Skip to content

AWS credential_process utility to assume AWS IAM Roles with Yubikey Touch and Authenticator App TOTP MFA to provide temporary session credentials; With encrypted caching and support for automatic credential refresh.

License

Notifications You must be signed in to change notification settings

aripalo/vegas-credentials

Repository files navigation

🚧 Work-in-Progress 🚀 ⁉️ Publish Plan
Since version v0.13.x this tool is considered "mostly stable": Breaking changes may occur if really needed but not arbitrarily. I'm hoping to release v1.0.0 during H2/2022. No commitments though!

Vegas Credentials

Much like spending a week in Las Vegas at AWS re:Invent, using multiple AWS tools (SDKs, CLI, CDK, Terraform, etc) via command-line to assume IAM roles in different accounts with Multi-Factor Authentication can be an exhausting experience: vegas-credentials aims to simplify the credential process! And just like you shouldn't stay too long in Las Vegas at once, this tool only deals with temporary sesssion credentials.

Vegas Credentials is an utility with smooth user experience that plugs into AWS credential_process to assume IAM Roles with TOTP MFA (with optional Yubikey Touch support) to fetch, cache and refresh assumed temporary session credentials.


build Coverage Maintainability Rating Security Rating Vulnerabilities



Docs

For guides, examples and full documentation, go to https://credentials.vegas.


Install

Via Homebrew on MacOS, GNU/Linux and Windows Subsystem for Linux (WSL):

brew install aripalo/tap/vegas-credentials

Via Scoop on Windows:

scoop bucket add aripalo https://github.com/aripalo/scoops.git && scoop install vegas-credentials

Configure

  1. Configure your source profile and its credentials, most often it's the default one which you configure into ~/.aws/credentials:

    # ~/.aws/credentials
    [default]
    aws_access_key_id = AKIAIOSFODNN7EXAMPLE
    aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  2. Configure your source profile in config:

    # ~/.aws/config
    [default]
    mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra

    Note: if your source profile is not default, remember to add profile as prefix (profile foo)

  3. Configure your target profile with credential_process into ~/.aws/config:

    # ~/.aws/config
    [profile frank@concerts]
    credential_process = vegas-credentials assume --profile=frank@concerts
    vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
    vegas_source_profile=default
    
    # You may also provide any other additional standard AWS configuration, such as:
    region = us-west-1
    duration_seconds = 4383
    role_session_name = SinatraAtTheSands
    external_id = 0093624694724

    Note: role_arn & source_profile must be prefixed with vegas_ to prevent AWS tooling to ignore credential_process setting and to prevent Terraform failing.

  4. Use any AWS tooling that support ini-based configuration with credential_process, like AWS CLI v2:

    aws sts get-caller-identity --profile frank@concerts

About

AWS credential_process utility to assume AWS IAM Roles with Yubikey Touch and Authenticator App TOTP MFA to provide temporary session credentials; With encrypted caching and support for automatic credential refresh.

Topics

Resources

License

Stars

Watchers

Forks

Contributors 4

  •  
  •  
  •  
  •