Latest commit 331dd7d Dec 30, 2019
aws-cli-multi-account-sessions

bash functions to help run aws-cli commands across roles in multiple accounts with MFA

Blog Post

For more background information and an explanation of how to use this, please read this blog post:

https://alestic.com/2019/12/aws-cli-across-organization-accounts/

You didn't read that, did you?

Ok, here are the quick notes I use to set this up and use it in my accounts.

Setup

Clone this repo wherever you like:

mkdir -p $HOME/src && (
  cd     $HOME/src &&
  git clone git@github.com:alestic/aws-cli-multi-account-sessions.git
)

Add something like this to $HOME/.bashrc using the values for source_profile and mfa_serial from your aws-cli config file.

# https://github.com/alestic/aws-cli-multi-account-sessions
test -x $HOME/src/aws-cli-multi-account-sessions/functions.sh &&
 source $HOME/src/aws-cli-multi-account-sessions/functions.sh
export AWS_SESSION_SOURCE_PROFILE=default
export AWS_SESSION_MFA_SERIAL=arn:aws:iam::YOUR_ACCOUNT:mfa/YOUR_USER

Then load it up in your current shell:

source $HOME/.bashrc

Usage

Specify the role you can assume in all accounts:

role="admin" # Yours might be called "OrganizationAccountAccessRole"

Get a list of all accounts in the AWS Organization:

accounts=$(aws organizations list-accounts \
  --output text \
  --query 'Accounts[].[JoinedTimestamp,Status,Id,Email,Name]' |
  grep ACTIVE |
  sort |
  cut -f3) # just the ids
echo "$accounts"

Run once to create temporary session credentials with MFA:

aws-session-init

Iterate through AWS accounts using aws-session-set to specify the account/role you want to use for running commands. Run AWS CLI commands in that account/role by prefixing the command with aws-session-run.

for account in $accounts; do
  aws-session-set $account $role || continue

  this_account=$(aws-session-run \
                   aws sts get-caller-identity \
                     --output text \
                     --query 'Account')
  echo "Account: $account ($this_account)"

  aws-session-run aws s3 ls
done

Clear out bash variables holding temporary credentials:

aws-session-cleanup
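The four aws-session-* commands used above are defined in the project's functions.sh, whose contents are not reproduced here. What follows is an added example, not the project's code: a minimal POSIX-sh reimplementation of the same init/set/run/cleanup flow, showing where the single MFA prompt happens, why a failed role assumption is a skippable error, and how the role credentials reach only the command being run. It assumes AWS_SESSION_SOURCE_PROFILE and AWS_SESSION_MFA_SERIAL are set as in Setup, introduces an AWS_CLI variable naming the CLI binary (an assumption, default "aws"), and uses underscored function names in place of the hyphenated originals.

```shell
# Added example, not the project's functions.sh. AWS_CLI is an assumption
# (lets a test substitute a fake CLI); defaults to the real aws binary.
: "${AWS_CLI:=aws}"

# One MFA prompt: swap the profile's long-lived keys for session credentials.
# Every later assume-role reuses these, so the MFA code is entered only once.
aws_session_init() {
  _code=$1
  if [ -z "$_code" ]; then
    printf 'MFA code for %s: ' "$AWS_SESSION_MFA_SERIAL" >&2
    read -r _code
  fi
  _creds=$("$AWS_CLI" sts get-session-token \
      --profile "$AWS_SESSION_SOURCE_PROFILE" \
      --serial-number "$AWS_SESSION_MFA_SERIAL" \
      --token-code "$_code" \
      --output text \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]') || return 1
  set -- $_creds   # text output is tab-separated: key, secret, token
  AWS_SESSION_INIT_KEY=$1 AWS_SESSION_INIT_SECRET=$2 AWS_SESSION_INIT_TOKEN=$3
}

# Assume role $2 in account $1 using the MFA session credentials. Returns
# non-zero (so a loop can `|| continue`) when the role cannot be assumed.
aws_session_set() {
  _creds=$(AWS_ACCESS_KEY_ID=$AWS_SESSION_INIT_KEY \
           AWS_SECRET_ACCESS_KEY=$AWS_SESSION_INIT_SECRET \
           AWS_SESSION_TOKEN=$AWS_SESSION_INIT_TOKEN \
           "$AWS_CLI" sts assume-role \
      --role-arn "arn:aws:iam::$1:role/$2" \
      --role-session-name "multi-account-$1" \
      --output text \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]') || {
    echo "aws_session_set: cannot assume $2 in $1, skipping" >&2
    return 1
  }
  set -- $_creds
  AWS_SESSION_ROLE_KEY=$1 AWS_SESSION_ROLE_SECRET=$2 AWS_SESSION_ROLE_TOKEN=$3
}

# Run one command with the role credentials in its environment only; the
# interactive shell's environment (including any AWS_PROFILE) is untouched.
aws_session_run() {
  AWS_ACCESS_KEY_ID=$AWS_SESSION_ROLE_KEY \
  AWS_SECRET_ACCESS_KEY=$AWS_SESSION_ROLE_SECRET \
  AWS_SESSION_TOKEN=$AWS_SESSION_ROLE_TOKEN "$@"
}

# Drop every temporary credential from the shell.
aws_session_cleanup() {
  unset AWS_SESSION_INIT_KEY AWS_SESSION_INIT_SECRET AWS_SESSION_INIT_TOKEN \
        AWS_SESSION_ROLE_KEY AWS_SESSION_ROLE_SECRET AWS_SESSION_ROLE_TOKEN _creds _code
}
```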

Of course, this might not work for you if you don't have things set up quite the same way as I do. Perhaps you should go back and read the blog post above?

Author

Eric Hammond https://twitter.com/esh

Credit

All the good in this is based on example code from Jennine Townsend. All the bad is mine.
