Untitled

### First log in to AWS using your default credentials:

```bash
$ aws_adfs_auth
Username: <ntid>
Password: <password>

<<ROLE SELECTION>>
```

### Update your AWS credentials file and add a new profile

In this example we want to test the capabilites of an AMS service so we'll create a new block in `~/.aws/credentials` that looks like:

```
[ams_service]
role_arn = arn:aws:iam::794055897284:role/LambdaCreated/ECSTaskRun
source_profile = saml
```

##### Set your AWS_PROFILE to ams_service:

```bash
$ export AWS_PROFILE=ams_service
```

##### Verify that you have assumed the role:

```bash
aws sts get-caller-identity
```


### Testing Pulls from another repository

We want to pull an image from `756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13` (in test01) using a role from int01. The ECR repository should have a policy that looks like:

```
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "pod_access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::899712721709:root",
                    "arn:aws:iam::794055897284:root"
                ]
            },
            "Action": [
                "ecr:ListImages",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr:GetRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
```

```bash
$(aws ecr get-login --registry-ids 756134506823 --no-include-email --region us-east-1)
```

and test a pull:

```bash
docker pull 756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13
```