Skip to main content

awscli-bastion extends the awscli by managing mfa protected short-lived credentials for an aws bastion account.

Project description

awscli_bastion

https://img.shields.io/pypi/v/awscli_bastion.svg https://img.shields.io/travis/aidanmelen/awscli_bastion.svg Documentation Status Updates

awscli-bastion extends the awscli by managing mfa protected short-lived credentials for an AWS Bastion account.

https://raw.githubusercontent.com/aidanmelen/awscli_bastion/master/docs/awscli-bastion.png

Install

$ pip install awscli-bastion

Configure

  1. Ensure that your AWS Bastion account is configured to use multi-factor authentication and iam roles.

  2. Ensure the awscli is configured as follows:

~/.aws/credentials:

# stores long-lived iam user credentials from the bastion account
# these are fake credentials
[bastion]
aws_access_key_id = ASIA554SXDVIHKO5ACW2
aws_secret_access_key = VLJQKLEqs37HCDG4HgSDrxl1vLNrk9Is8gm0VNfA

# stores short-lived sts.get_session_token() credentials for the bastion account
[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = bastion get-session-token
source_profile = bastion

# assume role profiles store short-lived sts.assume_role() credentials
[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[stage-poweruser]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts

[prod-spectator]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts

~/.aws/config:

[default]
region = us-west-2
output = json

Usage

Run aws commands normally and the credential_process, role_arn, and source_profile will handle the rest:

$ aws sts get-caller-identity --profile dev-admin
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
{
    "UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}

$ aws sts get-caller-identity --profile stage
{
    "UserId": "BBBBBBBBBBBBBBBBBBBBB:botocore-session-2345678901",
    "Account": "345678901234",
    "Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}

$ aws sts get-caller-identity --profile prod
{
    "UserId": "CCCCCCCCCCCCCCCCCCCCC:botocore-session-3456789012",
    "Account": "456789012345",
    "Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}

You will only be prompted for the mfa code when the cached bastion-sts credentials expire.

Special Usage

The bastion sub-commands support writing credentials to the ~/.aws/credentials file in addition to the ~/.aws/cli/cache directory. This is required for tools such as terraform that do not support the awscli cache.

Configure the aws bastion alias sub-command in the ~/.aws/cli/alias to automate the steps for each profile:

[toplevel]

bastion =
    !f() {
        if [ $# -eq 0 ]
        then
            bastion get-session-token --write-to-aws-shared-credentials-file
        else
            bastion get-session-token --write-to-aws-shared-credentials-file --mfa-code $1
        fi
        bastion assume-role dev-admin
        bastion assume-role stage-poweruser
        bastion assume-role prod-spectator
        echo "Successfully assumed roles in all AWS accounts!"
    }; f

Write sts credentials to the aws shared credentials with our aws bastion alias command:

$ aws bastion
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!

Now your bastion-sts and assume role profiles will be populated with sts credentials.

Bastion Minimal

If you are like me, you do not trust open-source tools and libraries to handle admin credentials for your aws accounts. awscli_bastion/minimal.py is written as a script that offers minimal bastion functionality. It is intended to be quick and easy to understand. A minimal number of python libraries are used to reduce security risks.

Configure the aws bastion-minimal alias sub-command in the ~/.aws/cli/alias to automate the steps for each profile:

[toplevel]

bastion-minimal =
    !f() {
        TOKEN_CODE=$1

        bastion-minimal dev-admin $TOKEN_CODE
        bastion-minimal stage-poweruser
        bastion-minimal prod-spectator

        if [ $? == 0 ]
        then
            echo "Successfully assumed roles in all AWS accounts!"
        else
            echo "Failed to assumed roles in all AWS accounts :("
        fi
    }; f

Write sts credentials to the ~/.aws/credentials file with our aws bastion-minimal alias command:

$ aws bastion-minimal 123456
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!

Now your bastion-sts and assume role profiles will be populated with sts credentials.

Credits

This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.

History

0.1.0 (2019-09-13)

  • First release on PyPI.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

awscli_bastion-0.7.0.tar.gz (49.0 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page