awscli_bastion extends the awscli by managing MFA-protected short-lived credentials.

Project description

awscli_bastion


Install

$ pip install awscli_bastion

Configure

~/.aws/credentials:

# (required) aws bastion profiles

[bastion] # these are fake credentials
aws_access_key_id = ASIA554SXDVIHKO5ACW2
aws_secret_access_key = VLJQKLEqs37HCDG4HgSDrxl1vLNrk9Is8gm0VNfA

[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = bastion get-session-token
source_profile = bastion


# (optional) aws assume role profiles

[dev]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[stage]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts

[prod]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts

~/.aws/config:

[default]
region = us-west-2
output = json

Usage

Run awscli commands normally and the bastion credential_process will handle the rest:

$ aws sts get-caller-identity --profile dev
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
{
    "UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}

$ aws sts get-caller-identity --profile stage
{
    "UserId": "BBBBBBBBBBBBBBBBBBBBB:botocore-session-2345678901",
    "Account": "345678901234",
    "Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}

$ aws sts get-caller-identity --profile prod
{
    "UserId": "CCCCCCCCCCCCCCCCCCCCC:botocore-session-3456789012",
    "Account": "456789012345",
    "Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}

Renew the bastion-sts credentials cache:

# these are fake credentials
$ bastion get-session-token --mfa-code 123456
{
    "AccessKeyId": "ASIA554SXXVIYYQRGGER",
    "SecretAccessKey": "aw5/hbwzGP31s2lfC3ZQshKE+AZdlOYkqBUI4otp",
    "SessionToken": "FQoGZXIvYXdHEY4aDDDbLp6g5sfNojzC6CKwAV+yefPfFg7y0xADMDECoddpj9WecBEReMtXkRjCVZfbSa1604EIK2q0zshlsP0PtF0e5wBZFDuZHTI464EpSQEXkJajksWeMMOe7PSzyJOX5Zqp8ve4ItHoE70tGxIVQjA06NbvodNjjOO/gsbDAcKHW1rx9wnq3RJ+dQbqqNq01R1vrDvTjxDNTrZr2wYI2qYrd9REP+mc44EeIO+3r0iuiwxRCL1UzS/4nG4IRYG2KMeo9esF",
    "Expiration": "2019-09-15T08:57:43+00:00",
    "Version": 1
}

Replace the default profile with an assume-role profile:

$ bastion set-default dev
Setting the 'default' profile with attributes from the 'dev' profile.

$ aws sts get-caller-identity
{
    "UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}

Special Usage

Show how much time remains until the bastion-sts credentials expire:

$ bastion get-expiration-delta
The bastion-sts credentials will expire 11 hours from now.

Set the MFA serial number:

$ bastion set-mfa-serial
Setting the 'mfa_serial' attribute for the 'bastion-sts' profile.

Reset the bastion credentials cache:

$ bastion clear-cache
~/.aws/cli/cache/bastion-sts.json has been removed.

Write bastion-sts credentials to the AWS shared credentials file:

$ bastion get-session-token --write-to-shared-credentials-file --mfa-code 123456
Setting the 'bastion-sts' profile with sts credential attributes.

Write assume-role sts credentials to the AWS shared credentials file:

$ bastion assume-role dev
Setting the 'dev' profile with assume role sts credential attributes.
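
An added example, not part of awscli_bastion: a Python check that the shared credentials file keeps the chain from the Configure section (role profiles source from bastion-sts, which carries mfa_serial and credential_process) and reports profiles holding key material, since the two commands above write sts credential attributes into that file. The `audit` function, the `legacy` profile and the rule that only `bastion` may hold keys are assumptions made for this example.

```python
import configparser

# Constructed sample in the ~/.aws/credentials layout shown above; all values are fake.
SAMPLE = """
[bastion]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-fake-secret
[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/example-user
credential_process = bastion get-session-token
source_profile = bastion
[dev]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts
[legacy]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion
[stage]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-fake-secret
aws_session_token = constructed-fake-token
"""

def audit(text, long_lived="bastion", sts="bastion-sts"):
    """Return sorted (profile, issue) pairs for profiles that sidestep the MFA chain."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    findings = set()
    # The MFA-gated profile must name the device, the helper and the key profile.
    sts_profile = cfg[sts] if cfg.has_section(sts) else {}
    for key in ("mfa_serial", "credential_process"):
        if not sts_profile.get(key):
            findings.add((sts, f"missing {key}"))
    if sts_profile.get("source_profile") != long_lived:
        findings.add((sts, "source_profile is not the long-lived key profile"))
    for name in cfg.sections():
        profile = cfg[name]
        # Role profiles must assume from the MFA session, not from the raw keys.
        if "role_arn" in profile and profile.get("source_profile") != sts:
            findings.add((name, "role not assumed through the MFA session"))
        # Assumed policy: only the long-lived profile may hold key material.
        if name != long_lived and "aws_access_key_id" in profile:
            kind = "temporary" if "aws_session_token" in profile else "long-lived"
            findings.add((name, f"{kind} keys stored in the shared file"))
    return sorted(findings)

if __name__ == "__main__":
    for profile, issue in audit(SAMPLE):
        print(f"{profile}: {issue}")
```

Profiles flagged for temporary keys age out when the sts credentials expire; a flagged role profile keeps working without an MFA prompt until its source_profile is pointed back at bastion-sts.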

Credits

This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.

History

0.1.0 (2019-09-13)

  • First release on PyPI.

Source Distribution

awscli_bastion-0.4.0.macosx-10.14-x86_64.tar.gz (10.5 kB)
