Skip to content
/ assume-shell Public

A tool to create a shell with AWS environment credentials set

License

MIT license
3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

comebackoneyear/assume-shell

BranchesTags

Repository files navigation

assume-shell

This tool will request AWS credentials for a given profile/role and start a new shell with them in the environment.

Installation

If you have a working Go >=1.17 environment:

$ go install github.com/comebackoneyear/assume-shell/cmd/assume-shell@latest

If you have a working Go <1.17 environment:

$ go get -u github.com/comebackoneyear/assume-shell/cmd/assume-shell

Configuration

Setup a profile for each role you would like to assume in ~/.aws/config.

For example:

~/.aws/config:

[profile work]
region = eu-north-1

[profile stage]
# Stage AWS Account.
region = eu-west-1
role_arn = arn:aws:iam::00000001234:role/Admin
source_profile = work
duration_seconds = 43200

[profile prod]
# Production AWS Account.
region = us-east-1
role_arn = arn:aws:iam::00000005678:role/Deploy
source_profile = work
duration_seconds = 43200

~/.aws/credentials:

[work]
aws_access_key_id = <AWS_ACCESS_KEY_ID>
aws_secret_access_key = <AWS_SECRET_ACCESS_KEY>

Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

In this example, we have three AWS Account profiles:

  • work
  • stage
  • prod

Each member of the org has their own IAM user and access/secret key for the work AWS Account. The keys are stored in the ~/.aws/credentials file.

The stage and prod AWS Accounts have IAM roles named Admin and Deploy. The assume-shell tool helps a user authenticate (using their keys) and then assume the privilege of the the role, even across AWS accounts! The assumed shell will be valid for duration_seconds, default 900 seconds, it can not be greater than the role allows.

Usage

Start a new shell with the role stage:

$ assume-shell stage
Exported assumed role credentials for profile stage, expires in 11 hours 59 minutes
$

The assume-shell tool sets AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables and then executes the $SHELL. In addition the ASSUMED_PROFILE variable will be set to whatever profile was assumed. It will also set the environment variable ASSUMED_PROFILE_EXPIRES to a unix timestamp when the credentials will expire, useful if you want to implement something in your shell to detect when it happens.

TODO

  • Use default profile on empty argv
  • Add MFA support
  • Add brew installer or MacOS
  • Add Support to execute commands
  • Add support to configure shell prompt to show active profile
  • Test and add support for multiple shells (zsh, fish, powershell)

Credits

Heavily inspired by https://github.com/remind101/assume-role

About

A tool to create a shell with AWS environment credentials set

Topics

go aws utility assume-role awsudo

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 4

v0.4.0 Latest
Feb 14, 2022
+ 3 releases

Languages