awscli_bastion extends the awscli by managing mfa protected short-lived credentials.
Project description
awscli_bastion
Free software: Apache Software License 2.0
Documentation: https://awscli-bastion.readthedocs.io.
Install
$ pip install awscli-bastion
Configure
Ensure that your AWS Bastion account is configured with mfa-protected api access.
Ensure the awscli is configured as follows:
~/.aws/credentials:
# stores long-lived iam user credentials from the bastion account
# these are fake credentials
[bastion]
aws_access_key_id = ASIA554SXDVIHKO5ACW2
aws_secret_access_key = VLJQKLEqs37HCDG4HgSDrxl1vLNrk9Is8gm0VNfA

# stores short-lived sts.get_session_token() credentials for the bastion account
[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = bastion get-session-token
source_profile = bastion

# assume role profiles store short-lived sts.assume_role() credentials
[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[stage-poweruser]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts

[prod-spectator]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts
~/.aws/config:
[default]
region = us-west-2
output = json
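As an added example (not part of awscli_bastion), a small audit of a shared credentials file laid out like the one above: it follows each role profile's source_profile chain and flags any role that can be assumed without passing through an mfa_serial profile, or that stores static keys itself. The file contents, profile names and keys below are constructed; "legacy-direct" is deliberately misconfigured.

```python
import configparser

# Constructed sample in the layout of the ~/.aws/credentials above (fake values, not real keys);
# "legacy-direct" is deliberately misconfigured to chain straight to the long-lived keys.
SAMPLE_CREDENTIALS = """
[bastion]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret

[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/example-user
credential_process = bastion get-session-token
source_profile = bastion

[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[legacy-direct]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion
"""

def load_profiles(text):
    """Parse shared-credentials INI text into {profile: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)  # a '%' in a secret must not interpolate
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def resolve_chain(profiles, name):
    """Follow source_profile links until a profile without one (the static-key holder)."""
    chain = [name]
    while "source_profile" in profiles[chain[-1]]:
        nxt = profiles[chain[-1]]["source_profile"]
        if nxt in chain or nxt not in profiles:
            raise ValueError(f"broken or circular source_profile chain at {nxt!r}")
        chain.append(nxt)
    return chain

def audit(profiles):
    """Flag role profiles whose chain has no mfa_serial hop (so a stolen long-lived key alone
    suffices to assume the role) and role profiles that also carry static access keys."""
    findings = []
    for name, attrs in profiles.items():
        if "role_arn" not in attrs:
            continue
        chain = resolve_chain(profiles, name)
        if not any("mfa_serial" in profiles[p] for p in chain):
            findings.append((name, "no MFA-protected hop in chain " + " -> ".join(chain)))
        if "aws_access_key_id" in attrs:
            findings.append((name, "role profile also stores static access keys"))
    return findings
```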
Usage
Run awscli commands as usual; the configured bastion credential_process, together with each profile's role_arn and source_profile, handles the MFA prompt and role assumption:
$ aws sts get-caller-identity --profile dev-admin
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
{
"UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
"Account": "123456789012",
"Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}
$ aws sts get-caller-identity --profile stage
{
"UserId": "BBBBBBBBBBBBBBBBBBBBB:botocore-session-2345678901",
"Account": "345678901234",
"Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}
$ aws sts get-caller-identity --profile prod
{
"UserId": "CCCCCCCCCCCCCCCCCCCCC:botocore-session-3456789012",
"Account": "456789012345",
"Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}
If the bastion-sts credentials cache has expired, you will be prompted for your MFA code to obtain new sts credentials.
Force the renewal of the bastion-sts credentials cache:
# these are fake credentials
$ bastion get-session-token --mfa-code 123456
{
"AccessKeyId": "ASIA554SXXVIYYQRGGER",
"SecretAccessKey": "aw5/hbwzGP31s2lfC3ZQshKE+AZdlOYkqBUI4otp",
"SessionToken": "FQoGZXIvYXdHEY4aDDDbLp6g5sfNojzC6CKwAV+yefPfFg7y0xADMDECoddpj9WecBEReMtXkRjCVZfbSa1604EIK2q0zshlsP0PtF0e5wBZFDuZHTI464EpSQEXkJajksWeMMOe7PSzyJOX5Zqp8ve4ItHoE70tGxIVQjA06NbvodNjjOO/gsbDAcKHW1rx9wnq3RJ+dQbqqNq01R1vrDvTjxDNTrZr2wYI2qYrd9REP+mc44EeIO+3r0iuiwxRCL1UzS/4nG4IRYG2KMeo9esF",
"Expiration": "2019-09-15T08:57:43+00:00",
"Version": 1
}
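The caching behaviour just described, as an added example that is not the project's code: an expiry check with a safety margin on a cached Version 1 document of the shape above, and the conversion of boto3's sts.get_session_token() Credentials into that format. The cached values are constructed fakes and refresh() stands in for the MFA prompt and STS call.

```python
from datetime import datetime, timedelta, timezone

# Constructed cache entry with the shape of the get-session-token output above (fake values).
CACHED = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecret",
    "SessionToken": "EXAMPLEsessionTokenEXAMPLE",
    "Expiration": "2019-09-15T08:57:43+00:00",
    "Version": 1,
}

def parse_iso(text):
    """Parse the timezone-aware ISO 8601 timestamp used in the Expiration field."""
    return datetime.fromisoformat(text)

def seconds_remaining(cached, now):
    """Seconds until the cached session token expires; negative once it has expired."""
    return (parse_iso(cached["Expiration"]) - now).total_seconds()

def cache_is_usable(cached, now, margin=timedelta(minutes=5)):
    """Refuse a cache that is expired or about to expire, so a following assume_role
    is never attempted with a token that dies mid-request."""
    return cached.get("Version") == 1 and seconds_remaining(cached, now) > margin.total_seconds()

def to_credential_process_output(sts_credentials):
    """Turn the Credentials dict from boto3's sts.get_session_token() (Expiration is a datetime
    there) into the Version 1 JSON document the awscli reads from a credential_process."""
    expiration = sts_credentials["Expiration"].astimezone(timezone.utc)
    return {
        "AccessKeyId": sts_credentials["AccessKeyId"],
        "SecretAccessKey": sts_credentials["SecretAccessKey"],
        "SessionToken": sts_credentials["SessionToken"],
        "Expiration": expiration.isoformat(timespec="seconds"),
        "Version": 1,
    }

def credentials_for_cli(cached, now, refresh):
    """credential_process entry point: serve the cache while usable, otherwise call refresh()
    (stand-in for prompting for the MFA code and calling STS) and return a fresh document."""
    if cache_is_usable(cached, now):
        return cached
    return to_credential_process_output(refresh())
```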
Override the default profile with attributes from an assume role profile:
$ bastion set-default dev-admin
Setting the 'default' profile with attributes from the 'dev-admin' profile.
$ aws sts get-caller-identity
{
"UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
"Account": "123456789012",
"Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}
Special Usage
awscli-bastion also supports writing sts credentials to the aws shared credential file.
Configure ~/.aws/cli/alias to automate these steps for each profile:
[toplevel]
auth =
  !f() {
    # no argument: bastion prompts for the MFA code; otherwise pass it through
    if [ $# -eq 0 ]
    then
      bastion get-session-token --write-to-shared-credentials-file
    else
      bastion get-session-token --write-to-shared-credentials-file --mfa-code "$1"
    fi
    bastion assume-role dev-admin
    bastion assume-role stage-poweruser
    bastion assume-role prod-spectator
    echo "Successfully assumed roles in all AWS accounts!"
  }; f
Write sts credentials to the aws shared credentials file with our aws auth alias command:
$ aws auth
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!
Now your bastion-sts and assume role profiles will be populated with sts credentials.
We can clear the cached sts credentials with:
$ bastion clear-cache
Clearing the bastion-sts credential cache:
- Deleted the '~/.aws/cli/cache/bastion-sts.json' file.
Clearing sts credentials from the aws shared credentials file:
- Skipping the 'bastion' profile because it may contain long-lived credentials.
- STS credentials were removed from the bastion-sts profile.
- STS credentials were removed from the dev profile.
- STS credentials were removed from the stage profile.
- STS credentials were removed from the prod profile.
Credits
This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.
History
0.1.0 (2019-09-13)
First release on PyPI.
Project details
Source Distribution
File details
Details for the file awscli_bastion-0.5.0.macosx-10.14-x86_64.tar.gz.
File metadata
- Download URL: awscli_bastion-0.5.0.macosx-10.14-x86_64.tar.gz
- Upload date:
- Size: 13.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.14.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.35.0 CPython/3.7.4