Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.rst

AWS Role Credentials

https://snap-ci.com/ThoughtWorksInc/aws_role_credentials/branch/master/build_image

Generates AWS credentials for roles using STS and writes them to `~/.aws/credentials`

Usage

Simply pipe a SAML assertion into awssaml

# create credentials from saml assertion
$ oktaauth -u jobloggs | aws_role_credentials saml --profile dev

Or for assuming a known role name:

# create credentials from saml assertion using a known role ARN
$ oktaauth -u jobloggs | aws_role_credentials saml --profile dev --role-arn arn:aws:iam::098765432109:role/ReadOnly

Or for assuming a role using an IAM user:

# create credentials from an iam user
$ aws_role_credentials user \
  arn:aws:iam::111111:role/dev jobloggs-session \
  --profile dev

For roles that require MFA:

# create credentials from an iam user with mfa
$ aws_role_credentials user \
  arn:aws:iam::111111:role/dev jobloggs-session \
  --profile dev \
  --mfa-serial-number arn:aws:iam::111111:mfa/Jo \
  --mfa-token 102345

Transient mode

`aws_role_credentials` also supports 'transient' mode where the credentials are passed to a command as environment variables within the process. This adds an extra layer of safety and convinience.

To use transient mode simply pass a command to the `--exec` option like so:

# run 'aws s3 ls' with the generated role credentials from an iam user
$ aws_role_credentials user \
  arn:aws:iam::111111:role/dev jobloggs-session \
  --exec 'aws s3 ls'

Options

--profile Use a specific profile in your credential file (e.g. Development). Defaults to sts.
--region The region to use. Overrides config/env settings. Defaults to us-east-1.
--role-arn Optional role ARN to use when multiple roles are available.
--exec The command to execute with the AWS credentials

Thanks

Thanks to Quint Van Deman of AWS for demonstrating how to do this. https://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI-Access-Using-SAML-2-0-and-AD-FS

Authors

  • Peter Gillard-Moss

About

Generates AWS credentials for roles using STS

Resources

License

Releases

No releases published

Contributors 4

  •  
  •  
  •  
  •  
You can’t perform that action at this time.