Skip to content

Latest commit

 

History

History
288 lines (202 loc) · 8.05 KB

README.md

File metadata and controls

288 lines (202 loc) · 8.05 KB

assume-role

assume-role logo

Assume IAM roles through an AWS Bastion account with MFA via the command line.

AWS Bastion accounts store only IAM users providing a central, isolated account to manage their credentials and access. Trusting AWS accounts create IAM roles that the Bastion users can assume, to allow a single user access to multiple accounts resources. Under this setup, assume-role makes it easier to follow the standard security practices of MFA and short lived credentials.

Installation

Requirements

assume-role requires jq and aws CLI tools to be installed.

Bash

  1. Clone Repository

  2. For easier updates create a symlink from your repository assume-role or assume-role-okta file to /usr/local/bin/<assume-role>

    Example

    ln -s <Git-Repository>/assume-role-okta /usr/local/bin/assume-role-okta
  3. Add execution permissions

    chmod +x <Git-Repository>/assume-role-okta

Getting Started

Make sure that credentials for your AWS bastion account are stored in ~/.aws/credentials.

Out of the box you can call assume-role like:

eval $(assume-role account-id role mfa-token)

If your shell supports bash functions (e.g. zsh) then you can add source $(which assume-role) to your rc file (e.g. ~/.zshrc), then you can call assume-role like:

Auto autocompleter

If you want to have a autocompleter for the accounts from your aws-config add the following at the beginning of your .zshrc file:

ZSH

Copy/link zsh function

ln -s <Git-Repository>/_assume_role ~/zsh_functions/_assume_role

Bash

fpath=(~/zsh_functions $fpath)

autoload -U compinit
compinit

ZSH Segments

If you are using oh-my-zsh, a nice way to integrate this into the powerline segments (the relevant one being the custom_assume_role, the other segmenst are merely an example) would be to do the following:

p10k configure
  • Add the following to your .zshrc
source $(which assume-role)
export POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(root_indicator context dir dir_writable rbenv chruby nodeenv pyenv aws custom_assume_role vcs)
export POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(status command_execution_time background_jobs detect_virt disk_usage load ram time)

export POWERLEVEL9K_CUSTOM_ASSUME_ROLE="echo \$AWS_ACCOUNT_NAME"
export POWERLEVEL9K_CUSTOM_ASSUME_ROLE_FOREGROUND="black"
export POWERLEVEL9K_CUSTOM_ASSUME_ROLE_BACKGROUND="yellow"

ZSH_THEME="powerlevel9k/powerlevel9k"

Bash

For bash you could put the following in your .bash_profile file:

source $(which assume-role)

function aws_account_info {
  [ "$AWS_ACCOUNT_NAME" ] && [ "$AWS_ACCOUNT_ROLE" ] && echo -n "aws:($AWS_ACCOUNT_NAME:$AWS_ACCOUNT_ROLE) "
}

PROMPT_COMMAND='aws_account_info'

YubiKey Integration

Prerequisites

You have to install ykman for your distribution

Installation

If you want to use your YubiKey as MFA, there is the feature to use the oath Feature of Yubikey:

You have to add your MFA Hash to oath:

ykman oath add -t NameOfYourChoice <YOUR_BASE_32_KEY>

After that you can add the following ENV Variable to your profile:

export YUBIKEY_MFA="NameOfYourChoice"

Usage

Now, when assume-role needs a MFA it will ask you to Touch your YubiKey