
aws-switchrole

a script to generate temporary credentials for aws roles.

use it if you need environment variablised credentials for use with tools that don't support role switching (looking at you apex).

usage

provide a profile name that you have configured in ~/.aws/config

$ aws-switchrole.py --profile profile-name [--duration-seconds <secs>]

if you don't provide a profile, you'll be asked to pick from a list.

optionally, provide a period of time you'd like the generated credentials to be valid for, in seconds (--duration-seconds). the minimum is 15 mins (900s). the maximum is 12 hrs (43200s). aws will raise an exception if the value is outside that range. defaults to 1 hr (3600s).

the script then uses the profile's role_arn to run aws sts assume-role and prints the resulting credentials as export commands, ready for you to use. for example:

export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx
export AWS_SECURITY_TOKEN=xxx

paste 'em into your shell and you're good to go for a while. creds last for one hour by default. sadly a child process can't modify its parent's environment, so copying and pasting into your shell will have to do.

optionally, the '--copy' option copies the exports to the clipboard automatically.

Installation

  1. pip install aws-switchrole
  2. ensure your ~/.aws/credentials and ~/.aws/config files are configured. i use the latter for profiles:

     $ cat ~/.aws/credentials
     [default]
     aws_access_key_id = XXX
     aws_secret_access_key = XXX

     $ cat ~/.aws/config
     [profile samplerole]
     output = json
     region = us-east-1
     role_arn = arn:aws:iam::${aws_account_id_with_target_role}:role/SampleRoleName
     mfa_serial = arn:aws:iam::${aws_account_id_with_iam_info}:mfa/your.iam.username
     source_profile = default
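As an added example (not the project's own code), the steps described in the usage and installation sections in plain Python: reading a profile from ~/.aws/config, turning it into an STS AssumeRole request (also covering the external_id and stale-session-token cases raised in the issues below), and rendering the export lines. The account ids, role and profile names in the sample config are constructed; boto3 is only needed for the live call.

```python
"""Added example, not the project's own code: build an STS AssumeRole request
from an ~/.aws/config profile and render the credentials as export lines."""
import configparser

MIN_SECS, MAX_SECS, DEFAULT_SECS = 900, 43200, 3600  # STS limits quoted in the README

# Constructed sample config (hypothetical account ids and role names).
SAMPLE_CONFIG = """
[profile samplerole]
role_arn = arn:aws:iam::111111111111:role/SampleRoleName
mfa_serial = arn:aws:iam::222222222222:mfa/your.iam.username
source_profile = default
external_id = some-external-id
"""

def load_profile(config_text, name):
    """Return the [profile <name>] section of an ~/.aws/config as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = "default" if name == "default" else "profile %s" % name
    if not cp.has_section(section):
        raise KeyError("profile %r not found in config" % name)
    return dict(cp[section])

def assume_role_kwargs(profile, session_name, duration=DEFAULT_SECS):
    """Map a profile to sts.assume_role keyword arguments; the duration is
    checked locally instead of relying on the AWS exception."""
    if not MIN_SECS <= duration <= MAX_SECS:
        raise ValueError("duration must be %d..%d seconds" % (MIN_SECS, MAX_SECS))
    kw = {"RoleArn": profile["role_arn"], "RoleSessionName": session_name,
          "DurationSeconds": duration}
    if "external_id" in profile:   # cross-account roles that require one
        kw["ExternalId"] = profile["external_id"]
    if "mfa_serial" in profile:    # MFA-protected role: device ARN (TokenCode is added at call time)
        kw["SerialNumber"] = profile["mfa_serial"]
    return kw

def export_lines(credentials):
    """Render the Credentials dict from sts.assume_role as export commands."""
    return ["export AWS_ACCESS_KEY_ID=%s" % credentials["AccessKeyId"],
            "export AWS_SECRET_ACCESS_KEY=%s" % credentials["SecretAccessKey"],
            "export AWS_SESSION_TOKEN=%s" % credentials["SessionToken"],
            "export AWS_SECURITY_TOKEN=%s" % credentials["SessionToken"]]

def fetch_credentials(profile, session_name, duration=DEFAULT_SECS):
    """Live call: use the source_profile (not inherited env vars, which may hold an
    expired session token) to call STS. Requires boto3 and real AWS credentials."""
    import boto3  # imported lazily so the pure functions above work offline
    sts = boto3.Session(profile_name=profile.get("source_profile", "default")).client("sts")
    return sts.assume_role(**assume_role_kwargs(profile, session_name, duration))["Credentials"]
```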

Development

PRs welcome and encouraged.

Contributed code has to be compatible with python 2 and python 3

Publishing

for my own benefit, mainly.

make sure ~/.pypirc is configured correctly for pypitest and pypi.

tag your latest commit

git tag -a 0.1 -m 'release notes'
git push --tags

upload to the test pypi with

python setup.py sdist upload -r pypitest

and the real one with

python setup.py sdist upload -r pypi

Set up

  • mkvirtualenv aws-switchrole
  • make requirements

Simulating package install

If you want to use the code as if it was installed in your virtualenv (for example to use the CLI tool while you develop):

  • pip install --editable . (where . is the path to the folder containing setup.py)


aws-switchrole's Issues

Missing License

@hybby could you add a license to this project? I might like to contribute a feature or two.

external_id not supported

Hi,

Didn't work when the role switch needs an external-id parameter.

What worked for me:

  • Extracted the external_id parameter from the profile in ~/.aws/config
  • added the --external-id parameter to the sts cmd
  • Removed the --profile parameter from the sts cmd. If not, the sts assume-role fails with:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::0000000:assumed-role/somerole/botocore-session-000000 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0000000:role/somerole

The final cmd is:
['/usr/local/bin/aws', 'sts', 'assume-role', '--role-arn', 'arn:aws:iam::0000000:role/somerole', '--role-session-name', 'someprofile-00000000', '--external-id', 'some-external-id']

My ~/.aws/config
[default]
region = my-region

[profile someprofile]
role_arn = arn:aws:iam::000000:role/some_role
source_profile = default
external_id = some-external-id

My ~/.aws/credentials
[default]
aws_access_key_id = KEY
aws_secret_access_key = SECRET

Allow aws-switchrole to work with multiple account structure (AWS Organizations)

Hello!

First off; thanks for a great tool!

Where I am currently working we have a setup with multiple aws accounts under one root account. All our users have an IAM user in our root account and are then allowed to assume different roles in the sub-accounts using cross-account policies.

With this tool defaulting to using the actual profile when assuming the role (https://github.com/hybby/aws-switchrole/blob/master/aws-switchrole.py#L149) it will fail for all assumes that do not specifically target a role in the sub-account that has sts:assumeRole privilege.

At least that's what I think is happening :-)

Looking into fixing this by adding an option to use default credentials when assuming the role chosen.

Example config:

[default]
region = eu-west-1
output = json
[preview]
cloudfront = true

[profile dr-account3]
role_arn = arn:aws:iam::1234567899:role/Administrator
source_profile = default
region = eu-west-1

[profile dr-account2]
source_profile = dr-otherprofile
region = eu-west-1

[profile dr-account1]
role_arn = arn:aws:iam::123456789:role/Implementation
source_profile = default
region = eu-west-1

Default credentials:

[default]
aws_access_key_id = AKIASOMKEY
aws_secret_access_key = SOMESECRET

Unset tokens before renew.

The tokens must be cleared after the session has expired, so they can be renewed again.

unset AWS_SESSION_TOKEN
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY

if not, the script will try to get the tokens with the expired session:

An error occurred (ExpiredToken) when calling the AssumeRole operation: The security token included in the request is expired
