https://github.com/k1low/awsdo
awsdo is a tool to do anything using AWS temporary credentials.
- Host: GitHub
- URL: https://github.com/k1low/awsdo
- Owner: k1LoW
- License: mit
- Created: 2020-10-22T05:43:14.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2024-09-29T06:50:38.000Z (about 2 months ago)
- Last Synced: 2024-10-19T13:25:16.333Z (26 days ago)
- Topics: assume-role, aws, get-session-token, mfa
- Language: Go
- Homepage:
- Size: 139 KB
- Stars: 25
- Watchers: 2
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
# awsdo
`awsdo` is a tool to do anything using AWS temporary credentials.
## Usage
`awsdo` does anything with temporary credentials generated using `aws sts get-session-token` and `aws sts assume-role`.
### As command wrapper
``` console
$ AWS_PROFILE=myaws awsdo -- terraform apply
Enter MFA code for arn:aws:iam::111111111111:mfa/k1low: 123456
[...]
```
### As env exporter
When `awsdo` is executed with no arguments, it outputs a shell script that exports the AWS credential environment variables, like [`aswrap`](https://github.com/fujiwara/aswrap).
``` console
$ AWS_PROFILE=myaws awsdo
Enter MFA code for arn:aws:iam::111111111111:mfa/k1low: 123456
export AWS_REGION=ap-northeast-1
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=vl/Zv5hGxdy1DPh7IfpYwP/YKU8J6645...
export AWS_SESSION_TOKEN=FwoGZXIYXdGUaFij9VStcW9fcbuKCKGAWjLxF/3hXgGSoemniFV...
```
If you want to set the credentials in the current shell with `eval`, you can use `--token-code` to pass the MFA token code.
``` console
$ eval "$(awsdo --profile myaws --token-code 123456)"
```
### As AWS management console login supporter
Log in to the AWS management console from a terminal using the login link generated by `awsdo`.
``` console
$ AWS_PROFILE=myaws awsdo --login
```
## Required IAM permissions
- `iam:ListMFADevices`
- `sts:AssumeRole`
- `sts:GetSessionToken`
## How `awsdo` works
- Load `~/.aws/credentials` and `~/.aws/config`.
- Get temporary credentials.
    1. If `--role-arn` is set, `awsdo` tries to assume the role ( `sts:AssumeRole` ).
        - `awsdo` tries to get the MFA device serial number ( `iam:ListMFADevices` ).
        - If `awsdo` gets an MFA device serial number, it uses multi-factor authentication.
        - Get temporary credentials.
    2. If the section has `role_arn`, `awsdo` tries to assume the role ( `sts:AssumeRole` ).
        - Find the profile ( section of `AWS_PROFILE` or `--profile` ).
        - If the section does not have `mfa_serial`, `awsdo` tries to get the MFA device serial number ( `iam:ListMFADevices` ).
        - If `awsdo` gets an MFA device serial number, it uses multi-factor authentication.
        - Get temporary credentials.
    3. Else, `awsdo` tries to get a session token ( `sts:GetSessionToken` ).
        - Find the profile ( section of `AWS_PROFILE` or `--profile` ).
        - If the section does not have `mfa_serial`, `awsdo` tries to get the MFA device serial number ( `iam:ListMFADevices` ).
        - If `awsdo` gets an MFA device serial number, it uses multi-factor authentication.
        - Get temporary credentials.
- Set the temporary credentials as environment variables, then execute the command or export the environment variables.
    - `AWS_ACCESS_KEY_ID`
    - `AWS_SECRET_ACCESS_KEY`
    - `AWS_SESSION_TOKEN`
    - `AWS_REGION`
## Example
### Assume Role on CI
``` yaml
name: AWS example workflow
on:
  push
# id-token: write lets the job request a GitHub OIDC token, which
# configure-aws-credentials exchanges for the first role's credentials.
permissions:
  id-token: write
  contents: read
jobs:
  assumeRole:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/example-role
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Run as ${{ secrets.AWS_ACCOUNT }}
        run: |
          aws sts get-caller-identity
      # This step pipes a script fetched from git.io into bash to install the .deb.
      - name: Setup awsdo
        run: |
          export AWSDO_VERSION=X.X.X
          curl -L https://git.io/dpkg-i-from-url | bash -s -- https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.deb
      # awsdo assumes a role in the second account from the credentials set above.
      - name: Run as ${{ secrets.AWS_ANOTHER_ACCOUNT }} using awsdo
        run: |
          awsdo --role-arn=arn:aws:iam::${{ secrets.AWS_ANOTHER_ACCOUNT }}:role/another-example-role -- aws sts get-caller-identity
```
## Install
**deb:**
``` console
$ export AWSDO_VERSION=X.X.X
$ curl -o awsdo.deb -L https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.deb
$ dpkg -i awsdo.deb
```
**RPM:**
``` console
$ export AWSDO_VERSION=X.X.X
$ yum install https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.rpm
```
**homebrew tap:**
```console
$ brew install k1LoW/tap/awsdo
```
**[aqua](https://aquaproj.github.io/):**
```console
$ aqua g -i k1LoW/awsdo
```
**manually:**
Download the binary from the [releases page](https://github.com/k1LoW/awsdo/releases).
**go install:**
```console
$ go install github.com/k1LoW/awsdo@latest
```
## Reference
- [aswrap](https://github.com/fujiwara/aswrap) - AWS assume role credential wrapper.
- [aws-vault](https://github.com/99designs/aws-vault) - A vault for securely storing and accessing AWS credentials in development environments.
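For the `eval` usage shown under "As env exporter", the following is an added example (not part of `awsdo` or its README) that applies the exported variables without handing the text to the shell parser: it accepts only the four variable names the README lists and rejects any line or value outside the sample format. The function name `load_awsdo_env` is hypothetical, and it assumes the output contains only unquoted `export NAME=VALUE` lines as in the README sample.

```shell
#!/bin/sh
# Added example: apply awsdo's "export NAME=VALUE" output without eval.
# Assumption: the output holds only lines shaped like the README sample.
load_awsdo_env() {
  _pairs=""
  # Pass 1: validate every line; any surprise aborts with nothing exported.
  while IFS= read -r _line; do
    [ -z "$_line" ] && continue
    case $_line in
      "export "*=*) ;;
      *) echo "load_awsdo_env: unexpected line" >&2; return 1 ;;
    esac
    _kv=${_line#"export "}
    _name=${_kv%%=*}
    _value=${_kv#*=}
    # Allowlist: the four variables the README says awsdo sets.
    case $_name in
      AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AWS_REGION) ;;
      *) echo "load_awsdo_env: refusing variable $_name" >&2; return 1 ;;
    esac
    # Values: base64-style and region characters only, so quotes, spaces,
    # '$', backticks and ';' are rejected rather than interpreted.
    case $_value in
      ""|*[!A-Za-z0-9+/=_.-]*)
        echo "load_awsdo_env: bad value for $_name" >&2; return 1 ;;
    esac
    _pairs="$_pairs$_name=$_value
"
  done <<EOF
$1
EOF
  # Pass 2: everything validated; export is given data, never parsed code.
  while IFS= read -r _kv; do
    [ -z "$_kv" ] || export "$_kv"
  done <<EOF
$_pairs
EOF
  unset _pairs _kv _line _name _value
  return 0
}

# Constructed sample in the README's output format (values are fake).
sample='export AWS_REGION=ap-northeast-1
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=constructed/Secret+Value0
export AWS_SESSION_TOKEN=constructed/Session+Token0=='
load_awsdo_env "$sample" && echo "loaded region: $AWS_REGION"
```

Call it as `load_awsdo_env "$(awsdo --profile myaws --token-code 123456)"`; passing the output as an argument, rather than through a pipe, keeps the function in the current shell so the exports persist.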