Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/taimos/aws-authenticate
AWS Auth CLI
https://github.com/taimos/aws-authenticate
Last synced: 8 days ago
JSON representation
AWS Auth CLI
- Host: GitHub
- URL: https://github.com/taimos/aws-authenticate
- Owner: taimos
- License: mit
- Created: 2019-04-12T17:47:16.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2023-10-16T17:33:24.000Z (about 1 year ago)
- Last Synced: 2024-04-14T05:52:52.956Z (7 months ago)
- Language: JavaScript
- Size: 1.09 MB
- Stars: 5
- Watchers: 3
- Forks: 2
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
Awesome Lists containing this project
README
# AWS Authenticate
This CLI tool helps you to configure your AWS access in CI/CD environments. You can set the region, the IAM profile to use or assume IAM roles with one CLI call.
The tool prints environment variables to the console to use in subsequent calls. By using `eval` you can set the environment in one call.
## How to install
To install this tool you need NodeJS and NPM installed on your machine.
You can then execute `npm install -g aws-authenticate` to install the `aws-authenticate` executable.
## Examples
### One-liners
To use a profile configured in your `~/.aws/config` file, issue the following command:
`eval "$(aws-authenticate auth --profile myprofile)"`
To assume a role using your default config you call it like:
`eval "$(aws-authenticate auth --role MyRole)"`
To assume a role in another account, use:
`eval "$(aws-authenticate auth --role MyRole --roleAccount 123456789012)"`
To assume a role in another account using a different policy, call:
`eval "$(aws-authenticate auth --role MyRole --roleAccount 123456789012 --roleSessionPolicy 'arn:aws:iam::aws:policy/AdministratorAccess')"`
To clear all AWS related environment variable and use the defaults, call:
`eval "$(aws-authenticate clear)"`
### Example using sub-shell
If you do not want to pollute your environment with settings, you can use a sub-shell to only configure AWS for several calls:
```bash
#!/bin/bash -e
...
(
eval "$(aws-authenticate auth --profile myprofile)"
aws s3 ls
)
...
```
### Looping through all accounts
If you want to do something for a accounts in an organization, use the following code:
```bash
#!/bin/bash -e
export accounts=$(aws-authenticate accounts)
echo "${accounts}" | while read account; do
(
id=$(echo "${account}" | cut -d ',' -f 1)
safeName=$(echo "${account}" | cut -d ',' -f 4)
echo "Doing stuff for account ${id} with safe name ${safeName}"
eval "$(aws-authenticate auth --roleAccount ${id} --role master --region eu-central-1)"
aws-authenticate set-alias --name "${safeName}"
)
done
```
If you have a tag called `Alias` on your accounts, you can set the account alias with the following script:
```bash
#!/bin/bash -e
export accounts=$(aws-authenticate accounts --tags Alias)
echo "${accounts}" | while read account; do
(
id=$(echo "${account}" | cut -d ',' -f 1)
alias=$(echo "${account}" | cut -d ',' -f 6)
eval "$(aws-authenticate auth --roleAccount ${id} --role master --region eu-central-1)"
aws-authenticate set-alias --name "${alias}"
)
done
```
## Documentation
`aws-authenticate [options]`
### auth
The `auth` command is used to configure credentials or assume roles.
Valid options are:
* `--role ` - The IAM role to assume
* `--roleAccount ` - The AWS account owning the role to assume. If not specified, your current account is used.
* `--region ` - The region to configure for subsequent calls
* `--profile ` - The profile configured in `~/.aws/config` to use
* `--targetProfile ` - The profile in `~/.aws/config` to write the new credentials to
* `--externalId ` - The external ID to use when assuming roles
* `--duration ` - The number of seconds the temporary credentials should be valid. Default is 3600.
* `--roleSessionName ` - The name of the session of the assumed role. Defaults to `AWS-Auth-` with `xyz` being the current milliseconds since epoch.
* `--roleSessionPolicy ` - The ARN or filename of the policy to use for the assumed session
* `--id` - Print the final user information to the console for debugging purpose
### id
With the `id` command, the tool prints the currently configured IAM principal to the console
```bash
$ aws-authenticate id
# Account: 123456789012 - User: arn:aws:iam::123456789012:user/johndoe
```
### clear
The `clear` command creates a bash snippet to clear all AWS related environment vafriables.
### accounts
The `accounts` command lists AWS accounts withing the currect organization.
Accounts are printed one account per line with the following fields in a CSV format.
```
,,,,
```
The safe name is the name with only alphanumeric characters and the rest being replaced with dashes.
```
123456789012,[email protected],My Example Account,my-example-account,ACTIVE
210987654321,[email protected],My Sub Account,my-sub-account,ACTIVE
```
Valid options are:
* `--parent ` - Limit the account list to the given orga parent (OU)
* `--tags key1,key2` - Show account tags as additional columns
### update-idp
The `update-idp` command is used to create or update the given SAML identity provider
Valid options are:
* `--name ` - Name of the IdP to configure. Defaults to `SAML`
* `--metadata ` - The file to use as SAML metadata
### set-alias
The `set-alias` command enables you to configure an AWS account alias.
Valid options are:
* `--name ` - Name of the alias to configure
# Changelog
## NEWER
See Github releases
## 1.5.0
* update deps
* add support to write auth to new profile
## 1.4.0
* update deps
## 1.3.1
* fix `--roleAccount` when account id has leading zeros
## 1.3.0
* add `--roleSessionPolicy` to provide IAM policies when assuming roles
* add `--tags` to account list
## 1.2.0
* remove `--script` option as it is completely broken. Use sub-shells instead. **BREAKING CHANGE**
## 1.1.0
* add `--script` option to run bash scripts directly
* add `accounts` command to list AWS accounts
* add `update-idp` command to manage SAML IdP
* add `set-alias` command to manage SAML IdP
* fix `clear` command
## 1.0.1
* add README and `help` command
## 1.0.0
* Initial project implementation
# Contribute
## Did you find a bug?
* **Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/taimos/aws-authenticate/issues).
* If you're unable to find an open issue addressing the problem, [open a new one](https://github.com/taimos/aws-authenticate/issues/new). Be sure to include a **title and clear description**, as much relevant information as possible, and a **code sample** demonstrating the expected behavior that is not occurring.
## Did you write a patch that fixes a bug?
* Open a new GitHub pull request with the patch.
* Ensure the PR description clearly describes the problem and solution. Include the relevant issue number if applicable.
## Did you fix whitespace, format code, or make a purely cosmetic patch?
Changes that are cosmetic in nature and do not add anything substantial to the stability, functionality, or testability will normally not be accepted.
## Do you intend to add a new feature or change an existing one?
* Suggest your change under [Issues](https://github.com/taimos/aws-authenticate/issues).
* Do not open a pull request on GitHub until you have collected positive feedback about the change.
## Do you want to contribute to the aws-authenticate documentation?
* Just file a PR with your recommended changes