how to switch accounts in a pipeline

Dipesh Majumdar
2 min read · Feb 23, 2023


Suppose you are already in a pipeline and authenticated for Account A, but at some point you need to assume a role in another account B and then switch back to A. How do you do that? You need the roleArn of the role in Account B and two bash functions: call the first one when you want to switch to Account B, and the second one when you want to switch back.

Let's start with a few example values to make the bash script concrete.

For account A

  • Account_id: 129030836016
  • Username: gitlab-ci (a system user used by the pipeline)

For account B

  • Account_id: 229030836016
  • roleArn: the ARN of the role in Account B that gitlab-ci is allowed to assume (its trust policy is shown at the end)

#!/bin/bash
# Needs the AWS CLI and jq. roleArn (the ARN of the role in Account B) must
# already be set in the pipeline environment.

function set_account_b_creds() {
  printf "\nsetting credentials for account b now\n"
  printf "\nFirst backup your original keys\n"
  # The backups are plain files in the working directory: make sure the
  # pipeline does not keep them as artifacts or cache.
  echo "${AWS_ACCESS_KEY_ID}" >AWS_ACCESS_KEY_ID_ORIGINAL
  echo "${AWS_SECRET_ACCESS_KEY}" >AWS_SECRET_ACCESS_KEY_ORIGINAL
  echo "${AWS_SESSION_TOKEN}" >AWS_SESSION_TOKEN_ORIGINAL
  # roleArn belongs to account B; its trust policy is given below
  aws sts assume-role --role-arn "${roleArn}" --role-session-name devSession --region eu-west-1 >output.txt
  export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' output.txt)
  export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' output.txt)
  export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' output.txt)
  aws sts get-caller-identity
  aws eks update-kubeconfig --name eks_cluster_in_account_b
  printf "\n..........................................................\n"
}

function set_account_a_creds() {
  printf "\nswitching back to account a now\n"
  export AWS_ACCESS_KEY_ID=$(cat AWS_ACCESS_KEY_ID_ORIGINAL)
  export AWS_SECRET_ACCESS_KEY=$(cat AWS_SECRET_ACCESS_KEY_ORIGINAL)
  # gitlab-ci is an IAM user with long-lived keys, so there may have been no
  # session token to back up; do not export an empty one in that case
  if [[ -n "$(cat AWS_SESSION_TOKEN_ORIGINAL)" ]]; then
    export AWS_SESSION_TOKEN=$(cat AWS_SESSION_TOKEN_ORIGINAL)
  else
    unset AWS_SESSION_TOKEN
  fi
  aws sts get-caller-identity
  aws eks update-kubeconfig --name eks_cluster_in_account_a
  printf "\n..........................................................\n"
}

printf "\nRight now in account a\n"

# example value of acc-id-of-b is 229030836016; just substitute it for the placeholder
export ACCOUNT_ID_NOW=$(aws sts get-caller-identity --query Account --output text)
if [[ "${ACCOUNT_ID_NOW}" != "<<acc-id-of-b>>" ]]; then
  set_account_b_creds
fi
printf "\nStarting activities in Account B\n"

export ACCOUNT_ID_NOW=$(aws sts get-caller-identity --query Account --output text)
if [[ "${ACCOUNT_ID_NOW}" == "<<acc-id-of-b>>" ]]; then
  set_account_a_creds
fi
printf "\nStarting activities in Account A again\n"

The trust policy on the role ${roleArn} in Account B looks like this; it allows only the gitlab-ci user from Account A to call sts:AssumeRole on the role (the gitlab-ci user itself also needs an IAM policy that permits sts:AssumeRole on this role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<<account-a-id>>:user/gitlab-ci"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
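As an added example that is not part of the original post, here is the same switch-and-restore logic, plus a check that a role's trust policy actually names the calling principal, written in Python so it runs offline against constructed sample data; the assume-role output and the credential values are placeholders, and the account ids follow the post.

```python
import json

# Constructed sample of `aws sts assume-role` output; the shape matches the
# real API, the values are placeholders rather than real credentials.
ASSUME_ROLE_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "exampleSecret",
    "SessionToken": "exampleToken", "Expiration": "2023-02-23T13:00:00+00:00"}})

# Constructed trust policy in the same shape as the one shown on this page.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::129030836016:user/gitlab-ci"]},
    "Action": "sts:AssumeRole", "Condition": {}}]}

CRED_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def creds_from_assume_role(output: str) -> dict:
    """The three AWS_* variables the CLI reads, from assume-role JSON (what the jq lines do)."""
    c = json.loads(output)["Credentials"]
    return dict(zip(CRED_KEYS, (c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"])))


def trust_allows(policy: dict, caller_arn: str) -> bool:
    """True if an Allow statement for sts:AssumeRole lists caller_arn, or the
    root of its account, as an AWS principal (wildcards are not treated as a match)."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        principals = st.get("Principal", {}).get("AWS", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = [principals] if isinstance(principals, str) else principals
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in actions \
                and (caller_arn in principals or account_root in principals):
            return True
    return False


def switch_then_restore(env: dict, new_creds: dict) -> tuple:
    """Return the account-B environment and the restored account-A environment.
    The backup stays in memory instead of files on disk, and a session token
    that was absent before the switch is removed on restore, not set to ''."""
    backup = {k: env[k] for k in CRED_KEYS if k in env}
    switched = {**env, **new_creds}
    restored = {k: v for k, v in switched.items() if k not in CRED_KEYS}
    restored.update(backup)
    return switched, restored
```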
