AWS `credential_process` utility to assume AWS IAM Roles with Yubikey Touch and Authenticator App TOTP MFA to provide temporary session credentials, with encrypted caching and support for automatic credential refresh.
APACHE-2.0 License
| 🚧 Work-in-Progress | 🚀 ⁉️ Publish Plan |
|---|---|
| Since version v0.13.x this tool is considered "mostly stable": Breaking changes may occur if really needed but not arbitrarily. | I'm hoping to release v1.0.0 during H2/2022. No commitments though! |
Much like spending a week in Las Vegas at AWS re:Invent, using multiple AWS tools (SDKs, CLI, CDK, Terraform, etc.) via command-line to assume IAM roles in different accounts with Multi-Factor Authentication can be an exhausting experience:

`vegas-credentials` aims to simplify the credential process! And just like you shouldn't stay too long in Las Vegas at once, this tool only deals with temporary session credentials.
Vegas Credentials is a utility with a smooth user experience that plugs into AWS `credential_process` to assume IAM Roles with TOTP MFA (with optional Yubikey Touch support) to fetch, cache and refresh assumed temporary session credentials.
For guides, examples and full documentation, go to https://credentials.vegas.
Via Homebrew on MacOS, GNU/Linux and Windows Subsystem for Linux (WSL):

```sh
brew install aripalo/tap/vegas-credentials
```
Via Scoop on Windows:

```sh
scoop bucket add aripalo https://github.com/aripalo/scoops.git && scoop install vegas-credentials
```
Configure your source profile and its credentials; most often it is the `default` one, which you configure into `~/.aws/credentials`:

```ini
# ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```
Configure your source profile in config:

```ini
# ~/.aws/config
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra
```

Note: if your source profile is not `default`, remember to add `profile` as prefix (`profile foo`).
Configure your target profile with `credential_process` into `~/.aws/config`:

```ini
# ~/.aws/config
[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile=default
# You may also provide any other additional standard AWS configuration, such as:
region = us-west-1
duration_seconds = 4383
role_session_name = SinatraAtTheSands
external_id = 0093624694724
```

Note: `role_arn` & `source_profile` must be prefixed with `vegas_` to prevent AWS tooling from ignoring the `credential_process` setting and to prevent Terraform from failing.
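As an added example (not part of vegas-credentials itself), a small Python linter that reads `~/.aws/config`-style text and flags the mistakes the note above warns about: an unprefixed `role_arn`/`source_profile`, a missing `vegas_` key, a source profile that does not exist, or one without `mfa_serial`. The sample config is constructed here, modelled on the README's profiles.

```python
import configparser

# Constructed ~/.aws/config sample modelled on the README (not the project's own
# code); the second profile deliberately makes the mistakes the note warns about.
SAMPLE_CONFIG = """
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra

[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn = arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile = default
region = us-west-1

[profile broken@casino]
credential_process = vegas-credentials assume --profile=broken@casino
role_arn = arn:aws:iam::333333333333:role/DealerRole
vegas_source_profile = nosuchprofile
"""


def section_for(profile: str) -> str:
    """AWS CLI names the default section 'default' and every other 'profile <name>'."""
    return "default" if profile == "default" else f"profile {profile}"


def lint_vegas_config(text: str) -> dict[str, list[str]]:
    """Return {profile: [problems]} for every profile that runs vegas-credentials."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sections = {s: dict(cp[s]) for s in cp.sections()}
    report: dict[str, list[str]] = {}
    for name, opts in sections.items():
        if not opts.get("credential_process", "").startswith("vegas-credentials"):
            continue  # not a vegas-credentials target profile
        problems = []
        for key in ("role_arn", "source_profile"):
            if key in opts:  # unprefixed key makes AWS tooling ignore credential_process
                problems.append(f"{key} must be spelled vegas_{key}")
            if f"vegas_{key}" not in opts:
                problems.append(f"missing vegas_{key}")
        src = opts.get("vegas_source_profile")
        if src is not None:
            src_opts = sections.get(section_for(src))
            if src_opts is None:
                problems.append(f"source profile {src!r} not found")
            elif "mfa_serial" not in src_opts:  # MFA-backed assume needs this on the source
                problems.append(f"source profile {src!r} has no mfa_serial")
        report[name.removeprefix("profile ")] = problems
    return report
```

Run it against your real file with `lint_vegas_config(open(os.path.expanduser("~/.aws/config")).read())`; an empty list per profile means the layout matches what the README expects.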
Use any AWS tooling that supports ini-based configuration with `credential_process`, like AWS CLI v2:

```sh
aws sts get-caller-identity --profile frank@concerts
```