assume-role

command module
v0.4.1
Published: Oct 22, 2020 License: BSD-2-Clause Imports: 1 Imported by: 0

README

This tool will request and set temporary credentials in your shell environment variables for a given role.

Installation

On OS X, the best way to get it is to use Homebrew:

brew install danielthank/tap/assume-role

If you have a working Go environment:

$ go get -u github.com/danielthank/assume-role

On Windows with PowerShell, you can use scoop.sh:

$ scoop bucket add extras
$ scoop install assume-role

Configuration

Set up a profile for each role you would like to assume in ~/.aws/config.

For example:

~/.aws/config:

[profile chin.yenru]
region = ap-northeast-1
output = json

[profile stage]
# Stage AWS Account.
region = ap-northeast-1
role_arn = arn:aws:iam::1234:role/DeveloperAdministrator
mfa_serial = arn:aws:iam::9012:mfa/chin.yenru
source_profile = chin.yenru

[profile prod]
# Production AWS Account.
region = ap-northeast-1
role_arn = arn:aws:iam::5678:role/DeveloperAdministrator
mfa_serial = arn:aws:iam::9012:mfa/chin.yenru
source_profile = chin.yenru

~/.aws/credentials:

[chin.yenru]
aws_access_key_id = AKIMYFAKEEXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/MYxFAKEYEXAMPLEKEY

Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

In this example, we have three AWS Account profiles:

  • chin.yenru
  • stage
  • prod

Each member of the org has their own IAM user and access/secret key for the chin.yenru AWS Account. The keys are stored in the ~/.aws/credentials file.

The stage and prod AWS Accounts have an IAM role named DeveloperAdministrator. The assume-role tool helps a user authenticate (using their keys) and then assume the privilege of the DeveloperAdministrator role, even across AWS accounts!

Usage

assume-role will output the temporary security credentials:

$ assume-role -r prod
export AWS_ACCESS_KEY_ID="ASIAI....UOCA"
export AWS_SECRET_ACCESS_KEY="DuH...G1d"
export AWS_SESSION_TOKEN="AQ...1BQ=="
export AWS_SECURITY_TOKEN="AQ...1BQ=="
export ASSUMED_ROLE="prod"
# Run this to configure your shell:
# eval $(assume-role prod)

If the role requires MFA, you will be asked for the token first:

$ assume-role -r stage
MFA code: 123456

Or, in Windows PowerShell:

$env:AWS_ACCESS_KEY_ID="ASIAI....UOCA"
$env:AWS_SECRET_ACCESS_KEY="DuH...G1d"
$env:AWS_SESSION_TOKEN="AQ...1BQ=="
$env:AWS_SECURITY_TOKEN="AQ...1BQ=="
$env:ASSUMED_ROLE="prod"
# Run this to configure your shell:
# assume-role.exe prod | Invoke-Expression

If you use eval $(assume-role) frequently, you may want to create an alias for it:

  • zsh
alias assume-role='function(){eval $(command assume-role "$@");}'
  • bash
function assume-role { eval "$(command assume-role "$@")"; }
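
The eval-based wrappers above run whatever the tool prints as shell code. The function below is an added example, not part of assume-role: it applies the output without eval, exporting only allowlisted variables whose values contain no shell metacharacters. It assumes the bash output shape shown under Usage; ALLOWED_VARS, check_export_line, load_assumed_role and SAMPLE_OUTPUT are names introduced here.

```shell
# Added example (not part of assume-role): apply the tool's output without eval.
ALLOWED_VARS=" AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ASSUMED_ROLE "

# check_export_line LINE: accept only export NAME="value" where NAME is in the
# allowlist and value holds no quotes, spaces or other shell metacharacters.
check_export_line() {
    case $1 in
        'export '*=\"*\") ;;
        *) return 1 ;;
    esac
    _n=${1#'export '}; _n=${_n%%=*}
    _v=${1#*=\"}; _v=${_v%\"}
    case $_n in *[!A-Z_]*) return 1 ;; esac
    case $ALLOWED_VARS in *" $_n "*) ;; *) return 1 ;; esac
    case $_v in ''|*[!A-Za-z0-9+/=,._@-]*) return 1 ;; esac
    return 0
}

# load_assumed_role OUTPUT: the first pass validates every line, the second exports.
# Nothing is exported unless the whole output passes.
load_assumed_role() {
    for _pass in check apply; do
        while IFS= read -r _line; do
            case $_line in ''|'#'*) continue ;; esac   # blank lines, hint comments
            if [ "$_pass" = check ]; then
                check_export_line "$_line" && continue
                # The rejected line is not echoed: it may contain a secret.
                echo "load_assumed_role: unexpected line, nothing exported" >&2
                return 1
            fi
            _n=${_line#'export '}; _n=${_n%%=*}
            _v=${_line#*=\"}; _v=${_v%\"}
            export "$_n=$_v"
        done <<EOF
$1
EOF
    done
}

# Constructed sample output (placeholder values, shaped like the Usage listing).
SAMPLE_OUTPUT='export AWS_ACCESS_KEY_ID="ASIAEXAMPLEKEYID"
export AWS_SECRET_ACCESS_KEY="constructed/secret+value"
export AWS_SESSION_TOKEN="Y29uc3RydWN0ZWQ=="
export ASSUMED_ROLE="stage"
# Run this to configure your shell:'

# Real use (assumes assume-role is on PATH): load_assumed_role "$(assume-role -r stage)"
```
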

Check assume-role -h for other usage:

Usage:
  assume-role [flags]

Flags:
  -d, --duration duration   The duration that the credentials will be valid for (default 1h0m0s)
  -h, --help                help for assume-role
  -o, --output string       Output format (default "bash")
  -r, --role string         Role to be switched to
