  • Stars: 566
  • Rank 78,774 (Top 2 %)
  • Language: Go
  • License: BSD 2-Clause "Sim...
  • Created almost 9 years ago
  • Updated over 1 year ago


Repository Details

Easily assume AWS roles in your terminal.

This tool will request and set temporary credentials in your shell environment variables for a given role.

Installation

On OS X, the best way to get it is to use Homebrew:

$ brew install remind101/formulae/assume-role

If you have a working Go 1.6/1.7 environment:

$ go get -u github.com/remind101/assume-role

On Windows with PowerShell, you can use scoop.sh:

$ scoop bucket add extras
$ scoop install assume-role

Configuration

Set up a profile for each role you would like to assume in ~/.aws/config.

For example:

~/.aws/config:

[profile usermgt]
region = us-east-1

[profile stage]
# Stage AWS Account.
region = us-east-1
role_arn = arn:aws:iam::1234:role/SuperUser
source_profile = usermgt

[profile prod]
# Production AWS Account.
region = us-east-1
role_arn = arn:aws:iam::9012:role/SuperUser
mfa_serial = arn:aws:iam::5678:mfa/eric-holmes
source_profile = usermgt

~/.aws/credentials:

[usermgt]
aws_access_key_id = AKIMYFAKEEXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/MYxFAKEYEXAMPLEKEY

Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

In this example, we have three AWS Account profiles:

  • usermgt
  • stage
  • prod

Each member of the org has their own IAM user and access/secret key for the usermgt AWS Account. The keys are stored in the ~/.aws/credentials file.

The stage and prod AWS Accounts have an IAM role named SuperUser. The assume-role tool helps a user authenticate (using their keys) and then assume the privilege of the SuperUser role, even across AWS accounts!
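
An added example (not part of the assume-role project) that audits the configuration format shown above: it parses the sample ~/.aws/config and lists the role profiles that set no mfa_serial. The function names parseProfiles and rolesWithoutMFA are hypothetical, and the embedded sample omits the region and comment lines.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: the profiles from the ~/.aws/config example above.
const sampleConfig = `[profile usermgt]
[profile stage]
role_arn = arn:aws:iam::1234:role/SuperUser
source_profile = usermgt
[profile prod]
role_arn = arn:aws:iam::9012:role/SuperUser
mfa_serial = arn:aws:iam::5678:mfa/eric-holmes
source_profile = usermgt
`

// parseProfiles reads AWS config text into profile name -> key -> value.
func parseProfiles(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	name := ""
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name = strings.TrimSpace(strings.TrimPrefix(line[1:len(line)-1], "profile "))
			profiles[name] = map[string]string{}
		} else if k, v, ok := strings.Cut(line, "="); ok && name != "" && line[0] != '#' {
			profiles[name][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// rolesWithoutMFA lists, sorted, the profiles that assume a role but set no mfa_serial.
func rolesWithoutMFA(profiles map[string]map[string]string) []string {
	var out []string
	for name, p := range profiles {
		if p["role_arn"] != "" && p["mfa_serial"] == "" {
			out = append(out, name+" -> "+p["role_arn"])
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(strings.Join(rolesWithoutMFA(parseProfiles(sampleConfig)), "\n"))
}
```

Setting mfa_serial only makes the client prompt for and send an MFA code; whether MFA is actually required is decided by the role's trust policy, so a profile flagged here should be checked against that policy.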

Usage

Perform an action as the given IAM role:

$ assume-role stage aws iam get-user

The assume-role tool sets AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables and then executes the command provided.

If the role requires MFA, you will be asked for the token first:

$ assume-role prod aws iam get-user
MFA code: 123456

If no command is provided, assume-role will output the temporary security credentials:

$ assume-role prod
export AWS_ACCESS_KEY_ID="ASIAI....UOCA"
export AWS_SECRET_ACCESS_KEY="DuH...G1d"
export AWS_SESSION_TOKEN="AQ...1BQ=="
export AWS_SECURITY_TOKEN="AQ...1BQ=="
export ASSUMED_ROLE="prod"
# Run this to configure your shell:
# eval $(assume-role prod)

Or, in Windows PowerShell:

$env:AWS_ACCESS_KEY_ID="ASIAI....UOCA"
$env:AWS_SECRET_ACCESS_KEY="DuH...G1d"
$env:AWS_SESSION_TOKEN="AQ...1BQ=="
$env:AWS_SECURITY_TOKEN="AQ...1BQ=="
$env:ASSUMED_ROLE="prod"
# Run this to configure your shell:
# assume-role.exe prod | Invoke-Expression

If you use eval $(assume-role) frequently, you may want to create an alias for it:

  • zsh
alias assume-role='function(){eval "$(command assume-role "$@")";}'
  • bash
function assume-role { eval "$(command assume-role "$@")"; }

TODO

  • Cache credentials.
