A simple command-line tool to manage temporary STS credentials, written using the AWS SDK for Go. When run without options it will use GetCallerIdentity to display the current user identity. It can also get temporary credentials and inject them into a new shell process as CLI environment variables.
To see a full list of command-line options, use the -h or --help flag.
First, install Go. Then you can download and build with this one command:
go install github.com/simonbrady/aws-identity@latest
This will also download all required dependencies, and create the binary in your $GOBIN
directory ($HOME/go/bin if you haven't explicitly set it).
Get the account for the current user identity (which could be set through a named profile) then use AssumeRole to assume a named role in that account. Takes an optional MFA token code if the trust condition for assuming the role requires MFA.
aws-identity -r <role-name> [-t <token-code>]
e.g.
$ aws-identity -r admin -t 123456
Spawning /bin/bash for role arn:aws:iam::111122223333:role/admin
As above but takes the target account number to assume the role in.
aws-identity -a <account> -r <role-name> [-t <token-code>]
e.g.
$ aws-identity -a 444455556666 -r admin -t 234567
Spawning /bin/bash for role arn:aws:iam::444455556666:role/admin
Rather than assuming a new role identity, use GetSessionToken to generate temporary credentials for the current identity but with MFA.
aws-identity -t <token-code>
e.g.
$ aws-identity -t 345678
Spawning /bin/bash for user arn:aws:iam::111122223333:user/jrh
This is useful for tools like the Terraform AWS provider that can assume roles but don't prompt for an MFA token.