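====== AWS Security Token Service ======
===== Assume role in other accounts in organisation =====
#!/usr/bin/env bash
#
# Walk every account in the AWS Organization, assume a well-known role in each
# member account, and run some work (here: sts get-caller-identity) with the
# temporary credentials.
#
# Prerequisites:
#   - The caller must be allowed organizations:ListAccounts (management account
#     or a delegated administrator) and sts:AssumeRole on the target role.
#   - "${role}" must exist in each member account with a trust policy that
#     allows a principal in this account.
#   - aws CLI and jq on PATH.
#
# Environment (all optional):
#   THIS_ACCOUNT  account id to skip; defaults to the caller's own account
#   ROLE          role name to assume (default: OrganizationAdminRole)
#   SESSION_NAME  STS session name; this is what shows up in CloudTrail in the
#                 target account, so pick something attributable
set -euo pipefail

role="${ROLE:-OrganizationAdminRole}"
session_name="${SESSION_NAME:-AssumeSession}"
# Derive the current account instead of hard-coding it, so the script is not
# silently run from the wrong account/organisation.
thisaccount="${THIS_ACCOUNT:-$(aws sts get-caller-identity --query Account --output text)}"

# Let the CLI paginate: --no-paginate returns only the first page of accounts,
# so large organisations were silently truncated. Assigning first (rather than
# piping into the loop) lets set -e abort if the listing itself fails.
accounts_json=$(aws organizations list-accounts)
# Skip accounts that are not ACTIVE (SUSPENDED / PENDING_CLOSURE): AssumeRole
# into them fails anyway.
mapfile -t accounts < <(
  jq -r '.Accounts[] | select(.Status == "ACTIVE") | .Id' <<<"${accounts_json}"
)
if (( ${#accounts[@]} == 0 )); then
  printf 'no active accounts returned by list-accounts\n' >&2
  exit 1
fi

for account in "${accounts[@]}"; do
  # Skip our own account with continue, not break: break would abandon every
  # account listed after this one.
  if [[ "${account}" == "${thisaccount}" ]]; then
    continue
  fi

  role_arn="arn:aws:iam::${account}:role/${role}"
  printf 'Getting temp creds for account %s via sts assume-role (%s)\n' \
    "${account}" "${role_arn}" >&2

  # A single failure (role missing, trust policy not updated, SCP denial) should
  # not abort the whole run; previously an empty response would have exported
  # the literal string "null" as credentials and carried on.
  if ! temp_role=$(aws sts assume-role \
        --role-arn "${role_arn}" \
        --role-session-name "${session_name}"); then
    printf 'assume-role failed for %s, skipping\n' "${account}" >&2
    continue
  fi

  # Run the per-account work in a subshell so the temporary credentials never
  # reach the parent environment (no unset needed, and harmless if the script
  # is sourced). The AssumeRole response is deliberately NOT printed: the
  # original dumped SecretAccessKey and SessionToken to stdout, i.e. into
  # terminal scrollback and any log capturing the run.
  (
    AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId <<<"${temp_role}")
    AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey <<<"${temp_role}")
    AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken <<<"${temp_role}")
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

    # Do some interesting stuff in the assumed-role account here
    printf 'sts get id \n'
    aws sts get-caller-identity
    printf 'end of sts get \n'
  )
done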