value}]. Each session tag consists of a key name and an associated value. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters.

    • Key (str):

      The key of the tag.

    • Value (str):

      The value of the tag.

  • transitive_tag_keys (list(str), Optional) – A list of keys for session tags that you want to set as transitive. If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain.

  • external_id (str, Optional) – A unique identifier that might be required when you assume a role in another account.

  • serial_number (str, Optional) – The identification number of the MFA device that is associated with the user who is making the credentials call. Specify this value if the trust policy of the role being assumed includes a condition that requires MFA authentication.

  • token_code (str, Optional) – The value provided by the MFA device, if the trust policy of the role being assumed requires MFA.

  • source_identity (str, Optional) – The source identity specified by the principal that is calling the credential operation.


The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

Return type:

Dict[str, Any]


Call from the CLI:

$ idem exec aws.sts.assume_role.credentials <role_arn> <role_session_name>

Call from code:

async def my_func(hub, ctx, role_arn:str, role_session_name:str):
    await, role_arn, role_session_name)

Using in a state:

    - path: aws.sts.assume_role.credentials
    - kwargs:
        role_arn: role_arn
        role_session_name: role_session_name