Add config setting or flag to automatic exit in case of an invalid role

[shwethaumashanker]

Context:

Phil Hadviger Slack link When using assume in a script, like source assume -r ap-northeast-1 mycompany/myinvalidrole is there any way for it to not open the role selection browser and instead just fail so we can trap that the role/profile does not exist for this user?

[datfinesoul]

The request would be for possibly supporting a command line option like --exit-code similar to git diff or other tools, that would allow the selector to be skipped and instead have the script return an exit code of 1 when a matching profile/role is not found.

Some extra context. We've been making assume part of our documentation / automation process, so there is less room for interpretation.

So in documentation it might look like the following (purely and example):

1. Log into AWS on your terminal and the console

   assume -s ec2 -r ap-northeast-1 -t mycompany/MyRoleWithATypo

2. Run the myscript.sh file from your terminal
3. Verify in the console that the tag on the instance was updated

If I currently run follow this, in step 1 it would bring up the role selector, which would possibly lead to an unpredictable and non-working scenario. I would prefer if we could just have the current error message pop up, and no selector appears. ([!] mycompany/MyRoleWithATypo not found in your AWS config or credentials)

Even more so in a script, where we might make it part of a process.

source assume -r ap-northeast-1 mycompany/myinvalidrole
aws s3 ...

instead of this leading to the selector coming up, and manual entry being a required thing, it would be more helpful if there was a way to make this assume call fail.

[datfinesoul]

Just wanted to follow up and see if there is any possibility of this getting implemented so that assume can more reliably be used from within other shell scripts.

[DonDebonair]

We ran into the same need when automating common developer workflows that involve assume. Would love for the command to be able to fail fast (cc @j-krose)

[j-krose]

FYI our temporary workaround in scripting is along the lines of:

    if [ -z $(aws configure list-profiles | grep "^$DESIRED_PROFILE$") ]; then
        ... exit early with a message
    fi

    assume $DESIRED_PROFILE

This is not ideal because:

• It seems that aws configure list-profiles lists profiles that have been removed from ~/.aws/config, but still have some stale state elsewhere in ~/.aws/
• We would have to introduce this type of thing generically in all our programmatic uses of assume rather than just simply having a flag