Miserlou / Zappa

Serverless Python
https://blog.zappa.io/
MIT License

Allow `assume_role` operation in place of `profile_name` to deploy to another account from zappa deployer in AWS #1197

Open chiqomar opened 7 years ago

chiqomar commented 7 years ago

For some time now, we have been using a bot to deploy zappa in a docker image on ECS, and were deploying to both of our production accounts. The way we were doing this was by copying a credentials file into the docker image (not a great idea) and updating as necessary.

Although zappa is pretty robust when it comes to local deployment, boto3 allows us to automatically get credentials through an assigned role ARN (which I have done). I am testing the app right now, using the discussion on minimal permissions for an AWS role as a base. Unfortunately, there is no discussion on how to deploy zappa to another account, if zappa is running in a cloud instance, without using extra credentials.

Actual Behavior

Currently, the solution I am (intending on) using is hard coding my role ARN into our bot, writing a fresh creds file when we read our settings file, and allowing profile_name to work when we run zappa. It's not great, but if it works, I'll do it.

Possible Fix

Either, knowing that we are currently in a role based session, we should automatically have profile_name set so it can assume the role for the other account (not sure how that would work), or we set a new settings var that lets you specify the ARN for the role to assume (either directly, or we can just specify account_id and role_name which should be enough for an assume role operation).
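As an added example of the `assume_role` flow this issue asks for (example code written for this thread, not part of Zappa or the reporter's bot): the deployer calls STS AssumeRole with whatever credentials the ECS task role already gives it, then either writes the short-lived credentials into a named profile so the existing `profile_name` setting keeps working, or hands them to a `zappa` subprocess through `AWS_*` environment variables so nothing touches disk. The STS client is injected so the logic can run offline; the role ARN, profile names and the fake STS client below are constructed for illustration.

```python
"""Cross-account deploy credentials via STS AssumeRole (example, not Zappa code)."""
import configparser
import os
import stat
import tempfile
from pathlib import Path


def assume_role(sts_client, role_arn, session_name, duration=3600, external_id=None):
    """Call STS AssumeRole through the supplied client (boto3.client("sts") in
    production, a fake in tests) and return the temporary credential triple.
    The function holds no long-lived key: the caller's ambient identity
    (e.g. the ECS task role) is what is allowed to assume the target role."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name, "DurationSeconds": duration}
    if external_id:
        # ExternalId guards against the confused-deputy problem when the
        # target role lives in an account you do not control.
        params["ExternalId"] = external_id
    creds = sts_client.assume_role(**params)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def write_profile(credentials_path, profile_name, creds):
    """Write or overwrite one named profile in an AWS shared credentials file,
    keeping any other profiles, and restrict the file to mode 0600 so the
    session token is never readable by other users in the container."""
    path = Path(credentials_path)
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    if path.exists():
        parser.read(path)
    if not parser.has_section(profile_name):
        parser.add_section(profile_name)
    for key, value in creds.items():
        parser.set(profile_name, key, value)
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with 0600 before any bytes are written, not chmod afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as fh:
        parser.write(fh)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def env_for_subprocess(creds, base_env=None):
    """Alternative to a credentials file: an environment mapping for
    subprocess.run(["zappa", "update", ...], env=...). boto3 reads AWS_*
    variables before any profile, so a stale AWS_PROFILE must be dropped."""
    env = dict(os.environ if base_env is None else base_env)
    env["AWS_ACCESS_KEY_ID"] = creds["aws_access_key_id"]
    env["AWS_SECRET_ACCESS_KEY"] = creds["aws_secret_access_key"]
    env["AWS_SESSION_TOKEN"] = creds["aws_session_token"]
    env.pop("AWS_PROFILE", None)
    return env


class FakeSTS:
    """Constructed stand-in for boto3's STS client, used for the offline demo."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",
            "SecretAccessKey": "secret/example+key%value",
            "SessionToken": "FwoGZXIvYXdzEExampleSessionToken",
        }}


def demo(role_arn="arn:aws:iam::123456789012:role/ZappaDeployer"):  # hypothetical ARN
    """Run the flow end to end against FakeSTS in a temp dir and return what
    a second reader (zappa's boto session) would see."""
    sts = FakeSTS()
    creds = assume_role(sts, role_arn, "zappa-deploy", external_id="constructed-id")
    tmp = Path(tempfile.mkdtemp()) / ".aws" / "credentials"
    write_profile(tmp, "default", {"aws_access_key_id": "AKIAOLD", "aws_secret_access_key": "old"})
    write_profile(tmp, "prod-b", creds)
    back = configparser.ConfigParser(interpolation=None)
    back.read(tmp)
    return {
        "request": sts.calls[0],
        "profiles": back.sections(),
        "prod_b_token": back["prod-b"]["aws_session_token"],
        "mode": stat.S_IMODE(os.stat(tmp).st_mode),
        "env": env_for_subprocess(creds, {"AWS_PROFILE": "stale", "PATH": "/usr/bin"}),
    }


if __name__ == "__main__":
    print(demo())
```

The credentials returned by AssumeRole expire after `DurationSeconds` (capped by the role's configured maximum session duration), so the deployer should call `assume_role` per deploy rather than cache the profile across runs; the target role's policy can then be scoped to the minimal permissions discussed elsewhere in the Zappa issues, and the only standing trust is the role's trust policy naming the bot's task role.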

Miserlou commented 7 years ago

Hm, that's interesting.

You might be able to do this with a kind of monkey patching using the predeploy scripts. aws_account_id maybe seems like a better solution though.