@sebsto
Last active December 12, 2024 10:06
Assume Root on AWS member accounts
#!/bin/bash
# Abort on errors, unset variables and failed pipelines
set -euo pipefail

AWS_ACCOUNT_ID=012345678901
CREDS_FILE=credentials.json

# Check if jq is installed
if ! command -v jq &> /dev/null; then
    echo "Error: jq is not installed. Please install jq to parse JSON."
    exit 1
fi

# Do not leave the credentials file behind, even if the script fails halfway
trap 'rm -f "${CREDS_FILE}"' EXIT
# The file holds live root credentials: make it readable by this user only
umask 077

# Ask for temporary credentials for the target account; the task policy
# restricts the session to auditing the member account's root credentials
if ! aws sts assume-root --target-principal "${AWS_ACCOUNT_ID}" \
        --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials \
        > "${CREDS_FILE}"; then
    echo "Error: assume-root call failed for account ${AWS_ACCOUNT_ID}."
    exit 1
fi

# Check that the credentials file exists and is not empty
if [ ! -s "${CREDS_FILE}" ]; then
    echo "Error: ${CREDS_FILE} not found or empty."
    exit 1
fi

# Extract credentials from JSON and set environment variables
export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${CREDS_FILE}")
export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "${CREDS_FILE}")
export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "${CREDS_FILE}")

# Verify that the variables are set (jq -r prints "null" for a missing key)
for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    if [ -z "${!v}" ] || [ "${!v}" = "null" ]; then
        echo "Error: failed to extract ${v} from the JSON."
        exit 1
    fi
done

# Print success message
echo "AWS credentials have been successfully set as environment variables."
echo "You can now use these credentials in your AWS CLI or SDK applications."

# Run an action as root on the member account
aws sts get-caller-identity

# Reset environment variables
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Do not leave the credentials file behind (the EXIT trap also covers early exits)
rm -f "${CREDS_FILE}"
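Every assume-root session like the one above lands in CloudTrail as an STS AssumeRoot event, so the defender-side counterpart is to alert on it. The following scanner is an added example, not part of the gist: it runs over constructed CloudTrail-style records (sample data, not real logs), reports each AssumeRoot call with its target account and task policy, and rates sessions that use anything other than the read-only audit policy as high severity. The field layout of requestParameters for AssumeRoot (targetPrincipal, taskPolicyArn.arn) is an assumption derived from the CLI parameters the script uses.

```python
AUDIT_POLICY = "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"
DELETE_POLICY = "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"
# Read-only audit sessions are routine; any other root task policy grants
# write access to the member account's root identity.
EXPECTED_TASK_POLICIES = {AUDIT_POLICY}

# Constructed CloudTrail-style records (sample data, not real logs)
SAMPLE_RECORDS = [
    {"eventTime": "2024-12-12T10:06:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoot", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/audit-admin"},
     "requestParameters": {"targetPrincipal": "012345678901",
                           "taskPolicyArn": {"arn": AUDIT_POLICY}}},
    {"eventTime": "2024-12-12T10:07:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoot", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"targetPrincipal": "012345678901",
                           "taskPolicyArn": {"arn": DELETE_POLICY}},
     "errorCode": "AccessDenied"},  # denied attempt, still worth an alert
    {"eventTime": "2024-12-12T10:08:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/audit-admin"}},
]


def find_assume_root(records, allowed=EXPECTED_TASK_POLICIES):
    """Return one finding per STS AssumeRoot call, with a severity rating."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRoot":
            continue
        params = ev.get("requestParameters") or {}
        policy = (params.get("taskPolicyArn") or {}).get("arn", "")
        findings.append({
            "time": ev.get("eventTime"),
            "caller": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "target_account": params.get("targetPrincipal"),
            "task_policy": policy,
            "succeeded": "errorCode" not in ev,  # CloudTrail sets errorCode on denials
            "severity": "medium" if policy in allowed else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_assume_root(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['time']} {f['caller']} -> account "
              f"{f['target_account']} via {f['task_policy']} (ok={f['succeeded']})")
```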