remind101 / assume-role
Easily assume AWS roles in your terminal.
License: BSD 2-Clause "Simplified" License
I have installed using go get -u github.com/remind101/assume-role
I can run it if I am in $GOBIN and run ./assume-role but just running assume-role on my shell does not work.
I am using zsh and below is my go env
GOARCH="amd64"
GOBIN="/home/user/go/bin"
GOCACHE="/home/user/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/user/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build666753700=/tmp/go-build -gno-record-gcc-switches"
I get the same issue on bash too so I do not think this is a shell issue but I could be wrong.
It would be nice if I could use assume-role to execute a binary with temporary credentials from GetSessionToken, like it can with AssumeRole. Unfortunately, this needs to happen upstream in the AWS SDK's first.
A use case would be to use assume-role to call GetSessionToken with the MFA token code first, then let another downstream binary assume roles with those creds, since it wouldn't need to know anything about MFA.
Observing that the output of aws sts assume-role includes the Expiration, I'd like to capture that data rather than discard it.
$ aws sts assume-role --role-arn "$role_arn" --serial-number "$mfa_serial" --token-code "$(totp_generator -s aws)" --role-session-name "$(id -un)"
{
"Credentials": {
"AccessKeyId": "AAAAAAAAAAAAAAAAAAAA",
"SecretAccessKey": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"SessionToken": "AAAAAAAAAAAAAAA//////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"Expiration": "2019-01-12T21:23:08Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AAAAAAAAAAAAAAAAAAAAA:bruno",
"Arn": "arn:aws:sts::000000000000:assumed-role/allow-read-access-from-other-accounts/bruno"
}
}
I think a good name for this variable is AWS_SESSION_EXPIRATION to follow the pattern of most of the other variables. (That said, I also think ASSUMED_ROLE should be AWS_ASSUMED_ROLE, but that's a non backwards compatible change, and easy enough to fix with a wrapper.)
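One way to keep the expiry instead of discarding it, as an added example that is not part of the issue thread or the project's code. The function names `exportLines` and `expiresWithin` and the sample JSON are hypothetical; `AWS_SESSION_EXPIRATION` is the name proposed in the issue above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample shaped like the STS output above; placeholder key material.
const sampleSTS = `{"Credentials": {"AccessKeyId": "EXAMPLEKEYID",
  "SecretAccessKey": "EXAMPLESECRET", "SessionToken": "EXAMPLETOKEN",
  "Expiration": "2019-01-12T21:23:08Z"}}`

type stsOutput struct {
	Credentials struct {
		AccessKeyId, SecretAccessKey, SessionToken string
		Expiration                                  time.Time
	}
}

// exportLines parses STS JSON and returns shell export lines that keep the
// expiry as AWS_SESSION_EXPIRATION, plus the parsed expiry itself.
func exportLines(raw []byte) ([]string, time.Time, error) {
	var out stsOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, time.Time{}, err
	}
	c := out.Credentials
	if c.Expiration.IsZero() {
		return nil, time.Time{}, fmt.Errorf("response carries no Expiration")
	}
	// Assumption: STS values are base64-like, so %q quoting is shell-safe here.
	return []string{
		fmt.Sprintf("export AWS_ACCESS_KEY_ID=%q", c.AccessKeyId),
		fmt.Sprintf("export AWS_SECRET_ACCESS_KEY=%q", c.SecretAccessKey),
		fmt.Sprintf("export AWS_SESSION_TOKEN=%q", c.SessionToken),
		fmt.Sprintf("export AWS_SESSION_EXPIRATION=%q", c.Expiration.UTC().Format(time.RFC3339)),
	}, c.Expiration, nil
}

// expiresWithin reports whether the credentials lapse within margin of now.
func expiresWithin(exp, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(exp)
}

func main() {
	lines, exp, err := exportLines([]byte(sampleSTS))
	fmt.Println(lines, expiresWithin(exp, time.Now(), 5*time.Minute), err)
}
```

A wrapper can call `expiresWithin` before starting a long deployment and re-assume the role when it returns true.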
I have a long running stack deployment (CloudFront), using this with Serverless, MFA, and just had the whole thing quit with "The security token included in the request is expired".
What to do?
After running the command assume-role along with
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_SESSION_TOKEN=""
export AWS_SECURITY_TOKEN=""
export ASSUMED_ROLE=""
is it possible to add also export AWS_PROFILE=profile name?
OR
replace ASSUMED_ROLE with AWS_PROFILE?
If you have AWS_* environment variables already set in your shell, then run assume-role, the old values will not be overridden.
This happens because os.Getenv() returns a []string and we simply append onto this.
The safest thing to do is probably remove any existing AWS_* environment variables.
/cc @phobologic
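The fix suggested in the issue above, removing existing AWS_* variables before adding the new ones, sketched as an added example that is not the project's code. The function name `replaceAWSEnv` and the sample values are hypothetical; the environment is read with `os.Environ()`.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// replaceAWSEnv returns a copy of env with every AWS_* entry dropped and the
// freshly issued credentials appended, so stale values cannot shadow them.
func replaceAWSEnv(env []string, fresh map[string]string) []string {
	out := make([]string, 0, len(env)+len(fresh))
	for _, kv := range env {
		name := strings.SplitN(kv, "=", 2)[0]
		if strings.HasPrefix(name, "AWS_") {
			continue // stale credential, profile or region setting
		}
		out = append(out, kv)
	}
	// Append in sorted order so the resulting environment is deterministic.
	keys := make([]string, 0, len(fresh))
	for k := range fresh {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		out = append(out, k+"="+fresh[k])
	}
	return out
}

func main() {
	// Constructed placeholder values standing in for a fresh STS response.
	fresh := map[string]string{
		"AWS_ACCESS_KEY_ID": "EXAMPLEKEYID",
		"AWS_SESSION_TOKEN": "EXAMPLETOKEN",
	}
	for _, kv := range replaceAWSEnv(os.Environ(), fresh) {
		if strings.HasPrefix(kv, "AWS_") {
			fmt.Println(strings.SplitN(kv, "=", 2)[0]) // names only, never values
		}
	}
}
```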
Steps
$ brew install assume-role
result 🍺 /usr/local/Cellar/assume-role/0.3.1: 3 files, 7.6MB, built in 2 seconds
assume-role dev
zsh: segmentation fault assume-role
Hey @ejholmes,
thanks for a great tool. Would you accept PR adding support for --duration-seconds param?
AWS_DATA_PATH for the default path to the AWS configs (with perhaps the current fallback of HOME)
AWS_CONFIG_FILE for the path to the standard config file
AWS_SHARED_CREDENTIALS_FILE for the path to the credentials file
When working with multiple AWS accounts, setting default credentials with environment variables is potentially dangerous. The tool should (at least via an optional flag) add a visible notification to terminal prompt to remind use which role has been assumed.
For now, I have a wrapper for this: assume-role-prompt.
I'm sorry. I accidentally opened the issue
Hi there,
I am using assume-role to persist an AWS role and keep from having to re-enter 2FA token for every command. It is working great! Thanks for this very useful tool!
How long does an assume-role session last, by default? Can that value be re-configured? Would be great to see a bit of info about that in the Readme.
Hi Getting below error when using assume-role
assume-role service | grep AWS | sed 's\export \'$'\n' | sed 's"\g' >> $HOME/.env
WARNING: using deprecated role file (/home/circleci/.aws/roles), switch to config file (https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x6d57df]
goroutine 1 [running]:
main.printCredentials(0x7fffd91a2fc3, 0x7, 0x0)
/home/circleci/.go_workspace/src/github.com/remind101/assume-role/main.go:134 +0x4f
main.main()
/home/circleci/.go_workspace/src/github.com/remind101/assume-role/main.go:101 +0x2ef
Exited with code 1
The last release for this project was over 2 years ago. Yet, there is active development on it. Could somebody create a release to pick up the changes?
Specifically, I would like to use the --format bash option.
It just returns nothing. No logs, no debuggability. Thanks.
Set AWS_DEFAULT_REGION as well if set in profile config
I use git-bash on windows (what you get when you install git for windows).
I get the following error when running assume-role.
I assume it is because the app is expecting to only be run from powershell when on windows?
MinGW 01:53:33 ~/workspace/go/src/github.com/xxx/xxx$ assume-role eo
$env:AWS_ACCESS_KEY_ID="xxx"
$env:AWS_SECRET_ACCESS_KEY="xxx"
$env:AWS_SESSION_TOKEN=""
$env:AWS_SECURITY_TOKEN=""
$env:ASSUMED_ROLE="xx"
# Run this to configure your shell:
# C:\Users\xxx\workspace\programs\bin\assume-role.exe eo | Invoke-Expression
MinGW 01:53:41 ~/workspace/go/src/github.com/xxx/xxx$ $(assume-role eo)
bash: $env:AWS_ACCESS_KEY_ID="xxx": command not found
Can you please add instructions for building from source? (including for people unfamiliar with Go) I want to try the workaround in #54 (comment) but not sure how to build.
Would be really cool to have assume-role distributed as a snap for linux. Any thoughts on this? It doesn't seem too hard: https://docs.snapcraft.io/go-applications
LICENSE file to the repo
the generated commands don't work properly in fish https://fishshell.com/.
The correct syntax for fish would be
set -gx AWS_ACCESS_KEY_ID 1234
...
If you eval, then wait 1 hour, then eval again, the call to AssumeRole fails because the existing credentials are present in the environment:
$ eval $(assume-role role)
$ sleep 1 hour
$ eval $(assume-role role)
A client error (ExpiredToken) occurred when calling the AssumeRole operation: The security token included in the request is expired
aws/aws-sdk-go#2201 was merged a few days ago, please update the aws-sdk-go so assume-role is able to assume roles from EC2 instance metadata:
[acme-internal]
credential_source = Ec2InstanceMetadata
[acme-dev]
role_arn = arn:aws:iam::ACCOUNTID:role/service-role/ci-cd-prod-gitlab-runner
credential_source = Ec2InstanceMetadata
~/.aws/roles duplicates the settings in ~/.aws/config, which users will already have set if they use profiles with the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html). Can these be parsed directly out of ~/.aws/config instead of creating a new file?
I'm using the credential_process config in .aws/credentials. For ex:
[my-1p-profile]
credential_process = sh -c "op get item 'AWS -...
This allows me to pull my access key and secret key pair from a password manager. But if I use this profile as the source_profile for assuming a role using assume-role, I get the following error:
panic: SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::REDACTED:role/REDACTED, source profile has no shared credentials
It could be a great addition to support this type of configuration.
Should the latest release 0.3.2 install with brew?
$ brew upgrade remind101/formulae/assume-role
Error: remind101/formulae/assume-role 0.3.1 already installed
It would be great if there was a command line option that allows the user to supply the MFA code instead of using the tty after executing it.
Something like:
assume-role stage --mfa-code=123456
Hi,
I ran "assume-role dev"
$ assume-role dev
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_SESSION_TOKEN="..."
export AWS_SECURITY_TOKEN="..."
export ASSUMED_ROLE="dev"
# Run this to configure your shell:
# eval $(assume-role dev)
Then I ran the eval to configure the console:
$ eval $(assume-role dev)
But it shows the above info again. It seems it doesn't apply the eval command anywhere.
I'm using macOS Mojave (10.14.6).
Any ideas on what might be happening?
thanks in advance
AWS's assume role capability sometimes requires an "external ID" be specified (documentation.) Currently the assume-role tool doesn't have a way for a user to specify that external ID, meaning that it cannot be used to assume any roles that are configured to check for it.
Adding this is just a matter of setting the ExternalId parameter here. I'd be happy to send a PR to wire in the feature, is this repo still active and accepting PRs?
Using the AWS go SDK (https://docs.aws.amazon.com/sdk-for-go/api/service/sts/) would make assume-role a self-contained binary instead of depending on the aws CLI. Not urgent, the CLI is easy to install; mostly interested if there's any reason why you prefer using the CLI instead of the SDK.
I have the main two aws environment variables already set:
MinGW 04:43:03 ~$ printenv | sort | grep AWS
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx
When I run assume-role, it doesn't ask for my MFA and it just spits out the current variables:
MinGW 04:43:06 ~$ assume-role.exe eo
$env:AWS_ACCESS_KEY_ID="xxx"
$env:AWS_SECRET_ACCESS_KEY="xxx"
$env:AWS_SESSION_TOKEN=""
$env:AWS_SECURITY_TOKEN=""
$env:ASSUMED_ROLE="eo"
# Run this to configure your shell:
# C:\Users\xxx\workspace\programs\bin\assume-role.exe eo | Invoke-Expression
However, if I unset those environment variables, assume-role works properly and asks for my MFA and then gives me new environment variables.