README
¶
aws-exec-cmd 
aws-exec-cmd acquires AWS credentials and runs an arbitrary command, providing it credentials through environment variables. It acquires credentials from the environment, IAM roles (with AssumeRole chaining), or Cognito identity pools.
Use Case
Use authenticated commands with credential providers they do not natively support, e.g. EC2 instance role.
Usage
To install:
go get -v github.com/codeactual/aws-exec-cmd/cmd/aws-exec-cmd
Environment variables passed to commands:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SESSION_TOKEN
Examples
Usage:
aws-exec-cmd --help
aws-exec-cmd role --help
aws-exec-cmd idp --help
Use the IAM role, attached to an EC2 instance, to run "env | grep AWS_":
aws-exec-cmd role --chain instance -- env | grep AWS_
Perform the same command but with credentials from role "backup" assumed from an EC2 instance role:
aws-exec-cmd role --chain instance,arn:aws:iam::123456789012:role/backup -- env | grep AWS_
Perform the same command but with credentials from role "backup" assumed from enviroment credentials:
aws-exec-cmd role --chain env-triple,arn:aws:iam::123456789012:role/backup -- env | grep AWS_
Perform the same command with credentials from Cognito identity pool, using federated Google auth:
aws-exec-cmd idp \
--name accounts.google.com \
--pool-id <pool ID> \
--refresh <Google OAuth refresh token> \
--client-id <Google OAuth client ID> \
--client-secret <Google OAuth client secret>
Supported AssumeRole chaining:
- environment variable credentials ->
AssumeRole[->AssumeRole...] - role (temporary credentials from STS) ->
AssumeRole[->AssumeRole...]
Travis CI
Config
- Generate AWS API credentials which will be added to the config file as encrypted environment variables.
- travis-iam-assume-role.json grants permissions to assume the role. For example, attach this to your Travis-dedicated IAM user.
- The Travis CI IP addresses in the policy conditions may be out-of-date.
- travis-iam-resource.json grants permissions to the role to access the resource.
- travis-iam-assume-role.json grants permissions to assume the role. For example, attach this to your Travis-dedicated IAM user.
- To configure the environment variables used by the functional test against the EC2 API, use the Travis CLI to generate the
securestring value.- Each
envitem expects all key/value pairs as one string, and multiple items define multiple build permutations so that all pair sets are tested. Input an entire set, e.g.AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... ROLE_ARN=..., in theencryptcommand. - Launch
travisin interactive mode-iand input the pair set without trailing newline.
- Each
Development
License
Mozilla Public License Version 2.0 (About, FAQ)
Contributing
- Please feel free to submit issues, PRs, questions, and feedback.
- Although this repository consists of snapshots extracted from a private monorepo using transplant, PRs are welcome. Standard GitHub workflows are still used.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
aws-exec-cmd
Command aws-exec-cmd acquires AWS credentials and runs an arbitrary command, providing it credentials through environment variables.
|
Command aws-exec-cmd acquires AWS credentials and runs an arbitrary command, providing it credentials through environment variables. |
|
internal
|
|
|
cage/cmd/testecho
Package testecho assists execution of the CLI from test cases and assertion of its result.
|
Package testecho assists execution of the CLI from test cases and assertion of its result. |