remind101 / assume-role Goto Github PK

Hi,

I ran "assume-role dev"

$ assume-role dev
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_SESSION_TOKEN="..."
export AWS_SECURITY_TOKEN="..."
export ASSUMED_ROLE="dev"
# Run this to configure your shell:
# eval $(assume-role dev)

Then I ran the eval to configure the console:

$eval $(assume-role dev)

But it shows the above info again. It seems it don't apply the eval command anywhere.

I'm using macOS Mojave (10.14.6).

Any ideas on what might be happening?

thanks in advance

Hi there,

I am using assume-role to persist an AWS role and keep from having to re-enter 2FA token for every command. It is working great! Thanks for this very useful tool!

How long does an assume-role session last, by default? Can that value be re-configured? Would be great to see a bit of info about that in the Readme.

I have the main two aws environment variables already set:

MinGW 04:43:03 ~$ printenv | sort | grep AWS
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx

When I run assume-role, it doesn't ask for my MFA and it just spits out the current variables:

MinGW 04:43:06 ~$ assume-role.exe eo
$env:AWS_ACCESS_KEY_ID="xxx"
$env:AWS_SECRET_ACCESS_KEY="xxx"
$env:AWS_SESSION_TOKEN=""
$env:AWS_SECURITY_TOKEN=""
$env:ASSUMED_ROLE="eo"
# Run this to configure your shell:
# C:\Users\xxx\workspace\programs\bin\assume-role.exe eo | Invoke-Expression

However, if I unset those environment variables, assume-role works properly and asks for my MFA and then gives me new environment variables.

Using the AWS go SDK (https://docs.aws.amazon.com/sdk-for-go/api/service/sts/) would make assume-role a self-contained binary instead of depending on the aws CLI. Not urgent, the CLI is easy to installl; mostly interested if there's any reason why you prefer using the CLI instead of the SDK.

When working with multiple AWS accounts, setting default credentials with environment variables is potentially dangerous. The tool should (at least via an optional flag) add a visible notification to terminal prompt to remind use which role has been assumed.

For now, I have a wrapper for this: assume-role-prompt.

If you have AWS_* environment variables already set in your shell, then run assume-role, the old values will not be overridden.

This happens because os.Getenv() returns a []string and we simply append onto this.

The safest thing to do is probably remove any existing AWS_* environment variables.

/cc @phobologic

Can you please add instructions for building from source? (including for people unfamiliar with Go) I want to try the workaround in #54 (comment) but not sure how to build.

I use git-bash on windows (what you get when you install git for windows).
I get the following error when running assume-role.
I assume it is because the app is expecting to only be run from powershell when on windows?

MinGW 01:53:33 ~/workspace/go/src/github.com/xxx/xxx$ assume-role eo
$env:AWS_ACCESS_KEY_ID="xxx"
$env:AWS_SECRET_ACCESS_KEY="xxx"
$env:AWS_SESSION_TOKEN=""
$env:AWS_SECURITY_TOKEN=""
$env:ASSUMED_ROLE="xx"
# Run this to configure your shell:
# C:\Users\xxx\workspace\programs\bin\assume-role.exe eo | Invoke-Expression
MinGW 01:53:41 ~/workspace/go/src/github.com/xxx/xxx$ $(assume-role eo)
bash: $env:AWS_ACCESS_KEY_ID="xxx": command not found

Hey @ejholmes,

thanks for a great tool. Would you accept PR adding support for --duration-seconds param?

after running the command assume-role

along with

export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_SESSION_TOKEN=""
export AWS_SECURITY_TOKEN=""
export ASSUMED_ROLE="" 

is it possible to add also export AWS_PROFILE=profile name ?
OR
replace ASSUMED_ROLE with AWS_PROFILE ?

Would be really cool to have assume-role distributed as a snap for linux. Any thoughts on this? It doesn't seem too hard: https://docs.snapcraft.io/go-applications

aws/aws-sdk-go#2201 was merged a few days ago, please update the aws-sdk-go so assume-role is able to assume roles from EC2 instance metadata:

[acme-internal]
credential_source = Ec2InstanceMetadata

[acme-dev]
role_arn = arn:aws:iam::ACCOUNTID:role/service-role/ci-cd-prod-gitlab-runner
credential_source = Ec2InstanceMetadata

Set AWS_DEFAULT_REGION as well if set in profile config

If you eval, then wait 1 hour, then eval again, the call to AssumeRole fails because the existing credentials are present in the environment:

$ eval $(assume-role role)
$ sleep 1 hour
$ eval $(assume-role role)

A client error (ExpiredToken) occurred when calling the AssumeRole operation: The security token included in the request is expired

~/.aws/roles duplicates the settings in ~/.aws/config, which users will already have set if they use profiles with the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html). Can these be parsed directly out of ~/aws/config instead of creating a new file?

Steps

1. $ brew install assume-role
   result 🍺 /usr/local/Cellar/assume-role/0.3.1: 3 files, 7.6MB, built in 2 seconds

2. assume-role dev
   zsh: segmentation fault assume-role

I'm sorry. I accidentally opened the issue

the generated commands dont work properly in fish https://fishshell.com/.

The correct syntax for fish would be

set -gx AWS_ACCESS_KEY_ID=1234
...

Hi Getting below error when using assume-role

assume-role service | grep AWS | sed 's\export \'$'\n' | sed 's"\g' >> $HOME/.env

WARNING: using deprecated role file (/home/circleci/.aws/roles), switch to config file (https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x6d57df]

goroutine 1 [running]:
main.printCredentials(0x7fffd91a2fc3, 0x7, 0x0)
/home/circleci/.go_workspace/src/github.com/remind101/assume-role/main.go:134 +0x4f
main.main()
/home/circleci/.go_workspace/src/github.com/remind101/assume-role/main.go:101 +0x2ef
Exited with code 1

It would be great if there was a command line option that allows the user to supply the MFA code instead of using the tty after executing it.

Something like:

assume-role stage --mfa-code=123456

what

• Support AWS_DATA_PATH for the default path to the AWS configs (with perhaps the current fallback of HOME)
• Support AWS_CONFIG_FILE for the path to the standard config file
• Support AWS_SHARED_CREDENTIALS_FILE for the path to the credentials file

why

• Interoperability with other tools
• Embrace current conventions

references

• https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
• https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html

I have a long running stack deployment (CloudFront), using this with Serverless, MFA, and just had the whole thing quit with "The security token included in the request is expired".

What to do?

The last release for this project was over 2 years ago. Yet, there is active development on it. Could somebody create a release to pick up the changes?

Specifically, I would to use the --format bash option.

It just returns nothing. No logs, no debuggability. Thanks.

I'm using the credential_process config in .aws/credentials. For ex:

[my-1p-profile]
credential_process = sh -c "op get item 'AWS -...

This allows me to pull my access key and secret key pair from a password manager. But if I use this profile as the source_profile for assuming a role using assume-role, I get the following error:

panic: SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::REDACTED:role/REDACTED, source profile has no shared credentials

It could be a great addition to support this type of configuration.

I have installed using go get -u github.com/remind101/assume-role

I can run it if I am in $GOBIN and run ./assume-role but just running assume-role on my shell does not work.

I am using zsh and below is my go env

GOARCH="amd64"
GOBIN="/home/user/go/bin"
GOCACHE="/home/user/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/user/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build666753700=/tmp/go-build -gno-record-gcc-switches"

I get the same issue on bash too so I do not think this is a shell issue but I could be wrong.

what

• Add a LICENSE file to the repo

why

• It's not clear what license this software is released under

AWS's assume role capability sometimes requires an "external ID" be specified (documentation.) Currently the assume-role tool doesn't have a way for a user to specify that external ID, meaning that it cannot be used to assume any roles that are configured to check for it.

Adding this is just a matter of setting the ExternalId parameter here. I'd be happy to send a PR to wire in the feature, is this repo still active and accepting PRs?

Should the latest release 0.3.2 install with brew?

$ brew upgrade remind101/formulae/assume-role
Error: remind101/formulae/assume-role 0.3.1 already installed

It would be nice if I could use assume-role to execute a binary with temporary credentials from GetSessionToken, like it can with AssumeRole. Unfortunately, this needs to happen upstream in the AWS SDK's first.

A use case would be to use assume-role to call GetSessionToken with the MFA token code first, then let another downstream binary assume roles with those creds, since it wouldn't need to know anything about MFA.

Observing that the output of aws sts assume-role includes the Expiration, I'd like to capture that data rather than discard it.
$ aws sts assume-role --role-arn "$role_arn" --serial-number "$mfa_serial" --token-code "$(totp_generator -s aws)" --role-session-name "$(id -un)"
{
"Credentials": {
"AccessKeyId": "AAAAAAAAAAAAAAAAAAAA",
"SecretAccessKey": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"SessionToken": "AAAAAAAAAAAAAAA//////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"Expiration": "2019-01-12T21:23:08Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AAAAAAAAAAAAAAAAAAAAA:bruno",
"Arn": "arn:aws:sts::000000000000:assumed-role/allow-read-access-from-other-accounts/bruno"
}
}

I think a good name for this variable is AWS_SESSION_EXPIRATION to follow the pattern of most of the other variables. (That said, I also think ASSUMED_ROLE should be AWS_ASSUMED_ROLE, but that's a non backwards compatible change, and easy enough to fix with a wrapper.)