{"id":15404524,"url":"https://github.com/k1low/awsdo","last_synced_at":"2025-04-15T06:12:44.759Z","repository":{"id":42018535,"uuid":"306234604","full_name":"k1LoW/awsdo","owner":"k1LoW","description":"awsdo is a tool to do anything using AWS temporary credentials.","archived":false,"fork":false,"pushed_at":"2025-04-13T23:27:09.000Z","size":201,"stargazers_count":26,"open_issues_count":1,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-15T06:12:37.305Z","etag":null,"topics":["assume-role","aws","aws-identity-center","get-session-token","mfa","sso-login"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/k1LoW.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"k1LoW","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2020-10-22T05:43:14.000Z","updated_at":"2025-04-09T03:52:18.000Z","dependencies_parsed_at":"2024-05-07T14:31:02.465Z","dependency_job_id":"c1b880ec-bb90-4acf-84ef-c573e4bf3b9b","html_url":"https://github.com/k1LoW/awsdo","commit_stats":{"total_commits":110,"total_committers":5,"mean_commits":22.0,"dds":"0.18181818181818177","last_synced_commit":"ad8ceea8953092da3ea825b79f5238be47e56fec"},"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Fawsdo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Fawsdo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Fawsdo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Fawsdo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/k1LoW","download_url":"https://codeload.github.com/k1LoW/awsdo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249016638,"owners_count":21198833,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assume-role","aws","aws-identity-center","get-session-token","mfa","sso-login"],"created_at":"2024-10-01T16:13:31.167Z","updated_at":"2025-04-15T06:12:44.736Z","avatar_url":"https://github.com/k1LoW.png","language":"Go","funding_links":["https://github.com/sponsors/k1LoW"],"categories":[],"sub_categories":[],"readme":"# awsdo\n\n`awsdo` is a tool to do anything using AWS temporary credentials.\n\n## Usage\n\n`awsdo` does anything with temporary credentials generated using the same functions as `aws sts get-session-token`, `aws sts assume-role` and `aws sso login`.\n\n### As command wrapper\n\n``` console\n$ AWS_PROFILE=myaws awsdo -- terraform apply\nEnter MFA code for arn:aws:iam::111111111111:mfa/k1low: 123456\n[...]\n```\n\n### As env exporter\n\nWhen `awsdo` is executed with no arguments, `awsdo` outputs shell script to export AWS credentials environment variables like [`aswrap`](https://github.com/fujiwara/aswrap).\n\n``` console\n$ AWS_PROFILE=myaws awsdo\nEnter MFA code for arn:aws:iam::111111111111:mfa/k1low: 123456\nexport AWS_REGION=ap-northeast-1\nexport AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXX\nexport AWS_SECRET_ACCESS_KEY=vl/Zv5hGxdy1DPh7IfpYwP/YKU8J6645...\nexport AWS_SESSION_TOKEN=FwoGZXIYXdGUaFij9VStcW9fcbuKCKGAWjLxF/3hXgGSoemniFV...\n```\n\nIf you want to set credentials in a current shell by `eval`, you can use `--token-code` to set the MFA token code.\n\n``` console\n$ eval \"$(awsdo --profile myaws --token-code 123456)\"\n```\n\n### As AWS management console login supporter\n\nLogin to the AWS management console from a terminal using generaged login link by `awsdo`.\n\n``` console\n$ AWS_PROFILE=myaws awsdo --login\n```\n\n## Required IAM permissions\n\n- `iam:ListMFADevices`\n- `sts:AssumeRole`\n- `sts:GetSessionToken`\n\n## How `awsdo` works\n\n- Load `~/.aws/credentials` and `~/.aws/config`.\n- Get temporary credentials.\n    1. If the section has `aws_session_token`, `awsdo` use that.\n        - Find profile ( section of `AWS_PROFILE` or `--profile` ).\n        - **Get temporary credentials :key:**.\n    2. If `--role-arn` is set, `awsdo` tries to assume role ( `sts:AssumeRole` ).\n        - Find profile ( section of `AWS_PROFILE` or `--profile` ).\n        - `awsdo` tries to get the MFA device serial number ( `iam:ListMFADevices` ).\n        - If `awsdo` get MFA device serial number, it uses multi-factor authentication.\n        - **Get temporary credentials :key:**.\n    3. If the section has `role_arn`, `awsdo` tries to assume role ( `sts:AssumeRole` ).\n        - Find profile ( section of `AWS_PROFILE` or `--profile` ).\n        - If the section does not have `mfa_serial`, `awsdo` tries to get the MFA device serial number ( `iam:ListMFADevices` ).\n        - If `awsdo` get MFA device serial number, it uses multi-factor authentication.\n        - **Get temporary credentials :key:**.\n    4. If the section has `sso_session`, `awsdo` tries to SSO login.\n        - Find profile ( section of `AWS_PROFILE` or `--profile` ).\n        - `awsdo` tries to SSO login like `aws sso login`.\n        - **Get temporary credentials :key:**.\n    5. Else, `awsdo` try to get session token ( `sts:getSessionToken` ).\n        - Find profile ( section of `AWS_PROFILE` or `--profile` ).\n        - If the section does not have `mfa_serial`, `awsdo` tries to get the MFA device serial number ( `iam:ListMFADevices` ).\n        - If `awsdo` get MFA device serial number, it uses multi-factor authentication.\n        - **Get temporary credentials :key:**.\n- Set the temporary credentials to environment variables and execute command or export environment variables.\n    - `AWS_ACCESS_KEY_ID`\n    - `AWS_SECRET_ACCESS_KEY`\n    - `AWS_SESSION_TOKEN`\n    - `AWS_REGION`\n\n## Example\n\n### Assume Role on CI\n\n``` yaml\nname: AWS example workflow\non:\n  push\npermissions:\n  id-token: write\n  contents: read\njobs:\n  assumeRole:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v2\n      - uses: aws-actions/configure-aws-credentials@v1\n        with:\n          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/example-role\n          aws-region: ${{ secrets.AWS_REGION }}\n      - name: Run as ${{ secrets.AWS_ACCOUNT }}\n        run: |\n          aws sts get-caller-identity\n      - name: Setup awsdo\n        run: |\n          export AWSDO_VERSION=X.X.X\n          curl -L https://git.io/dpkg-i-from-url | bash -s -- https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.deb\n      - name: Run as ${{ secrets.AWS_ANOTHER_ACCOUNT }} using awsdo\n        run: |\n          awsdo --role-arn=arn:aws:iam::${{ secrets.AWS_ANOTHER_ACCOUNT }}:role/another-example-role -- aws sts get-caller-identity\n```\n\n## Install\n\n**deb:**\n\n``` console\n$ export AWSDO_VERSION=X.X.X\n$ curl -o awsdo.deb -L https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.deb\n$ dpkg -i awsdo.deb\n```\n\n**RPM:**\n\n``` console\n$ export AWSDO_VERSION=X.X.X\n$ yum install https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.rpm\n```\n\n**homebrew tap:**\n\n```console\n$ brew install k1LoW/tap/awsdo\n```\n\n**[aqua](https://aquaproj.github.io/):**\n\n```console\n$ aqua g -i k1LoW/awsdo\n```\n\n**manually:**\n\nDownload binary from [releases page](https://github.com/k1LoW/awsdo/releases)\n\n**go install:**\n\n```console\n$ go install github.com/k1LoW/awsdo@latest\n```\n\n## References\n\n- [aswrap](https://github.com/fujiwara/aswrap) - AWS assume role credential wrapper.\n- [aws-vault](https://github.com/99designs/aws-vault) - A vault for securely storing and accessing AWS credentials in development environments.\n- [aws-sso-go](https://github.com/mrtc0/aws-sso-go) - A utility tool that allows credentials to be saved in 1Password even in an AWS SSO environment.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk1low%2Fawsdo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk1low%2Fawsdo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk1low%2Fawsdo/lists"}