setup-new-aws-user

module

v0.1.11 Latest Latest Go to latest Published: Mar 10, 2020 License: BSD-3-Clause

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/trussworks/setup-new-aws-user

Links

Open Source Insights

README ¶

setup-new-aws-user

This script creates a virtual MFA device and rotates access keys for a new AWS user.

Installation

For OSX Homebrew:

$ brew tap trussworks/tap
$ brew install setup-new-aws-user

Usage

The script accepts a number of arguments, either as environment variables or command-line flags:

Usage:
  main [OPTIONS]
  Application Options:
    --region=     The AWS region (default: us-west-2) [$AWS_REGION]
    --account-id= The AWS account number [$AWS_ACCOUNT_ID]
    --profile=    The AWS profile name [$AWS_PROFILE]
    --iam-user=   The IAM user name
    --role=       The user role type
    --output=     The AWS CLI output format (default: json)
  Help Options:
    -h, --help        Show this help message

For the arguments that accept either an environment variable or command-line flag, the environment variable takes precedence if both are provided due to the way go-flags works.

Setup new IAM user

Have admin user run through these instructions in legendary-waddle repo to generate access keys.
Set AWS_ACCOUNT_ID and AWS_PROFILE variables in one of three ways:
- Save to an .envrc.local file
- Set them as local environment variables on your terminal, or
- Pass them through as flags when you run this script (i.e. go run cmd/main.go --role <ROLE> --iam-user <USER> --profile=<AWS_PROFILE> --account-id=<AWS_ACCOUNT_ID>)
Run the setup-new-user script: go run cmd/main.go --role <ROLE> --iam_user <USER>
Enter the access keys generated when prompted.
The script will display a QR code for an MFA device at some point. Create an entry in your 1Password account with a One Time Password (OTP) field and be ready to scan it with the 1Password app. Currently works only with mobile app.

NOTE You will be asked for your MFA (TOTP) tokens three times while validating the new virtual MFA device and rotating your access keys. Take care not to use the same token more than once, as this will cause the process to fail.

Dev setup

First, install these packages:
- brew install pre-commit
- brew install direnv
Next, clone the project repository.
Finally, run these commands inside the local repo:
- pre-commit install --install-hooks
- direnv allow
The .envrc will be loaded if direnv is installed.

Testing

For testing, create a test IAM user so as not to interfere with your primary user credentials and AWS config settings. The test user will need the enforce-mfa policy and permission to assume whichever role being assigned. Generate an access key for the user, and use those when running the script. For the AWS profile, do not use an existing profile name. You can use a dummy name for the profile; it doesn't need to match the account alias. However, you must use the real AWS account ID.

Example:

go run cmd/main.go --role engineer --iam-user testuser --account-id 123456789012  --profile test-profile-name

After running the script, try a command to ensure the new profile works as expected:

Example (include AWS_VAULT_KEYCHAIN_NAME if the environment variable is not set):

AWS_VAULT_KEYCHAIN_NAME=login aws-vault exec test-profile-name -- aws sts get-caller-identity

Directories ¶

Path	Synopsis
cmd

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL