awscli_bastion


awscli-bastion extends the awscli by managing MFA-protected, short-lived credentials for an AWS Bastion account.

https://raw.githubusercontent.com/aidanmelen/awscli_bastion/master/docs/awscli-bastion.png

Install

$ pip install awscli-bastion

Configure

  1. Ensure that your AWS Bastion account is configured to use multi-factor authentication and IAM roles.
  2. Ensure the awscli is configured as follows:

~/.aws/credentials:

# these are fake credentials
[bastion]
aws_access_key_id = ASIA554SXDVIHKO5ACW2
aws_secret_access_key = VLJQKLEqs37HCDG4HgSDrxl1vLNrk9Is8gm0VNfA

[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = bastion get-session-token
source_profile = bastion

[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[stage-poweruser]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts

[prod-spectator]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts

~/.aws/config:

[default]
region = us-west-2
output = json

Usage

Run aws commands normally; the credential_process, role_arn, and source_profile settings handle the rest:

$ aws sts get-caller-identity --profile dev-admin
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
{
    "UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
    "Account": "234567890123",
    "Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}

$ aws sts get-caller-identity --profile stage-poweruser
{
    "UserId": "BBBBBBBBBBBBBBBBBBBBB:botocore-session-2345678901",
    "Account": "345678901234",
    "Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}

$ aws sts get-caller-identity --profile prod-spectator
{
    "UserId": "CCCCCCCCCCCCCCCCCCCCC:botocore-session-3456789012",
    "Account": "456789012345",
    "Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}

You will only be prompted for the MFA code when the cached bastion-sts credentials expire.
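As an added example (not awscli-bastion's own code), here is the credential_process contract that the [bastion-sts] profile relies on: the awscli runs the configured command and reads a Version 1 JSON document from its stdout, and a cache checked against Expiration is what keeps the MFA prompt from reappearing until the session-token credentials are about to expire. The cache path, the `fetch` callback and the five-minute refresh margin are assumptions of this example.

```python
import json
import os
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Hypothetical cache location for this example (not awscli-bastion's real path).
CACHE_PATH = os.path.expanduser("~/.aws/cli/cache/bastion-sts-example.json")


def parse_expiration(value: str) -> datetime:
    """Parse the ISO 8601 timestamp STS returns, e.g. 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credentials_valid(creds: Optional[Dict[str, str]], now: datetime,
                      margin: timedelta = timedelta(minutes=5)) -> bool:
    """True if creds exist and do not expire within `margin` of `now`."""
    if not creds or "Expiration" not in creds:
        return False
    return parse_expiration(creds["Expiration"]) - margin > now


def to_credential_process_output(creds: Dict[str, str]) -> Dict[str, object]:
    """The JSON shape the awscli expects on stdout from a credential_process."""
    return {"Version": 1,
            "AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretAccessKey"],
            "SessionToken": creds["SessionToken"],
            "Expiration": creds["Expiration"]}


def get_session_token(fetch: Callable[[], Dict[str, str]],
                      cache_path: str = CACHE_PATH,
                      now: Optional[datetime] = None) -> Dict[str, object]:
    """Return credential_process output, reusing the cache while it is valid.
    `fetch` gets fresh creds (bastion-sts: MFA prompt + sts:GetSessionToken)
    and runs only when the cache is missing or about to expire."""
    now = now or datetime.now(timezone.utc)
    cached = None
    if os.path.exists(cache_path):
        with open(cache_path) as fh:
            cached = json.load(fh)
    if not credentials_valid(cached, now):
        cached = fetch()  # the MFA prompt happens inside fetch
        os.makedirs(os.path.dirname(cache_path), exist_ok=True)
        with open(cache_path, "w") as fh:
            json.dump(cached, fh)
        os.chmod(cache_path, 0o600)  # credentials: owner read/write only
    return to_credential_process_output(cached)
```

A real credential_process would end with `print(json.dumps(get_session_token(...)))`, since the awscli reads the document from stdout.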

Special Usage

The bastion sub-commands can also write credentials to the ~/.aws/credentials file, in addition to the ~/.aws/cli/cache directory. This is required for tools such as Terraform that do not read the awscli cache.

Configure an aws bastion alias sub-command in ~/.aws/cli/alias to automate the steps for each profile:

[toplevel]

bastion =
    !f() {
        # Get MFA-protected session-token credentials, prompting for the code
        # unless it was passed as the first argument; stop if that fails.
        if [ $# -eq 0 ]
        then
            bastion get-session-token --write-to-aws-shared-credentials-file || return 1
        else
            bastion get-session-token --write-to-aws-shared-credentials-file --mfa-code "$1" || return 1
        fi
        # Assume each role with the bastion-sts credentials; only report
        # success when every assume-role call succeeded.
        bastion assume-role dev-admin &&
        bastion assume-role stage-poweruser &&
        bastion assume-role prod-spectator &&
        echo "Successfully assumed roles in all AWS accounts!"
    }; f

Write STS credentials to the AWS shared credentials file with the aws bastion alias:

$ aws bastion
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!

Your bastion-sts and assume-role profiles are now populated with STS credentials.
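The two mechanics the alias depends on, as an added Python example rather than the project's own code: resolving a profile's source_profile chain (dev-admin -> bastion-sts -> the first profile that can mint credentials itself) and writing temporary STS credentials into one profile of the shared credentials file without disturbing the other sections. The sample file contents, key values and function names are constructed for this example.

```python
import configparser
import os

# Constructed sample mirroring the README's ~/.aws/credentials (fake values).
SAMPLE_CREDENTIALS = """\
[bastion]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = examplesecretkeyexamplesecretkey

[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/example-user
credential_process = bastion get-session-token
source_profile = bastion

[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts
"""

def load_credentials(path):
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return cfg

def resolve_chain(cfg, profile):
    """Follow source_profile links from `profile` to the first profile that
    mints credentials itself (static keys or a credential_process)."""
    chain, seen = [], set()
    while True:
        if profile in seen or not cfg.has_section(profile):
            raise ValueError(f"bad source_profile chain at {profile!r}")
        seen.add(profile)
        chain.append(profile)
        sec = cfg[profile]
        if "aws_access_key_id" in sec or "credential_process" in sec:
            return chain
        profile = sec["source_profile"]

def write_sts_credentials(path, profile, creds):
    """Write temporary STS credentials into `profile` (as the
    --write-to-aws-shared-credentials-file flag does), leaving others intact."""
    cfg = load_credentials(path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # credentials file: owner read/write only
```

configparser does not preserve comments, so a file with hand-written comments (like the README's "# these are fake credentials") loses them on rewrite.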

Bastion Minimal

If, like me, you do not trust open-source tools and libraries to handle admin credentials for your AWS accounts, awscli_bastion/minimal.py is written as a stand-alone script that offers minimal bastion functionality. It is intended to be quick and easy to read and audit, and it uses a minimal number of Python libraries to reduce security risks.

Configure an aws bastion-minimal alias sub-command in ~/.aws/cli/alias to automate the steps for each profile:

[toplevel]

bastion-minimal =
    !f() {
        TOKEN_CODE="$1"

        # Chain the calls so the status check below covers every step,
        # not just the last one. Only the first call needs the MFA code.
        bastion-minimal dev-admin "$TOKEN_CODE" &&
        bastion-minimal stage-poweruser &&
        bastion-minimal prod-spectator

        if [ $? -eq 0 ]
        then
            echo "Successfully assumed roles in all AWS accounts!"
        else
            echo "Failed to assume roles in all AWS accounts :("
        fi
    }; f

Write STS credentials to the ~/.aws/credentials file with the aws bastion-minimal alias:

$ aws bastion-minimal 123456
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!

Your bastion-sts and assume-role profiles are now populated with STS credentials.

Credits

This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.