awscli_bastion¶
- Free software: Apache Software License 2.0
- Documentation: https://awscli-bastion.readthedocs.io.
awscli-bastion extends the awscli by managing mfa protected short-lived credentials for an AWS Bastion account.
Install¶
$ pip install awscli-bastion
Configure¶
- Ensure that your AWS Bastion account is configured to use multi-factor authentication and iam roles.
- Ensure the
awscli
is configured as follows:
~/.aws/credentials:
# these are fake credentials
[bastion]
aws_access_key_id = ASIA554SXDVIHKO5ACW2
aws_secret_access_key = VLJQKLEqs37HCDG4HgSDrxl1vLNrk9Is8gm0VNfA
[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = bastion get-session-token
source_profile = bastion
[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts
[stage-poweruser]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts
[prod-spectator]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts
~/.aws/config:
[default]
region = us-west-2
output = json
Usage¶
Run aws
commands normally and the credential_process, role_arn, and source_profile will handle the rest:
$ aws sts get-caller-identity --profile dev-admin
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
{
"UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
"Account": "123456789012",
"Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}
$ aws sts get-caller-identity --profile stage
{
"UserId": "BBBBBBBBBBBBBBBBBBBBB:botocore-session-2345678901",
"Account": "345678901234",
"Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}
$ aws sts get-caller-identity --profile prod
{
"UserId": "CCCCCCCCCCCCCCCCCCCCC:botocore-session-3456789012",
"Account": "456789012345",
"Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}
You will only be prompted for the mfa code when the cached bastion-sts credentials expire.
Special Usage¶
The bastion
sub-commands support writing credentials to the ~/.aws/credentials file in addition to the ~/.aws/cli/cache directory.
This is required for tools such as terraform that do not support the awscli cache.
Configure the aws bastion
alias sub-command in the ~/.aws/cli/alias to automate the steps for each profile:
[toplevel]
bastion =
!f() {
if [ $# -eq 0 ]
then
bastion get-session-token --write-to-aws-shared-credentials-file
else
bastion get-session-token --write-to-aws-shared-credentials-file --mfa-code $1
fi
bastion assume-role dev-admin
bastion assume-role stage-poweruser
bastion assume-role prod-spectator
echo "Successfully assumed roles in all AWS accounts!"
}; f
Write sts credentials to the aws shared credentials with our aws bastion
alias command:
$ aws bastion
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!
Now your bastion-sts and assume role profiles will be populated with sts credentials.
Bastion Minimal¶
If you are like me, you do not trust open-source tools and libraries to handle admin credentials for your aws accounts. awscli_bastion/minimal.py is written as a script that offers minimal bastion functionality. It is intended to be quick and easy to understand. A minimal number of python libraries are used to reduce security risks.
Configure the aws bastion-minimal
alias sub-command in the ~/.aws/cli/alias to automate the steps for each profile:
[toplevel]
bastion-minimal =
!f() {
TOKEN_CODE=$1
bastion-minimal dev-admin $TOKEN_CODE
bastion-minimal stage-poweruser
bastion-minimal prod-spectator
if [ $? == 0 ]
then
echo "Successfully assumed roles in all AWS accounts!"
else
echo "Failed to assumed roles in all AWS accounts :("
fi
}; f
Write sts credentials to the ~/.aws/credentials file with our aws bastion-minimal
alias command:
$ aws bastion-minimal 123456
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!
Now your bastion-sts and assume role profiles will be populated with sts credentials.
Credits¶
This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.