Hi All,
I am trying to write a PowerShell script. What I want to do is use Use-STSRole to assume a role in multiple AWS accounts which we own and run a simple Get-EC2SecurityGroup command to list all security groups we have which match a filter. We have 10 different AWS accounts and the role has been set up correctly. We also use MFA on the root account. The code works in that it will list all the security groups in the root account, but will not show any for the other accounts. It just keeps looping over the root account the same number of times as there are accounts listed in the Accounts.txt file.
param(
[Parameter(Mandatory=$True,Position=1)]
[string]$IAMname,
[Parameter(Mandatory=$True,Position=2)]
[string]$MFAcode
)
$UserARN = "arn:aws:iam::111111111111:mfa/" + $IAMname
Write-host $UserARN
Write-host $MFACode
$Regions = (Get-SSMParametersByPath -Path '/aws/service/global-infrastructure/regions' -Region eu-west-1).Value
$Accounts = get-content -Path .\Accounts.txt
foreach ($Account in $Accounts){
$RoleArn = "arn:aws:iam::${Account}:role/name"
$Authtoken = (Use-STSRole -Region eu-west-1 -RoleArn $Accounts -RoleSessionName "name" -TokenCode $MFAcode -SerialNumber $UserARN).Credentials
foreach ($Region in $Regions){
Get-EC2SecurityGroup -Filter @{Name="ip-permission.cidr";Values="x.x.x.x/x"} -Region $Region -AccessKey $Authtoken.Credentials.AccessKeyId -SecretKey $Authtoken.Credentials.SecretAccessKey -SessionToken $Authtoken.Credentials.SessionToken
}
}
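Two things in the posted loop stop the per-account credentials from ever reaching Get-EC2SecurityGroup: Use-STSRole is given `-RoleArn $Accounts` (the whole list) instead of the `$RoleArn` built on the line above, and `$Authtoken` is already the `.Credentials` object, so `$Authtoken.Credentials.AccessKeyId` is `$null`. With empty -AccessKey/-SecretKey/-SessionToken values the EC2 cmdlet falls back to the default profile, which is why every iteration reports the root account's groups. The script below is an added, corrected version (editor's example, not the poster's code or an AWS sample): it does the MFA step once with Get-STSSessionToken, because AWS rejects a TOTP code that has already been used, assumes the role in each account from that session, verifies with Get-STSCallerIdentity that the credentials really belong to the target account, and only queries the regions enabled for that account. The role name, session name, account id in the MFA ARN and the CIDR value are placeholders carried over from the post and must be adjusted.

```powershell
# Editor's example: assume a role per account and query security groups with those credentials.
# Placeholders (not from AWS): role name 'name', account 111111111111, CIDR 'x.x.x.x/x'.
param(
    [Parameter(Mandatory=$true, Position=1)] [string]$IAMname,
    [Parameter(Mandatory=$true, Position=2)] [string]$MFAcode,
    [string]$RoleName = 'name',          # placeholder role name from the post
    [string]$Cidr     = 'x.x.x.x/x'      # placeholder CIDR from the post
)

# Make any AWS error terminate the script instead of letting a later cmdlet
# run with empty credentials and silently use the default profile.
$ErrorActionPreference = 'Stop'

$MfaSerial = "arn:aws:iam::111111111111:mfa/$IAMname"   # placeholder management-account id

# One MFA-backed session; the same TOTP code cannot be presented to STS twice,
# so derive every AssumeRole call from these temporary credentials.
$Session = (Get-STSSessionToken -SerialNumber $MfaSerial -TokenCode $MFAcode -DurationInSeconds 3600).Credentials
$SessionParams = @{
    AccessKey    = $Session.AccessKeyId
    SecretKey    = $Session.SecretAccessKey
    SessionToken = $Session.SessionToken
}

# Accounts.txt holds one 12-digit account id per line; ignore blank or malformed lines.
$Accounts = Get-Content -Path .\Accounts.txt | Where-Object { $_ -match '^\d{12}$' }

foreach ($Account in $Accounts) {
    $RoleArn = "arn:aws:iam::${Account}:role/$RoleName"

    # Assume the per-account role with the MFA session, not the long-lived user keys.
    $Assumed = (Use-STSRole @SessionParams -RoleArn $RoleArn -RoleSessionName "sg-audit-$IAMname").Credentials
    $RoleParams = @{
        AccessKey    = $Assumed.AccessKeyId
        SecretKey    = $Assumed.SecretAccessKey
        SessionToken = $Assumed.SessionToken
    }

    # Check: the identity behind these credentials must be the target account.
    $Who = Get-STSCallerIdentity @RoleParams -Region eu-west-1
    if ($Who.Account -ne $Account) {
        throw "Expected to be in account $Account but credentials resolve to $($Who.Arn)"
    }

    # DescribeRegions returns only the regions enabled for this account; the SSM
    # global-infrastructure list also includes opt-in regions that would fail with AuthFailure.
    $Regions = (Get-EC2Region @RoleParams -Region eu-west-1).RegionName

    foreach ($Region in $Regions) {
        Get-EC2SecurityGroup @RoleParams -Region $Region -Filter @{ Name = 'ip-permission.cidr'; Values = $Cidr } |
            Select-Object @{ n = 'Account'; e = { $Account } },
                          @{ n = 'Region';  e = { $Region } },
                          GroupId, GroupName, VpcId
    }
}
```

Run it as `.\Find-SecurityGroups.ps1 -IAMname alice -MFAcode 123456` (hypothetical file name). The Get-STSCallerIdentity check is the quickest way to see the original bug: with the posted code it would have reported account 111111111111 on every iteration. The role's trust policy can additionally require `aws:MultiFactorAuthPresent`; credentials from Get-STSSessionToken obtained with an MFA code satisfy that condition when used for AssumeRole.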