{"id":43350770,"url":"https://github.com/threadwaste/finto","last_synced_at":"2026-02-02T02:22:28.136Z","repository":{"id":57569028,"uuid":"42317941","full_name":"threadwaste/finto","owner":"threadwaste","description":"An experiment to ease the burden of AWS STS's assume role on a workstation. ","archived":false,"fork":false,"pushed_at":"2017-02-09T21:38:05.000Z","size":2338,"stargazers_count":17,"open_issues_count":1,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-06-20T11:11:08.300Z","etag":null,"topics":["arn","assume-role","aws","aws-sts","workstations"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/threadwaste.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-09-11T15:55:21.000Z","updated_at":"2024-04-10T19:29:27.000Z","dependencies_parsed_at":"2022-08-30T04:25:24.352Z","dependency_job_id":null,"html_url":"https://github.com/threadwaste/finto","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/threadwaste/finto","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threadwaste%2Ffinto","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threadwaste%2Ffinto/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threadwaste%2Ffinto/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threadwaste%2Ffinto/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/threadwaste","download_url":"https://codeload.github.com/threadwaste/finto/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threadwaste%2Ffinto/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29001653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-02T01:32:03.847Z","status":"online","status_checked_at":"2026-02-02T02:00:07.448Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arn","assume-role","aws","aws-sts","workstations"],"created_at":"2026-02-02T02:22:27.562Z","updated_at":"2026-02-02T02:22:28.130Z","avatar_url":"https://github.com/threadwaste.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# finto\n\n[![Build Status](https://travis-ci.org/threadwaste/finto.svg?branch=master)](https://travis-ci.org/threadwaste/finto)\n\n**finto (-a)** /'finto (-a)/ *agg* **1** posticcio; artificiàle\n\n## Overview\n\nfinto is a web server that emulates EC2 instance profile roles on a workstation\nthrough STS's assume role function. It was born as an experiment to ease local\ninteraction with AWS services in a deeply-federated, role-based environment.\nfinto ships with a basic API for moving between roles, and handles credentials\ncaching and expiration.\n\n## Installation\n\nAt its simplest:\n\n    go get github.com/threadwaste/finto/cmd/finto\n\n## Usage\n\n    Usage of finto:\n      -addr=\"169.254.169.254\": bind to addr\n      -config=\"/home/demo/.fintorc\": location of config file\n      -log=\"\": log http to file\n      -port=16925: listen on port\n\nWhile running, finto provides credentials to EC2 instance profile providers.\nThis provider is last in the default provider chain of each SDK. For more\ninformation, refer to the official documentation on [EC2 instance profile\nroles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) and the [standardized credentials interface](https://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs).\n\nBelow is sample output of finto serving credentials to the AWS CLI:\n\n    $ aws s3 ls --debug\n    \u003ctruncated\u003e\n    2016-01-03 11:52:01,895 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env\n    2016-01-03 11:52:01,895 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role\n    2016-01-03 11:52:01,895 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file\n    2016-01-03 11:52:01,896 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file\n    2016-01-03 11:52:01,896 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file\n    2016-01-03 11:52:01,896 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config\n    2016-01-03 11:52:01,897 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role\n    2016-01-03 11:52:01,902 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 169.254.169.254\n    2016-01-03 11:52:01,904 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - \"GET /latest/meta-data/iam/security-credentials/ HTTP/1.1\" 200 5\n    2016-01-03 11:52:02,259 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - \"GET /latest/meta-data/iam/security-credentials/example HTTP/1.1\" 200 635\n    2016-01-03 11:52:02,261 - MainThread - botocore.credentials - INFO - Found credentials from IAM Role: example\n    \u003ctruncated\u003e\n    2016-01-03 11:52:03,282 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListBuckets: calling handler \u003cawscli.errorhandler.ErrorHandler object at 0x10483fc90\u003e\n    2016-01-03 11:52:03,282 - MainThread - awscli.errorhandler - DEBUG - HTTP Response Code: 200\n\nfinto also includes an API for bouncing between available roles. Helper\nfunctions for bash and fish shells are available.\n\n    $ curl 169.254.169.254/roles\n    {\"roles\":[\"example\",\"example2\"]}\n    $ curl 169.254.169.254/roles/example\n    {\"arn\":\"arn:aws:iam::123456789012:role/example\",\"session_name\":\"finto-example\"}\n    $ curl 169.254.169.254/roles/example/credentials\n    {\n      \"AccessKeyId\": \"\u003credacted\u003e\",\n      \"Code\": \"Success\",\n      \"Expiration\": \"2016-01-03T19:40:30Z\",\n      \"LastUpdated\": \"2015-07-07T23:06:33Z\",\n      \"SecretAccessKey\": \"\u003credacted\u003e\",\n      \"Token\": \"\u003credacted\u003e\",\n      \"Type\": \"AWS-HMAC\"\n    }\n    $ curl 169.254.169.254/latest/meta-data/iam/security-credentials/\n    example\n    $ curl -XPUT -d'{\"alias\":\"example2\"}' 169.254.169.254/roles\n    {\"active_role\":\"example2\"}\n    $ curl 169.254.169.254/latest/meta-data/iam/security-credentials/\n    example2\n\n## Configuration\n\nfinto uses a JSON configuration file to setup its credentials and the roles it\nwill serve. It currently uses a shared credentials provider only. Exluding the\ncredentials file or profile will use the defaults \"~/.aws/credentials\" and\n\"default,\" respectively.\n\n    {\n      \"credentials\": {\n        \"file\": \"/home/demo/.finto/credentials\",\n        \"profile\": \"identity\"\n      },\n      \"roles\": {\n        \"example\": \"arn:aws:iam::123456789012:role/example\",\n        \"example2\": \"arn:aws:iam::123456789012:role/example2\"\n      }\n      \"default_role\": \"example\",\n    }\n\n## Running\n\nThere are essentially two basic requirements for running finto:\n\n  1. Routing the EC2 meta-data endpoint\n  2. Using (or chaining to) the EC2 instance profile provider\n\nThe first can be achieved in several ways: interface aliasing, network\nredirection, virtual machines, and so on. The wiki contains a couple of basic\nexamples.\n\nThe second is client-dependent. In the case of clients like the AWS CLI, the\nuser must clear a path to the EC2 instance profile provider. Multiple shared\ncredentials profiles can still be configured, and accessed with e.g. the\n--profile option or AWS_DEFAULT_PROFILE environment variable.\n\n## Development\n\nAfter cloning the repository, running `make` will fetch and build\ndependencies; run tests; and install the binary. During development, `make\ntestall` requires the following environment variables for its integration tests:\n\n+ AWS_ACCESS_KEY_ID\n+ AWS_SECRET_ACCESS_KEY\n+ FINTO_VALID_ARN - an IAM role ARN that can be assumed\n+ FINTO_INVALID_ARN - a false IAM role ARN that will fail\n\nThe target `test` can be used to skip the integration tests, and avoid this\nsetup.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreadwaste%2Ffinto","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthreadwaste%2Ffinto","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreadwaste%2Ffinto/lists"}