When you include both a profile and an assume_role_arn as inputs to the module, the module should use the provided profile to assume the role, then execute the CLI command using the temporary credentials for the assumed role.
Currently, the module includes the profile param as part of the CLI execution by default, which prevents the temporary credentials for the assumed role from being used.
This PR resolves that issue by adding an if condition to the CLI execution which checks if both profile and assume_role_arn have been provided - when true, the profile param is excluded from the CLI execution so that the temporary credentials will be used instead. When false, CLI execution continues as normal.
See the related issue below for a detailed write-up of the problem described here.
Additionally, this PR resolves a typo found in the sts assume-role operation that prevents successful execution of that portion of the script when it is needed.
This PR means that the module more accurately achieves its mission by allowing you to use a profile to assume a role to execute the CLI command with:
Run the AWS CLI, with the ability to run under an assumed role, to access resources and properties missing from the Terraform AWS Provider.
I've made these changes locally and confirmed that I was able to execute the module using the assume_role_arn when both profile and assume_role_arn were provided.
@rquadling Would you mind reviewing this PR when you have a minute? It resolves https://github.com/digitickets/terraform-aws-cli/issues/11 and I'd love to get it merged so that I can avoid forking this module instead.
Purpose
When you include both a
profile
and anassume_role_arn
as inputs to the module, the module should use the provided profile to assume the role, then execute the CLI command using the temporary credentials for the assumed role.Currently, the module includes the profile param as part of the CLI execution by default, which prevents the temporary credentials for the assumed role from being used.
This PR resolves that issue by adding an
if
condition to the CLI execution which checks if bothprofile
andassume_role_arn
have been provided - when true, the profile param is excluded from the CLI execution so that the temporary credentials will be used instead. When false, CLI execution continues as normal.See the related issue below for a detailed write-up of the problem described here.
Additionally, this PR resolves a typo found in the
sts assume-role
operation that prevents successful execution of that portion of the script when it is needed.This PR means that the module more accurately achieves its mission by allowing you to use a profile to assume a role to execute the CLI command with:
Related Issue
This PR resolves the Issue described here: https://github.com/digitickets/terraform-aws-cli/issues/11
Testing
I've made these changes locally and confirmed that I was able to execute the module using the
assume_role_arn
when bothprofile
andassume_role_arn
were provided.