aws-auth

command module

v0.1.0-rc5 Latest Latest Go to latest Published: Dec 23, 2020 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/joshdk/aws-auth

README ¶

AWS Auth

🔐 Manage AWS credential for a range of workflows

Installing

A prebuilt release binary can be downloaded by running:

$ wget -q https://github.com/joshdk/aws-auth/releases/download/v0.1.0/aws-auth-linux-amd64.tar.gz
$ tar -xf aws-auth-linux-amd64.tar.gz
$ sudo install aws-auth /usr/bin/aws-auth

Alternatively, a development version of this tool can be installed by running:

$ go get -u github.com/joshdk/aws-auth

Configuration

Configs and Credentials

The aws-auth tool uses the AWS configuration files (located at ~/.aws/config and ~/.aws/credentials) as the source of profile definitions.

For background information on these two file, please take a look at:

Profiles

A named profile within the AWS config can define a few different things:

A user defines AWS credentials that can be used directly:

[default]
aws_access_key_id = AKIA...RBDY
aws_secret_access_key = asBY...z6WT

A role can be used after an assume-role API call. A named profile is also referenced, and is used as the source credentials for the API call.

[profile dev-role]
source_profile = default
role_arn = arn:aws:iam::000000000000:role/my-role

A session can be used after an get-session-token API call. A named profile is also referenced, and is used as the source credentials for the API call.

[profile dev-session]
source_profile = default

Note - The session configuration is non-standard and will not work with the AWS CLI.

Profile Chains

By using a series of named profile references, a profile "chain" can be defined which describes a series of role/session profile that can be used to derive new credentials from an original user.

[default]
aws_access_key_id = AKIA...RBDY
aws_secret_access_key = asBY...z6WT

[profile temp]
source_profile = default

[profile production]
source_profile = temp
role_arn = arn:aws:iam::000000000000:role/my-role

In the above example, we have a default profile user which has AWS credentials.

There is also a temp profile session, which can derive its credentials from the default profile using get-session-token.

Finally, there is a production profile role, which can derive its credentials from the temp profile using assume-role.

If credentials for the production profile are requested, aws-auth will automate the series of necessary API calls.

Multi-Factor Authentication

You can configure aws-auth to prompt for MFA codes if necessary.

[profile dev-role]
source_profile = default
role_arn = arn:aws:iam::000000000000:role/my-role
mfa_serial = arn:aws:iam::000000000000:mfa/my-user
mfa_message = Please enter MFA code for dev:

The mfa_serial property references a virtual MFA device that has already been configured for an IAM user in AWS.

The mfa_message property can be used to display a custom message to the user. Note: This property is non-standard and will be ignored by the AWS CLI.

Yubikeys

If you have enrolled a Yubikey as your MFA device, you can configure aws-auth to prompt your Yubikey to generate an MFA code directly.

[profile dev-role]
source_profile = default
role_arn = arn:aws:iam::000000000000:role/my-role
mfa_serial = arn:aws:iam::000000000000:mfa/my-user
mfa_message = Please touch your Yubikey now!
yubikey_slot = aws-dev-mfa

The yubikey_slot property can be used to specify the Yubikey oath slot used for generating a code. Note: This property is non-standard and will be ignored by the AWS CLI.

Usage

Help!

$ aws-auth --help

aws-auth - Manage AWS credential for a range of workflows

Usage:
  aws-auth [flags]
  aws-auth [command]

Available Commands:
  console     Generate an AWS Console login URL
  help        Help about any command

Flags:
  -h, --help             help for aws-auth
  -p, --profile string   config profile to target (default "default")
  -v, --version          version for aws-auth

Use "aws-auth [command] --help" for more information about a command.

Generating Credentials

Credentials (in the form of export-able environment variables) for a named profile can be generated like so:

$ aws-auth --profile dev

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
export AWS_ARN=...
export AWS_ACCOUNT_ID=...
export AWS_EXPIRATION=...

A login URL for the AWS Console can also be generated for a role:

$ aws-auth --profile dev console

https://signin.aws.amazon.com/federation?Action=login...

License

This code is distributed under the MIT License, see LICENSE.txt for more information.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
console
config
console
mfa
transformers

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL