{"id":45978032,"url":"https://github.com/corbaltcode/kion","last_synced_at":"2026-02-28T17:07:58.158Z","repository":{"id":153917361,"uuid":"616664204","full_name":"corbaltcode/kion","owner":"corbaltcode","description":"App that automatically fetches credentials from Kion","archived":false,"fork":false,"pushed_at":"2024-04-19T18:37:39.000Z","size":42,"stargazers_count":9,"open_issues_count":3,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-04-22T00:20:01.585Z","etag":null,"topics":["aws","cloudtamer","kion","terraform"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/corbaltcode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-03-20T20:44:54.000Z","updated_at":"2024-04-25T00:33:42.394Z","dependencies_parsed_at":"2024-04-25T00:33:34.929Z","dependency_job_id":"4cd24786-0a61-4f3d-9440-2183d2110028","html_url":"https://github.com/corbaltcode/kion","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/corbaltcode/kion","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corbaltcode%2Fkion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corbaltcode%2Fkion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corbaltcode%2Fkion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corbaltcode%2Fkion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/corbaltcode","download_url":"
https://codeload.github.com/corbaltcode/kion/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corbaltcode%2Fkion/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29943810,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T13:49:17.081Z","status":"ssl_error","status_checked_at":"2026-02-28T13:48:50.396Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloudtamer","kion","terraform"],"created_at":"2026-02-28T17:07:56.118Z","updated_at":"2026-02-28T17:07:57.233Z","avatar_url":"https://github.com/corbaltcode.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kion Tool\n\nThe Kion tool is a command-line app that automatically fetches credentials from [Kion](https://kion.io) (formerly cloudtamer) when you run commands such as `aws` and `terraform`. See [Scenario: Terraform](#scenario-terraform) for an example of how it works fully configured.\n\nThe tool has three primary subcommands:\n\n1. `credentials` – Creates and prints temporary AWS credentials in various formats\n2. 
`credential-process` – Acts as a [credential process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html), allowing the AWS CLI and tools such as Terraform to transparently fetch credentials\n3. `console` – Opens the AWS console logged in to a certain account as a certain role\n\nFor help on a subcommand, run `kion help [subcommand]`. For a full list of subcommands, run `kion help`.\n\n## Installation\n\nInstall [Go 1.19 or above](https://go.dev/doc/install). Then:\n\n```\n$ go install github.com/corbaltcode/kion/cmd/kion@latest\n```\n\n## Setup\n\nRun `kion setup` to set up kion interactively. This subcommand asks for your Kion host, login info, and other settings and writes `~/.config/kion/config.yml` similar to the following:\n\n```yaml\napp-api-key-duration: 168h0m0s\nhost: kion.example.com\nidms: 1\nrotate-app-api-keys: true\nsession-duration: 1h0m0s\nusername: alice\n```\n\n## Fetching Credentials\n\nThe `credentials` subcommand fetches and prints credentials:\n\n```\n$ kion credentials --account-id 123412341234 --cloud-access-role my-role\n\naws_access_key_id = ASIAUJXFFQ7OTYJMNHWO\naws_secret_access_key = EacVBgDmom1RVwV+v78+ijNjIJAtOoUJeWQ3tVJ0\naws_session_token = FwoGZXIvYXdzEA8aDBN8L9LFhehhIpoaICKoAbwe ...\n```\n\nWith `--format export`, credentials are printed in a format that can be evaluated to set environment variables:\n\n```\n$ kion credentials --account-id 123412341234 --cloud-access-role my-role --format export | source\n$ aws sts get-caller-identity\n\n{\n    \"UserId\": \"ASIAUJXFFQ7OTYJMNHWO:alice\",\n    \"Account\": \"123412341234\",\n    \"Arn\": \"arn:aws:sts::123412341234:assumed-role/my-role/alice\"\n}\n```\n\nThe `credentials` subcommand also supports JSON:\n\n```\n$ kion credentials --account-id 123412341234 --cloud-access-role my-role --format json | jq -r .access_key\n\nASIAUJXFFQ7OTYJMNHWO\n```\n\n## Launching the AWS Console\n\nThe `console` subcommand launches the AWS console as a certain role in a 
certain account:\n\n```\n### Opens a browser\n$ kion console --account-id 123412341234 --cloud-access-role my-role\n```\n\n## Config and kion.yml\n\nThe Kion tool searches the following locations for arguments, in this order:\n\n1. Command line\n2. `kion.yml` in the working directory\n3. `~/.config/kion/config.yml`\n\nIf a directory is associated with a particular AWS account and role, you can avoid repeatedly supplying arguments on the command line by putting them in `kion.yml`. For example, in `/path/to/workspace`, create the following `kion.yml`:\n\n```yaml\naccount-id: \"123412341234\"\ncloud-access-role: my-role\n```\n\nThen the `credentials` and `console` commands can be reduced to:\n \n```\n$ cd /path/to/workspace\n\n### Fetches credentials for role my-role in account 123412341234\n$ kion credentials\n\n### Opens the AWS console for role my-role in account 123412341234\n$ kion console\n```\n\n## AWS CLI Credential Process\n\nThe AWS CLI can get credentials from another program called  a [credential process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html).\n\nTo use the Kion tool as a credential process, create an AWS profile with the `credential_process` setting, supplying the full path to `kion` and using the `credential-process` subcommand:\n\n```\n[profile my-profile]\ncredential_process = /path/to/kion credential-process --account-id 123412341234 --cloud-access-role my-role\n```\n\nNow specify this profile when you run AWS CLI commands:\n\n```\n$ aws --profile my-profile sts get-caller-identity\n```\n\nIn directories with `kion.yml`, arguments are supplied by the file, so you can use a more general profile:\n\n```\n[profile kion]\ncredential_process = /path/to/kion credential-process\n```\n\nExporting `AWS_PROFILE` allows you to omit `--profile` so that you need no extra arguments:\n\n```\n$ export AWS_PROFILE=kion\n\n### In a directory with kion.yml\n$ aws sts get-caller-identity\n```\n\n## Credential Process 
Caching\n\nTo avoid repeatedly fetching credentials, `kion credential-process` caches credentials on disk. The creation time of each set of credentials is recorded, and new credentials are fetched when the session duration has elapsed. The session duration is given in the `session-duration` argument. `kion setup` asks for this value and saves it to `~/.config/kion/config.yml`.\n\n## App API Keys\n\nTo reduce the use of highly privileged user credentials, Kion supports authentication with App API Keys. `kion setup` creates an App API Key by default and configures the tool to use it.\n\nYour App API Key has a short lifetime (e.g. a week), so you must rotate it regularly. To do so, use the `key` subcommand:\n\n```\n$ kion key rotate\n```\n\nIf `rotate-app-api-keys` is set to `true` in `~/.config/kion/config.yml`, the Kion tool will automatically rotate your App API Key within three days of expiration when any primary command is run. (`kion setup` enables automatic rotation by default.)\n\nThe `key` subcommand also handles the situation where your key expires — for example, you don't run the Kion tool for a while. The `--force` flag permits the tool to overwrite an existing, possibly expired key:\n\n```\n### May prompt for user credentials\n$ kion key create --force\n```\n\n## User Credentials\n\nIf you choose not to use an App API Key, `kion setup` stores user credentials in the system keyring (Secret Service on Linux, Keychain on macOS, Credential Manager on Windows).\n\nTo update the user credentials in the system keyring (e.g. your password changes), use the interactive `login` subcommand:\n\n```\n$ kion login\n```\n\nTo remove credentials from the system keychain:\n\n```\n$ kion logout\n```\n\n## Printing Access Info\n\nThe `access` subcommand prints the current user's Cloud Access Roles and associated accounts. 
Each line contains a Cloud Access Role, account ID, and account name:\n\n```\n$ kion access\nrole1\t123412341234\taccount1\nrole1\t234123412341\taccount2\nrole2\t123412341234\taccount1\nrole2\t234123412341\taccount2\n```\n\nThe list can be filtered with the `--cloud-access-role` (`-r`), `--account-id`, and `--account` flags:\n\n```\n$ kion access --cloud-access-role role1\nrole1\t123412341234\taccount1\nrole1\t234123412341\taccount2\n```\n\n## Scenario: Terraform\n\nCombining the features above, you can configure Terraform to fetch credentials from Kion transparently.\n\n### 1. Create kion.yml\n\nIn `/path/to/terraform/workspace/kion.yml`:\n\n```yaml\naccount-id: \"123412341234\"\ncloud-access-role: my-role\n```\n\n### 2. Create AWS profile\n\nIn `~/.aws/config`:\n\n```\n[profile kion]\ncredential_process = /path/to/kion credential-process\n```\n\n### 3. Set profile in Terraform provider block\n\n```hcl\nprovider \"aws\" {\n  profile = \"kion\"\n}\n```\n\n### 4. Run Terraform commands\n\n```\n$ cd /path/to/terraform/workspace\n$ terraform plan\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorbaltcode%2Fkion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcorbaltcode%2Fkion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorbaltcode%2Fkion/lists"}