setup-new-aws-user

module

v0.1.14 Latest Latest Go to latest Published: Apr 23, 2020 License: BSD-3-Clause

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/trussworks/setup-new-aws-user

Links

Open Source Insights

README ¶

setup-new-aws-user

This tool is used to grant programmatic access to AWS account(s) using aws-vault. It works by taking a temporary set of AWS access keys for a new IAM user. It then generates a virtual MFA device and permanent set of access keys. Finally, it removes the temporary access keys.

Installation

For Mac OS Homebrew:

brew tap trussworks/tap
brew install setup-new-aws-user

Usage

Prerequisites

Dependencies

brew cask install aws-vault

Before running this tool, you will need to following pieces of information

IAM role - This is the IAM Role with permissions allowing access to AWS APIs and services. This is usually something like admin or engineer.
IAM user name - This is your IAM username.
AWS profile - This is the name that populates your ~/.aws/config profile name. It is usually the name of the aws account alias you are trying to access.
AWS account Id - This is the 12-digit account number of the AWS account you are trying to access.
Temporary AWS access keys - These should be given to you by an administrator of the AWS account you are trying to access. The tool will prompt you for the access key id and secret access key.

Running the tool

Run the setup-new-user - setup-new-aws-user --role <IAM_ROLE> --iam_user <USER> --profile=<AWS_PROFILE> --account-id=<AWS_ACCOUNT_ID>
Enter the access keys generated when prompted.
The script will open a window with a QR code, which you will use to configure a temporary one time password (TOTP).
You'll then need to create a new entry in your 1Password account configure it with a TOTP field.
Use 1Password to scan the QR code and hit save. New TOTP tokens should generate every 30 seconds.
From here the tool will prompt you for 3 unique TOTP tokens. NOTE Take care not to use the same token more than once, as this will cause the process to fail.
Once the tool has completed, you should be able to access the AWS account. You can run the following command filling in the AWS_PROFILE value

aws-vault exec AWS_PROFILE -- aws sts get-session

Development setup

First, install these packages: brew install pre-commit direnv go
Next, clone the project repository.
Finally, run these commands inside the local repo: direnv allow
The .envrc will be loaded if direnv is installed.

Testing

Unit Tests

Run pre-commit and Go tests

make test

Integration / End 2 End Testing

For testing, create a test IAM user so as not to interfere with your primary user credentials and AWS config settings. The test user will need the enforce-mfa policy and permission to assume whichever role being assigned. Generate an access key for the user, and use those when running the script. For the AWS profile, do not use an existing profile name. You can use a dummy name for the profile; it doesn't need to match the account alias. However, you must use the real AWS account ID.

Example:

go run cmd/main.go --role engineer --iam-user testuser --account-id 123456789012  --profile test-profile-name

After running the script, try a command to ensure the new profile works as expected:

Example (include AWS_VAULT_KEYCHAIN_NAME if the environment variable is not set):

AWS_VAULT_KEYCHAIN_NAME=login aws-vault exec test-profile-name -- aws sts get-caller-identity

Directories ¶

Path	Synopsis
cmd

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL