{"id":20248022,"url":"https://github.com/eddiecorrigall/awscli-ext","last_synced_at":"2026-05-13T02:10:50.802Z","repository":{"id":83993601,"uuid":"247137048","full_name":"eddiecorrigall/awscli-ext","owner":"eddiecorrigall","description":"Command-line extensions to awscli","archived":false,"fork":false,"pushed_at":"2022-01-14T00:49:59.000Z","size":28,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-14T02:22:36.643Z","etag":null,"topics":["account-management","aws","cli","prompt","sts"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eddiecorrigall.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-13T18:26:59.000Z","updated_at":"2023-02-14T02:24:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"1bfa2b1f-cd05-42a5-8e4e-cf112bd102aa","html_url":"https://github.com/eddiecorrigall/awscli-ext","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eddiecorrigall%2Fawscli-ext","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eddiecorrigall%2Fawscli-ext/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eddiecorrigall%2Fawscli-ext/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eddiecorrigall%2Fawscli-ext/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/eddiecorrigall","download_url":"https://codeload.github.com/eddiecorrigall/awscli-ext/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241696157,"owners_count":20004741,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["account-management","aws","cli","prompt","sts"],"created_at":"2024-11-14T09:44:44.023Z","updated_at":"2026-05-13T02:10:45.763Z","avatar_url":"https://github.com/eddiecorrigall.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# awscli-ext\nCommand-line extensions to awscli.\n\nThe purpose of these tools is to add functionality and usability where the awscli is lacking, specifically a command-line user experience that helps the user know the context of the current AWS profile. Without an easy way to see which AWS profile and account you are using, it is easy to make assumptions and mistakes. 
Imagine thinking you are working with staging credentials and accidentally applying changes to production.\n\nAlong with a pretty command-line prompt, these commands allow you to administer AWS user groups with a custom access policy.\n\n## Installation\n\nEnsure that the awscli is installed.\n\n```bash\npip3 install --upgrade --user awscli\n```\n\nAdd the following to `~/.bash_profile` if you are using OSX; otherwise add it to `~/.bashrc`.\n\n```bash\n#!/bin/bash\n\nif [[ -f /path/to/awscli.ext.sh ]]; then\n    source /path/to/awscli.ext.sh\nfi\n```\n\n### Install Prompt\n\nAdd the following command to `~/.bashrc` (or `~/.bash_profile` on OSX).\n\n```bash\nexport PROMPT_COMMAND='echo $(aws_ps1)'\n```\n\nOpen a new terminal window; the prompt should now look something like this:\n\n```\nprofile:default ⬢\nthehostname:~ theuser$\n```\n\nThe red stop sign (\u003cspan style=\"color:#FF0000\"\u003e⬢\u003c/span\u003e) means that `AWS_SESSION_TOKEN` is empty or has expired.\n\nA green up-arrow (\u003cspan style=\"color:#32CD32;\"\u003e▲\u003c/span\u003e) means that `AWS_SESSION_TOKEN` is set and has not expired. 
The prompt also shows the number of seconds the token has left.\n\n```bash\nprofile:default ▲ [403s]\nthehost:~ theuser$\n```\n\nAlternatively, if your bash profile already defines `PROMPT_COMMAND`, you can incorporate the helper commands or environment variables below to design your own prompt.\n\n## Bash Functions\n\n### AWS Environment Variables\n- `aws_env_clear` (interactive)\n- `aws_env_export_user_name` (interactive)\n- `aws_env_export_account_alias` (interactive)\n- `aws_env_export` (interactive)\n- `aws_env_print_profile` (stdout text)\n- `aws_env_print_default_region` (stdout text)\n- `aws_env_print_account_alias` (stdout text)\n- `aws_env_print_user_name` (stdout text)\n- `aws_env_print` (stdout text)\n\n### AWS Profile\n- `aws_profile_add` (interactive)\n- `aws_profile_get` (interactive)\n- `aws_profile_set` (interactive)\n- `aws_profile_reset` (interactive)\n- `aws_profile_prompt` (stdout text)\n\n### AWS Simple Token Service (STS)\n- `aws_sts_remaining_seconds` (stdout number)\n- `aws_sts_is_expired` (stdout boolean)\n- `aws_sts_get_session_token` (interactive)\n- `aws_sts_prompt` (stdout text)\n\n### BASH PS1\n- `aws_ps1` (stdout text)\n\n## Environment Variables\n\nOfficial AWS environment variables:\n- `AWS_PROFILE`\n- `AWS_ACCESS_KEY_ID`\n- `AWS_SECRET_ACCESS_KEY`\n- `AWS_SESSION_TOKEN`\n\nUnofficial AWS environment variables:\n- `AWS_USER_NAME`\n- `AWS_ACCOUNT_ALIAS`\n- `AWS_STS_EXPIRY_ISO8601`\n- `AWS_STS_EXPIRY_EPOCH`\n\n## Run tests\n\n```bash\n# https://github.com/bats-core/bats-core\nbats awscli.ext.bats\n```\n\n## Use Case\n\n### User Group Policy with Multi-factor Condition\n\nEasily get STS tokens and set up the local environment variables to satisfy an MFA condition in a policy, gaining temporary credentials for write access to an AWS account.\n\nRead more about conditional access policies [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html).\n\n### Instructions\n\n1. 
Use the AWS CloudFormation [employee access stack](cloudformation/employee-access-stack.yaml) to create the user groups: billing, engineering, and readonly.\n2. Navigate to the AWS IAM dashboard and move users into the appropriate groups.\n3. Have users [enable MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) so they can perform self-service.\n\n#### Group: Billing\n\nUsers in this group can view the billing portal.\n\n#### Group: ReadOnly\n\nUsers in this group use the AWS managed policy IAMReadOnlyAccess.\n\n#### Group: Engineering\n\nUsers in this group have IAMReadOnlyAccess until an MFA code is completed with AWS STS.\n\nFor example, when the user logs into the AWS Console and completes the MFA process, they assume a custom policy, `AllowEngineeringAccess`. It is up to the user of this configuration to choose what this policy does; the example allows all AWS actions on all AWS resources.\n\nLikewise, when the user requests an STS token and completes the process with an MFA code, they assume the custom policy `AllowEngineeringAccess` as well.\n\nBy default, an AWS profile that a user in the Engineering group generates for programmatic CLI use has only `IAMReadOnlyAccess`. Whether `AllowEngineeringAccess` applies depends on whether the user has completed an STS token request with a valid MFA code and is using the resulting temporary credentials.\n\n### Demo\n\nThis example demonstrates that the holder of the AWS Secret Access Key must provide an MFA code to gain write access to an AWS account; otherwise the credentials have read-only access.\n\n1. Create a programmatic user called `developer` with the AWS IAM console.\n1. Keep a copy of the AWS Access Key ID and AWS Secret Access Key for later steps.\n1. Assign an MFA device; an MFA code is required for the demo.\n1. Add the new `developer` user to the `DeveloperAccess` IAM group.\n1. 
Then open a terminal and enter the following commands.\n\n```bash\naws_profile_add developer\n# Prompted for:\n#  AWS Access Key ID (secret)\n#  AWS Secret Access Key (secret)\n#  Default region name (eg. ca-central-1)\n#  Default output format (eg. json)\n\n# Set the AWS profile to developer\naws_profile_set developer\n\n# List all s3 buckets visible to the user\naws s3 ls\n\n# Attempt to create a bucket (should fail with AccessDenied)\naws s3 mb s3://some-unique-bucket-name\n\naws_sts_get_session_token\n# Prompted for: One-time Password (MFA Code)\n\n# Attempt to create a bucket again (should succeed)\naws s3 mb s3://some-unique-bucket-name\n\n# Cleanup: remove bucket\naws s3 rb s3://some-unique-bucket-name\n\n# Restore original profile, including the temporary access token\naws_profile_reset\n\n# Attempt to create a bucket again (should fail with AccessDenied)\naws s3 mb s3://some-unique-bucket-name\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feddiecorrigall%2Fawscli-ext","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feddiecorrigall%2Fawscli-ext","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feddiecorrigall%2Fawscli-ext/lists"}