@tjrivera
Last active October 10, 2018 13:59
Testing Service IAM Capabilities

First log in to AWS using your default credentials:

$ aws_adfs_auth
Username: <ntid>
Password: <password>

<<ROLE SELECTION>>

Update your AWS credentials file and add a new profile

In this example we want to test the capabilities of an AMS service, so we'll create a new block in ~/.aws/credentials that looks like:

[ams_service]
role_arn = arn:aws:iam::794055897284:role/LambdaCreated/ECSTaskRun
source_profile = saml

Set your AWS_PROFILE to ams_service:

$ export AWS_PROFILE=ams_service

Verify that you have assumed the role (the returned Arn should be the assumed-role ARN, not your SAML user):

$ aws sts get-caller-identity

Testing Pulls from another repository

We want to pull an image from 756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13 (in test01) using a role from int01. The ECR repository should have a policy that looks like:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "pod_access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::899712721709:root",
                    "arn:aws:iam::794055897284:root"
                ]
            },
            "Action": [
                "ecr:ListImages",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr:GetRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

Then log in to the registry in the other account (ecr:GetAuthorizationToken is checked against the caller's own identity policy, so the repository policy above does not cover it; on AWS CLI v2 the equivalent is aws ecr get-login-password piped into docker login):

$ $(aws ecr get-login --registry-ids 756134506823 --no-include-email --region us-east-1)

and test a pull:

docker pull 756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13
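Before running the live pull, it helps to check offline whether the repository policy actually grants the assumed role's account the three actions a docker pull needs. The following checker is an added example, not part of the gist; the sample policy is the one from this page, and the 111111111111 account in the tests is a constructed placeholder.

```python
import json
from fnmatch import fnmatchcase

# Actions a `docker pull` needs on the repository (the registry login itself is
# covered by ecr:GetAuthorizationToken in the caller's identity policy).
PULL_ACTIONS = ("ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer")

# Constructed sample: the repository policy shown above, embedded so this runs offline.
SAMPLE_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "pod_access", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::899712721709:root",
                          "arn:aws:iam::794055897284:root"]},
    "Action": ["ecr:ListImages", "ecr:DescribeRepositories", "ecr:DescribeImages",
               "ecr:GetRepositoryPolicy", "ecr:GetLifecyclePolicy",
               "ecr:GetLifecyclePolicyPreview", "ecr:GetDownloadUrlForLayer",
               "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"]}]
}""")

def account_id(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _principal_matches(stmt, account):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    # "arn:aws:iam::<id>:root" (or a bare account ID) delegates to every role in that account.
    return any(p == "*" or p == account or (p.startswith("arn:") and account_id(p) == account)
               for p in aws)

def missing_pull_actions(policy, role_arn):
    """Return the pull actions the repository policy does not grant to role_arn's account."""
    account = account_id(role_arn)
    missing = []
    for action in PULL_ACTIONS:
        allowed = denied = False
        for stmt in policy.get("Statement", []):
            if not _principal_matches(stmt, account):
                continue
            # IAM action matching is case-insensitive and accepts "*" / "?" wildcards.
            hit = any(fnmatchcase(action.lower(), pat.lower())
                      for pat in _as_list(stmt.get("Action")))
            allowed |= hit and stmt.get("Effect") == "Allow"
            denied |= hit and stmt.get("Effect") == "Deny"
        if denied or not allowed:  # an explicit Deny always wins
            missing.append(action)
    return missing
```

Feed it the output of aws ecr get-repository-policy (the policyText field) and the role ARN from your credentials profile; an empty list means the pull should be authorized at the repository level.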