
bin+lib aws-assume-role-rs

A command line tool to generate AWS temporary security credentials

8 releases

0.1.7 Aug 9, 2024
0.1.6 Jun 28, 2024
0.1.5 May 27, 2024

#249 in Authentication

MIT license

38KB
680 lines

aws-assume-role-rs

This crate provides the assume-role command, which generates AWS temporary security credentials (via STS AssumeRole) and either prints them or runs a command with them in its environment.

Installation

$ cargo binstall aws-assume-role-rs

or

$ cargo install aws-assume-role-rs

How to use

Command line options

$ assume-role --help
A command line tool to generate AWS temporary security credentials.

Usage: assume-role [OPTIONS] <--totp-secret <TOTP_SECRET>|--totp-code <TOTP_CODE>> [ARGS]...

Arguments:
  [ARGS]...  Commands to execute

Options:
      --aws-profile <AWS_PROFILE>      AWS profile name in AWS_CONFIG_FILE. This option is used to detect jump account information [env: AWS_PROFILE=]
  -p, --profile-name <PROFILE_NAME>    The profile name
  -r, --role-arn <ROLE_ARN>            The IAM Role ARN to assume [env: ROLE_ARN=]
  -c, --config <CONFIG>                The config file. default: $HOME/.aws/config.toml
                                       Load the first of the following files found:
                                         1. the file specified by this option
                                         2. $HOME/.aws/config.toml
                                         3. $HOME/.aws/config
  -d, --duration <DURATION>            The duration in seconds of the role session. (900-43200)
                                       The following suffixes are available:
                                         "s": seconds
                                         "m": minutes
                                         "h": hours
                                       No suffix means seconds. [default: 1h]
  -n, --serial-number <SERIAL_NUMBER>  MFA device ARN such as arn:aws:iam::123456789012/mfa/user [env: SERIAL_NUMBER=]
  -s, --totp-secret <TOTP_SECRET>      The base32 format TOTP secret [env: TOTP_SECRET=]
  -t, --totp-code <TOTP_CODE>          The TOTP code generated by other tool [env: TOTP_CODE=]
  -f, --format <FORMAT>                Output format [possible values: json, bash, zsh, fish, power-shell]
  -v, --verbose                        Print verbose logs
  -h, --help                           Print help
  -V, --version                        Print version

The priority to find role ARN

  1. --role-arn option
  2. Find by --profile-name option from a configuration file
  3. Select role ARN from a list loaded from a configuration file in an interactive UI

The priority of configuration files

  1. --config option
  2. $HOME/.aws/config.toml
  3. $HOME/.aws/config

The priority to find jump account

That is, where the jump account's AWS credentials, MFA serial number, and TOTP secret are looked up, in order:

  1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, SERIAL_NUMBER, TOTP_SECRET)
  2. INI format file specified by --config option and --aws-profile option
  3. Load credentials according to aws_config's default rule

Set up

Create $HOME/.aws/config.toml:

[profile.test]
role_arn = "arn:aws:iam::123456789012:role/Developer"

[profile.test-admin]
role_arn = "arn:aws:iam::123456789012:role/PowerUserRole"

[profile.production-viewer]
role_arn = "arn:aws:iam::123456789876:role/Viewer"

[profile.production-maintainer]
role_arn = "arn:aws:iam::123456789876:role/Maintainer"

In the TOML format, each [profile.<name>] section supports only the role_arn key.

or create $HOME/.aws/config:

[profile jump]
region = ap-northeast-1
serial_number = arn:aws:iam::987654321234:mfa/serialnumber

[profile jump2]
region = ap-northeast-1

[profile test]
role_arn = arn:aws:iam::123456789012:role/Developer

[profile test-admin]
role_arn = arn:aws:iam::123456789012:role/PowerUserRole

[profile production-viewer]
role_arn = arn:aws:iam::123456789876:role/Viewer

[profile production-maintainer]
role_arn = arn:aws:iam::123456789876:role/Maintainer

In the INI format, sections without a role_arn property (such as jump and jump2 above) are skipped when looking up role ARNs; they can still serve as the jump account profile selected by --aws-profile.
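The role ARN priority and the two configuration layouts described above, as an added example (illustrative Python, not the crate's Rust code): a minimal parser that accepts both the TOML [profile.name] and INI [profile name] headers, keeps only sections carrying role_arn, and applies the lookup order (--role-arn, then --profile-name, then the candidate list for the interactive picker). The sample configs are constructed from the README's own entries; the parser is deliberately limited to these layouts and is not a general TOML/INI parser.

```python
import re

# Constructed sample files mirroring the two layouts the README describes.
TOML_CONFIG = """
[profile.test]
role_arn = "arn:aws:iam::123456789012:role/Developer"
[profile.production-viewer]
role_arn = "arn:aws:iam::123456789876:role/Viewer"
"""
INI_CONFIG = """
[profile jump]
region = ap-northeast-1
[profile test]
role_arn = arn:aws:iam::123456789012:role/Developer
[profile production-maintainer]
role_arn = arn:aws:iam::123456789876:role/Maintainer
"""
# Accepts "[profile.name]" (TOML) and "[profile name]" (INI) section headers.
HEADER = re.compile(r"^\[profile[ .]([^\]]+)\]$")

def load_role_profiles(text):
    """Return {profile_name: role_arn}; sections without role_arn are dropped."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = HEADER.match(line)
        if header:
            current = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if current and sep and key.strip() == "role_arn":
            profiles[current] = value.strip().strip('"')  # TOML quotes, INI bare
    return profiles

def resolve_role_arn(role_arn_opt, profile_name, config_text):
    """README priority: 1) --role-arn, 2) --profile-name lookup,
    3) otherwise the sorted candidate list offered by the interactive UI."""
    if role_arn_opt:
        return role_arn_opt
    profiles = load_role_profiles(config_text)
    if profile_name:
        if profile_name not in profiles:
            raise KeyError(f"profile {profile_name!r} has no role_arn")
        return profiles[profile_name]
    return sorted(profiles.values())
```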

Interactive mode

Set the SERIAL_NUMBER and TOTP_SECRET environment variables, or pass --serial-number and --totp-secret on the command line.

You can then select the profile interactively from the profiles in your configuration file.

$ env AWS_PROFILE=jump SERIAL_NUMBER="..." TOTP_SECRET="..." assume-role aws s3 ls
# same as the above using command line options
$ env AWS_PROFILE=jump assume-role --serial-number "..." --totp-secret "..." aws s3 ls

Instead of TOTP_SECRET, you can pass a TOTP code generated by another tool via the --totp-code option or the TOTP_CODE environment variable.

$ env AWS_PROFILE=jump SERIAL_NUMBER="..." TOTP_CODE="..." assume-role aws s3 ls
# same as the above using command line options
$ env AWS_PROFILE=jump assume-role --serial-number="..." --totp-code="..." aws s3 ls
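How the code passed to --totp-code relates to the base32 value passed to --totp-secret, as an added example that is not the crate's code: a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) computed from a base32 secret, plus the remaining validity of the current code. The secret used is the RFC 6238 reference secret "12345678901234567890", base32-encoded; it is a constructed test value, not a real MFA secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

def totp_code(base32_secret: str, at: Optional[int] = None,
              step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme virtual MFA authenticator apps use.
    `base32_secret` is the value you would give to --totp-secret / TOTP_SECRET."""
    # Base32 is case-insensitive; authenticator exports often omit "=" padding.
    secret = base32_secret.strip().replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = int(time.time() if at is None else at) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.4)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

# Constructed: the RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def seconds_until_rollover(at: Optional[int] = None, step: int = 30) -> int:
    """How long the current code stays valid; a code obtained from another
    tool and passed via --totp-code must reach STS before this window ends."""
    now = int(time.time() if at is None else at)
    return step - now % step
```

Calling totp_code(RFC6238_SECRET) with no timestamp yields the code an authenticator app would show right now for that secret.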

Non-interactive mode

You can use the --profile-name option to select the role ARN from the configuration file.

$ AWS_PROFILE=jump assume-role --profile-name test --totp-secret "..." aws s3 ls
or
$ assume-role --aws-profile=jump --profile-name=test --totp-code=123456 aws s3 ls

You can use --role-arn option to specify role ARN directly.

$ AWS_PROFILE=jump2 assume-role --role-arn arn:aws:iam::123456789012:role/Developer --serial-number "..." --totp-secret "..." aws s3 ls

Use with envchain

You can use this assume-role command with sorah/envchain or okkez/envchain-rs.

Store the jump account secrets in the secret service or keychain, then run assume-role inside that envchain namespace:

$ envchain --set jump AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION SERIAL_NUMBER TOTP_SECRET
# ... input secret values
$ envchain jump assume-role -p test-admin aws s3 ls

Set environment variables

With --format, assume-role prints statements in the chosen shell's syntax that export the following environment variables, so the credentials can be loaded into the current shell:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN
  • AWS_EXPIRATION

Bash

eval $(envchain jump assume-role -p test-admin --format bash)

Zsh

eval $(envchain jump assume-role -p test-admin --format zsh)

Fish

eval (envchain jump assume-role -p test-admin --format fish)

License

MIT License

Dependencies

~27–42MB
~677K SLoC