aidanmelen/awscli_bastion


awscli-bastion extends the awscli by managing mfa protected short-lived credentials for an AWS Bastion account.

https://awscli-bastion.readthedocs.io/en/latest/

License: MIT

Language: Python


awscli_bastion


https://raw.githubusercontent.com/aidanmelen/awscli_bastion/master/docs/awscli-bastion.png

Install

$ pip install awscli-bastion

Configure

  1. Ensure that your AWS Bastion account has an IAM user with an MFA device enrolled, and that the roles in the target accounts trust that user (ideally with a Condition on aws:MultiFactorAuthPresent, so they can only be assumed with MFA-backed session credentials).
  2. Ensure the awscli is configured as follows:

~/.aws/credentials:

# stores the long-lived IAM user access keys for the bastion account
# (long-lived keys start with AKIA; these are the placeholder keys from the AWS docs, not real credentials)
[bastion]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# stores short-lived sts.get_session_token() credentials for the bastion account
[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = bastion get-session-token
source_profile = bastion

# assume role profiles store short-lived sts.assume_role() credentials
[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[stage-poweruser]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts

[prod-spectator]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts

~/.aws/config:

[default]
region = us-west-2
output = json

Usage

Run aws commands normally; the awscli follows source_profile from the assume-role profile back to bastion-sts, runs its credential_process to obtain MFA-protected session credentials, and then calls sts.assume_role() for the role_arn:

$ aws sts get-caller-identity --profile dev-admin
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
{
    "UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1234567890",
    "Account": "234567890123",
    "Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}

$ aws sts get-caller-identity --profile stage-poweruser
{
    "UserId": "BBBBBBBBBBBBBBBBBBBBB:botocore-session-2345678901",
    "Account": "345678901234",
    "Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}

$ aws sts get-caller-identity --profile prod-spectator
{
    "UserId": "CCCCCCCCCCCCCCCCCCCCC:botocore-session-3456789012",
    "Account": "456789012345",
    "Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}

You will only be prompted for the MFA code when the cached bastion-sts credentials expire; until then bastion serves the cached session-token credentials from ~/.aws/cli/cache, where the awscli also caches the assume-role credentials for each profile.
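To make the credential_process contract concrete, here is an added example (written for this page, not the project's code) of a minimal credential_process helper: it calls sts.get_session_token() with the MFA code, caches the result under ~/.aws/cli/cache with mode 0600, and only prompts again once the cached credentials are within five minutes of expiry. The cache file name, the MFA serial, the 12-hour duration and the FakeSTS stand-in are assumptions made for the example; the __main__ block shows how the same function would be wired to a real boto3 client.

```python
import json
import os
import sys
import tempfile
from datetime import datetime, timedelta, timezone

# Assumptions made for this example: cache location, MFA device and session
# lifetime (STS accepts 900 to 129600 seconds for get_session_token).
CACHE_PATH = os.path.expanduser("~/.aws/cli/cache/bastion-sts.json")
MFA_SERIAL = "arn:aws:iam::123456789012:mfa/aidan-melen"
DURATION_SECONDS = 43200
REFRESH_MARGIN = timedelta(minutes=5)  # credentials this close to expiry count as expired


def load_cached(path, now):
    """Return the cached credential_process document if it is still usable, else None."""
    try:
        with open(path) as fh:
            creds = json.load(fh)
        expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    except (OSError, ValueError, KeyError):
        return None
    if expiration - now < REFRESH_MARGIN:
        return None
    return creds


def fetch_session_token(sts, mfa_serial, token_code):
    """Call sts.get_session_token() with the MFA code and reshape the response into
    the Version 1 JSON document the awscli expects from a credential_process."""
    resp = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code,
                                 DurationSeconds=DURATION_SECONDS)
    c = resp["Credentials"]
    return {
        "Version": 1,
        "AccessKeyId": c["AccessKeyId"],
        "SecretAccessKey": c["SecretAccessKey"],
        "SessionToken": c["SessionToken"],
        "Expiration": c["Expiration"].astimezone(timezone.utc).isoformat(),
    }


def write_cache(path, creds):
    """Write the cache atomically and owner-readable only (mode 0600)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def get_credentials(sts, mfa_serial, cache_path, prompt, now=None):
    """Return (credentials, prompted); prompt() is only called on a cache miss."""
    now = now or datetime.now(timezone.utc)
    cached = load_cached(cache_path, now)
    if cached is not None:
        return cached, False
    creds = fetch_session_token(sts, mfa_serial, prompt(mfa_serial))
    write_cache(cache_path, creds)
    return creds, True


class FakeSTS:
    """Constructed stand-in for a boto3 STS client so the example runs offline."""
    def __init__(self, now):
        self.now, self.calls = now, 0

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds):
        if not (len(TokenCode) == 6 and TokenCode.isdigit()):
            raise ValueError("TokenCode must be six digits")
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE%d" % self.calls,
            "SecretAccessKey": "fake-secret", "SessionToken": "fake-token",
            "Expiration": self.now + timedelta(seconds=DurationSeconds)}}


def demo():
    """Offline walk-through against a fresh cache: calls at +0 h, +1 h and +12 h.
    Only the first and the third should prompt for an MFA code."""
    start = datetime(2019, 9, 14, 12, 0, tzinfo=timezone.utc)
    sts = FakeSTS(start)
    cache = os.path.join(tempfile.mkdtemp(), "bastion-sts.json")
    codes = iter(["123456", "654321"])  # the two MFA codes a user would type
    results = []
    for hours in (0, 1, 12):
        sts.now = start + timedelta(hours=hours)
        creds, prompted = get_credentials(sts, MFA_SERIAL, cache,
                                          lambda serial: next(codes), sts.now)
        results.append((creds["AccessKeyId"], prompted))
    return {"results": results, "sts_calls": sts.calls,
            "cache_mode": oct(os.stat(cache).st_mode & 0o777)}


if __name__ == "__main__":
    import getpass
    import boto3  # only needed when wired up as a real credential_process
    sts_client = boto3.Session(profile_name="bastion").client("sts")
    creds, _ = get_credentials(sts_client, MFA_SERIAL, CACHE_PATH,
                               lambda serial: getpass.getpass("Enter MFA code for %s: " % serial))
    json.dump(creds, sys.stdout)  # stdout must carry nothing but the JSON document
```

The awscli parses everything the process prints on stdout as JSON, which is why the MFA prompt goes through getpass (it talks to the controlling terminal) rather than print. Within a single awscli invocation botocore re-runs the process only after the returned Expiration passes; across invocations it is the on-disk cache that keeps the prompt from reappearing.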

Special Usage

The bastion sub-commands can also write credentials to the ~/.aws/credentials file, in addition to caching them under the ~/.aws/cli/cache directory. This is needed for tools such as Terraform that read ~/.aws/credentials directly and do not use the awscli cache. Note that this leaves short-lived but still usable STS credentials on disk in plaintext, so keep the file mode at 0600 and let them expire rather than copying them elsewhere.

Define an aws bastion alias in ~/.aws/cli/alias to run the steps for every profile in one go:

[toplevel]

bastion =
    !f() {
        if [ $# -eq 0 ]
        then
            bastion get-session-token --write-to-aws-shared-credentials-file || return 1
        else
            bastion get-session-token --write-to-aws-shared-credentials-file --mfa-code "$1" || return 1
        fi
        bastion assume-role dev-admin &&
        bastion assume-role stage-poweruser &&
        bastion assume-role prod-spectator &&
        echo "Successfully assumed roles in all AWS accounts!"
    }; f

Write STS credentials to the AWS shared credentials file with the aws bastion alias:

$ aws bastion
Enter MFA code for arn:aws:iam::123456789012:mfa/aidan-melen:
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!

Now your bastion-sts and assume role profiles will be populated with sts credentials.

Bastion Minimal

If you would rather not hand the admin credentials for your AWS accounts to a third-party package and its dependency tree, awscli_bastion/minimal.py is a single script that offers minimal bastion functionality. It is intended to be quick to read and audit, and it uses as few Python libraries as possible to keep the supply-chain exposure small.

Define an aws bastion-minimal alias in ~/.aws/cli/alias to run the steps for every profile; the first invocation receives the MFA code and populates bastion-sts, the later ones reuse that session:

[toplevel]

bastion-minimal =
    !f() {
        TOKEN_CODE="$1"

        bastion-minimal dev-admin ${TOKEN_CODE:+"$TOKEN_CODE"} &&
        bastion-minimal stage-poweruser &&
        bastion-minimal prod-spectator

        if [ $? -eq 0 ]
        then
            echo "Successfully assumed roles in all AWS accounts!"
        else
            echo "Failed to assume roles in all AWS accounts :("
        fi
    }; f

Write sts credentials to the ~/.aws/credentials file with our aws bastion-minimal alias command:

$ aws bastion-minimal 123456
Setting the 'bastion-sts' profile with sts get session token credentials.
Setting the 'dev-admin' profile with sts assume role credentials.
Setting the 'stage-poweruser' profile with sts assume role credentials.
Setting the 'prod-spectator' profile with sts assume role credentials.
Successfully assumed roles in all AWS accounts!

Now your bastion-sts and assume role profiles will be populated with sts credentials.
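As an added example for both the aws bastion alias above and the minimal script in this section (illustrative code written for this page, not awscli_bastion/minimal.py), the script below takes a list of profile names, looks up each one's role_arn and source_profile in ~/.aws/credentials, calls sts.assume_role() with the session credentials already stored in bastion-sts (as written by get-session-token --write-to-aws-shared-credentials-file), and writes the resulting keys back into each profile atomically with mode 0600. The sample credentials file, the FakeSTS stand-in (which refuses session credentials that are not MFA-backed, as a role trust policy conditioned on aws:MultiFactorAuthPresent would), the session name and the extra expiration key are constructed for the example.

```python
import configparser
import os
import tempfile
from datetime import datetime, timedelta, timezone

KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

# Constructed sample mirroring the profiles above: bastion-sts already holds the
# session credentials that get-session-token wrote; the role profiles do not yet.
SAMPLE_CREDENTIALS = """\
[bastion]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
source_profile = bastion
aws_access_key_id = ASIAEXAMPLESESSION
aws_secret_access_key = fake-secret
aws_session_token = mfa-session-token
[dev-admin]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts
[stage-poweruser]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts
[prod-spectator]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts
"""


def session_credentials(cfg, profile):
    """Short-lived keys held by a profile; a missing token means get-session-token has not run yet."""
    if not all(cfg.has_option(profile, k) for k in KEYS):
        raise RuntimeError("profile %s has no session credentials yet" % profile)
    return {k: cfg.get(profile, k) for k in KEYS}


def write_credentials(cfg, path):
    """Rewrite the credentials file atomically and owner-readable only (mode 0600)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def refresh_profiles(path, profiles, sts_factory, session_name="bastion-minimal"):
    """assume_role into each profile with its source_profile's session credentials
    and write the resulting keys back into the shared credentials file."""
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cfg.read(path)
    for profile in profiles:
        source = cfg.get(profile, "source_profile")  # bastion-sts in the layout above
        sts = sts_factory(session_credentials(cfg, source))
        c = sts.assume_role(RoleArn=cfg.get(profile, "role_arn"),
                            RoleSessionName=session_name)["Credentials"]
        for key, value in zip(KEYS, (c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"])):
            cfg.set(profile, key, value)
        cfg.set(profile, "expiration", c["Expiration"].astimezone(timezone.utc).isoformat())
    write_credentials(cfg, path)
    return cfg


class FakeSTS:
    """Constructed stand-in for boto3.client("sts", **session_credentials); no network.
    It refuses non-MFA sessions, as a role trust policy conditioned on MFA would."""
    def __init__(self, creds):
        self.creds = creds

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        if not self.creds["aws_session_token"].startswith("mfa-"):
            raise PermissionError("role trust policy requires an MFA-backed session")
        account = RoleArn.split(":")[4]
        return {"Credentials": {
            "AccessKeyId": "ASIA" + account, "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-token-" + RoleArn.rsplit("/", 1)[1],
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds)}}


def demo():
    """Offline walk-through: assume all three roles, then re-read the file from disk."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    refresh_profiles(path, ["dev-admin", "stage-poweruser", "prod-spectator"], FakeSTS)
    reread = configparser.ConfigParser(interpolation=None)
    reread.read(path)
    return {"keys": {p: reread.get(p, "aws_access_key_id") for p in reread.sections()},
            "mode": oct(os.stat(path).st_mode & 0o777)}


if __name__ == "__main__":
    import sys
    import boto3  # only needed when run against the real ~/.aws/credentials
    real_sts = lambda c: boto3.client("sts", aws_access_key_id=c["aws_access_key_id"],
                                      aws_secret_access_key=c["aws_secret_access_key"],
                                      aws_session_token=c["aws_session_token"])
    refresh_profiles(os.path.expanduser("~/.aws/credentials"), sys.argv[1:], real_sts)
```

Two caveats when adapting this: configparser drops comments when it rewrites the file, so a commented ~/.aws/credentials like the one shown under Configure loses its comments after the first run; and the extra expiration key is ignored by the awscli but tells you when the keys in each profile stop working.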

Credits

This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.

Project Statistics

Sourcerank 3
Repository Size 162 KB
Stars 0
Forks 0
Watchers 1
Open issues 0
Dependencies 9
Contributors 1
Tags 5

Top Contributors

Aidan Melen

Packages Referencing this Repo

awscli-bastion
Latest release 0.6.0

Recent Tags

v0.4.0 September 14, 2019
0.4.0 September 14, 2019
0.3.0 September 14, 2019
v0.3.0 September 14, 2019
v0.2.0 September 14, 2019


Last synced: 2019-09-17 02:58:41 UTC
