Easily assume AWS roles in your terminal.
remind101/assume-role
This tool will request and set temporary credentials in your shell environment variables for a given role.
On OS X, the best way to get it is to use homebrew:
brew install remind101/formulae/assume-role
If you have a working Go 1.6/1.7 environment:
$ go get -u github.com/remind101/assume-role
On Windows with PowerShell, you can use scoop.sh:
$ scoop bucket add extras
$ scoop install assume-role
Set up a profile for each role you would like to assume in ~/.aws/config.
For example:
~/.aws/config:
[profile usermgt]
region = us-east-1

[profile stage]
# Stage AWS Account.
region = us-east-1
role_arn = arn:aws:iam::1234:role/SuperUser
source_profile = usermgt

[profile prod]
# Production AWS Account.
region = us-east-1
role_arn = arn:aws:iam::9012:role/SuperUser
mfa_serial = arn:aws:iam::5678:mfa/eric-holmes
source_profile = usermgt
~/.aws/credentials:
[usermgt]
aws_access_key_id = AKIMYFAKEEXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/MYxFAKEYEXAMPLEKEY
Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
In this example, we have three AWS Account profiles:
- usermgt
- stage
- prod
Each member of the org has their own IAM user and access/secret key for the usermgt AWS Account. The keys are stored in the ~/.aws/credentials file.
The stage and prod AWS Accounts have an IAM role named SuperUser. The assume-role tool helps a user authenticate (using their keys) and then assume the privilege of the SuperUser role, even across AWS accounts!
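As an added example (not part of the assume-role project), the Go program below reads a config like the one above and lists the role profiles that have no mfa_serial; for this page's sample that is stage. The function name rolesWithoutMFA and the embedded sample are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: the three profiles from the ~/.aws/config example above.
const sampleConfig = `[profile usermgt]
region = us-east-1
[profile stage]
region = us-east-1
role_arn = arn:aws:iam::1234:role/SuperUser
source_profile = usermgt
[profile prod]
region = us-east-1
role_arn = arn:aws:iam::9012:role/SuperUser
mfa_serial = arn:aws:iam::5678:mfa/eric-holmes
source_profile = usermgt`

// rolesWithoutMFA (hypothetical helper): sorted profiles with role_arn but no non-empty mfa_serial.
func rolesWithoutMFA(config string) []string {
	set, current := map[string]map[string]bool{}, ""
	for _, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';': // blank or comment
		case line[0] == '[' && strings.HasSuffix(line, "]"): // [profile name] or [default]
			current = strings.TrimSpace(strings.TrimPrefix(line[1:len(line)-1], "profile "))
			set[current] = map[string]bool{}
		case current != "" && strings.Contains(line, "="): // key = value
			kv := strings.SplitN(line, "=", 2)
			set[current][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1]) != ""
		}
	}
	var out []string
	for name, keys := range set {
		if keys["role_arn"] && !keys["mfa_serial"] {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("role profiles without mfa_serial:", rolesWithoutMFA(sampleConfig))
}
```

mfa_serial only controls whether the client prompts for a code; whether MFA is actually required is decided by the role's trust policy in the target account.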
Perform an action as the given IAM role:
$ assume-role stage aws iam get-user
The assume-role tool sets AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables and then executes the command provided.
If the role requires MFA, you will be asked for the token first:
$ assume-role prod aws iam get-user
MFA code: 123456
If no command is provided, assume-role will output the temporary security credentials:
$ assume-role prod
export AWS_ACCESS_KEY_ID="ASIAI....UOCA"
export AWS_SECRET_ACCESS_KEY="DuH...G1d"
export AWS_SESSION_TOKEN="AQ...1BQ=="
export AWS_SECURITY_TOKEN="AQ...1BQ=="
export ASSUMED_ROLE="prod"
# Run this to configure your shell:
# eval $(assume-role prod)
Or in Windows PowerShell:
$env:AWS_ACCESS_KEY_ID="ASIAI....UOCA"
$env:AWS_SECRET_ACCESS_KEY="DuH...G1d"
$env:AWS_SESSION_TOKEN="AQ...1BQ=="
$env:AWS_SECURITY_TOKEN="AQ...1BQ=="
$env:ASSUMED_ROLE="prod"
# Run this to configure your shell:
# assume-role.exe prod | Invoke-Expression
If you use eval $(assume-role) frequently, you may want to create an alias for it:
- zsh
alias assume-role='function(){eval $(command assume-role $@);}'
- bash
function assume-role { eval $( $(which assume-role) $@); }
- Cache credentials.