assume_role_with_mfa

command module

v0.0.0-...-5eef9a8 Latest Latest Go to latest Published: Dec 16, 2023 License: MIT Imports: 20 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/LeanerCloud/assume_role_with_mfa

Links

Open Source Insights

README ¶

assume_role_with_mfa

A small MFA GUI tool designed to be used as credential_proces for AWS CLI configuration profiles.

This is a workaround for the official AWS MFA setup, that works for the CLI but is apparently broken for the Go SDK, as reported at aws-sdk-go-v2/#2356.

[profile broken-sdk]
source_profile = users
role_arn=arn:aws:iam::bbbbbbbbbbbb:role/MyAssumedRole
mfa_serial = arn:aws:iam::aaaaaaaaaaaaa:mfa/my-mfa

Instead, we integrate as a credential_process, which is better supported by the Go SDK.

Features

It actually works for the Go SDK :-D
Ask for MFA using a graphical user interface.
Caches credentials locally for subsequent access.

Prerequisites

Go (version 1.15 or later)
Valid AWS credentials configured as a profile in the AWS CLI credentials file.
An AWS account configured with an MFA device

Installation

Assuming you have Go set up and $PATH set to $GOPATH/bin, you will need to run the following command:

go install github.com/LeanerCloud/assume_role_with_mfa@latest

Usage

Create this configuration in the ~/.aws/config file, making sure the path is correct.

You can also test the command in a shell to see how it works.

[profile my_mfa]
credential_process = /Users/USERNAME/go/bin/assume_role_with_mfa -mfa-arn arn:aws:iam::XXXXXXXXXXXX:mfa/mfa -profile another-profile-having-static-credentials -role-arn arn:aws:iam::YYYYYYYYYYYY:role/myRole
region = MY_REGION

Use this new profile as usual and you will be asked for the MFA code using this little GUI tool.

The tool will then assume the role using the MFA code and provide some temporary credentials to that profile.

Credential caching

To avoid asking for MFA repeatedly, we cache the obtained credentials in a file located in the Fyne application's storage directory, and the cached credentials will be reused until they expire.

The cache filename is a SHA256 hash of the role ARN to uniquely identify the credentials when switching between profiles/roles.

Check out our other open-source projects

awesome-finops - a more up-to-date and complete fork of jmfontaine/awesome-finops.
Savings Estimator - estimate Spot savings for ASGs.
AutoSpotting - convert On-Demand ASGs to Spot without config changes, automated divesification, and failover to On-Demand.
EBS Optimizer - automatically convert EBS volumes to GP3.
ec2-instances-info - Golang library for specs and pricing information about AWS EC2 instances based on the data from ec2instances.info.
ipv4-cost-viewer - shows the future public IPv4 costs for a variety of AWS resources across all AWS regions from an account in a user-friendly terminal UI.

For more advanced features of some of these tools, as well as comprehensive cost optimization services focused on AWS, visit our commercial offerings at LeanerCloud.com.

Support

Reach out to us on Slack if you need help or have any questions about this or any of our projects.

Contributing

Contributions to this project are welcome! You can contribute in the following ways:

Report Issues: If you find any bugs or have feature suggestions, please create an issue.
Submit Pull Requests: Feel free to fork the repository and submit pull requests with bug fixes or new features.