
> Unsure how one would obtain credentials for an IAM Role, but the above verbatim from the complaint.

You use your own credentials and issue an API call to do it. If you're using the AWS CLI, it's "aws sts assume-role".

We do something similar with our accounts. You can place a restriction on the role that an MFA token must be used while assuming the role, so this allows you to give out longer-term credentials to your devs/admins that can then be used (with an MFA token) to assume a more privileged role.

The role itself needs to be configured with a trust relationship that allows for this, and many roles are restricted to AWS services (i.e. you are authorizing an AWS service to assume the role--not a specific user). I've never used WAF before though, so I'm not sure if it's typical for the WAF role to have that trust relationship or not.
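Added example, not part of the comment above: a small Python check that reads a role's trust policy and reports whether it can be assumed by AWS services only or by IAM identities, and whether MFA is strictly required for the latter. The sample policies, the placeholder account ID 111122223333, and the function names are constructed for illustration.

```python
# Added example: constructed trust policies; account ID 111122223333 is a placeholder.
def _stmt(principal, condition=None):
    s = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        s["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [s]}

ROOT = "arn:aws:iam::111122223333:root"
SERVICE_ONLY = _stmt({"Service": "ec2.amazonaws.com"})
USER_WITH_MFA = _stmt({"AWS": ROOT}, {"Bool": {"aws:MultiFactorAuthPresent": "true"}})
USER_NO_MFA = _stmt({"AWS": ROOT})
USER_WEAK_MFA = _stmt({"AWS": ROOT}, {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_mfa(condition):
    # Only a strict "Bool" test counts: "BoolIfExists" passes when the key is
    # absent, which is the case for calls made with long-term access keys.
    for key, value in condition.get("Bool", {}).items():
        if key.lower() == "aws:multifactorauthpresent":
            return all(str(v).lower() == "true" for v in _as_list(value))
    return False

def audit_trust_policy(policy):
    """Return one finding per Allow statement that permits sts:AssumeRole."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        services = _as_list(principal.get("Service", []))
        identities = _as_list(principal.get("AWS", []))
        mfa = _requires_mfa(stmt.get("Condition", {}))
        findings.append({
            "services": services,      # AWS services trusted to assume the role
            "identities": identities,  # accounts, users or roles trusted to assume it
            "mfa_required": mfa,
            "flag": bool(identities) and not mfa,  # assumable by an identity without MFA
        })
    return findings

if __name__ == "__main__":
    for name in ("SERVICE_ONLY", "USER_WITH_MFA", "USER_NO_MFA", "USER_WEAK_MFA"):
        print(name, audit_trust_policy(globals()[name]))
```

A role trusted only by a service principal produces no flag, because no IAM user can call `aws sts assume-role` on it; the flag marks roles that an identity holding long-term credentials could assume without presenting an MFA token.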



