Skip to content

Latest commit

 

History

History
executable file
·
122 lines (78 loc) · 5.42 KB

README.md

File metadata and controls

executable file
·
122 lines (78 loc) · 5.42 KB

Overview

This script retrieves temporary IAM user credentials (with MFA) or role credentials from AWS STS, and generates or updates standard credentials and config files for use with AWS CLI, Boto, or anything else that uses AWS profiles.

Requirements

Usage

  • To get credentials: token <profilename>
  • To export credentials into environment variables: awsenv <profilename>

Getting started

Warning: The config file is recreated each time. Any customizations should be done in the credentials file or the profile files.

File and shell changes

Run the setup.sh script or perform the following four steps manually:

  1. Clone the git repo into a local directory (we'll be using ~/aws-token-refresh in these examples):
git clone https://github.com/seren/aws-token-refresh.git ~/aws-token-refresh
  1. Create a directory for credentials (most tools expect them to be in ~/.aws). Create a aws-profiles directory within:
mkdir -p ${HOME}/.aws/aws-profiles
chmod 700 ${HOME}/.aws/aws-profiles
  1. In profile-additions.sh, update the AWS_SCRIPTS_DIR value file to the directory containing the scripts (ex. ${HOME}/aws-token-refresh).

  2. In your shell's login profile (usually .bash_profile, if you use bash), source profile-additions.source_me:

echo 'source "${HOME}/aws-token-refresh/profile-additions.source_me"' >> ${HOME}/.profile

Create the IAM profiles

Create profile files in ~/.aws/aws-profiles/. These files are what are used to generate the credentials file (for the aws cli tools) and config file (formated slightly differently for boto). They should have at least the following information:

Note: You can also create profiles for non-IAM accounts or accounts that don't use MFA. They'll be added to the credentials and config files.

  • For an IAM user profile:

    [mainuser]
    # An optional comment. Blah
    aws_access_key_id = AKIAJHEGCHEXAMPLE
    aws_secret_access_key = fSU2a3BdmxVX5cX0+HFw6IBcNaEXAMPLEKEY
    mfa_id = arn:aws:iam::12342567890:mfa/mainuser
    account_id = 12342567890
    region = us-east-1
    mfa_type = virtual
    
    • [profilename] - The nickname you want to give this profile. It needs to match the filename.
    • # Blah - You may place comment lines within the profile
    • aws_access_key_id - Key for IAM user (starts with AKAI)
    • aws_secret_access_key - Key secret for IAM user
    • mfa_id - The ARN of the virtual MFA device from the IAM user credentials page
    • account_id - Optional, but useful to avoid confusion when using multiple profile files
    • region - Optional. Useful if you always use the same region, or want to use different nicknames for different regions
    • mfa_type - Optional. If not specified, user is prompted for the MFA token. Possible values:
      • virtual (an MFA-generating app, specified as MFA_PROGRAM in aws-token-or-role-refresh.sh)
      • yubikey (hardware token)
  • For an IAM role profile:

    [profilename]
    # An optional comment. Blah
    role_name = myadminrole
    account_id = 12342567890
    master_profile = mainuser
    region = us-east-1
    
    • [profilename] - The nickname you want to give this profile. It needs to match the filename.
    • # Blah - You may place comment lines within the profile
    • role_name - The name of the IAM role to assume. NOTE: The presence of this is also used to determine whether a profile is a "user" profile or a "role" profile.
    • account_id - The account ID that the role is in. Used, along with the role_name, to form the role ARN
    • master_profile - The name of the user profile which has permissions to assume this role.
    • region - Optional. Useful if you always use the same region, or want to use different nicknames for different regions

Notes

  • The script only modifies individual profile sections of the credentials file, so you can add extra profiles to the credentials file manually without them being overwritten.

  • The config file is recreated from the credentials file during each run, so any customization should be done in the credentials file.

  • The [profilename] must match the profile filename, but doesn't need to match the IAM role name.

AWS Web Console Tips

If you've just started using roles, the AWS Web Console has a nice feature where you can switch between them. It can remember up to 5 recently switched-to roles. To add a role, choose the Switch Role option in the user menu in the upper-right menu bar of the web console page, or enter a url like so:

https://signin.aws.amazon.com/switchrole?account=1234567890&roleName=myadminrole&displayName=account1-admin

For more than 5 roles, you may want to check out browser extensions/add-ons such as aws-extend-switch-roles