🚧 Work-in-Progress | 🚀 |
---|---|
Since version v0.13.x this tool is considered "mostly stable": Breaking changes may occur if really needed but not arbitrarily. |
I'm hoping to release v1.0.0 during H2/2022. No commitments though! |
Much like spending a week in Las Vegas at AWS re:Invent, using multiple AWS tools (SDKs, CLI, CDK, Terraform, etc.) via command-line to assume IAM roles in different accounts with Multi-Factor Authentication can be an exhausting experience: `vegas-credentials` aims to simplify the credential process! And just like you shouldn't stay too long in Las Vegas at once, this tool only deals with temporary session credentials.
Vegas Credentials is a utility with a smooth user experience that plugs into AWS `credential_process` to assume IAM roles with TOTP MFA (with optional Yubikey Touch support) and to fetch, cache and refresh the assumed temporary session credentials.
For guides, examples and full documentation, go to https://credentials.vegas.
Via Homebrew on macOS, GNU/Linux and Windows Subsystem for Linux (WSL):

```shell
brew install aripalo/tap/vegas-credentials
```

Via Scoop on Windows:

```shell
scoop bucket add aripalo https://github.com/aripalo/scoops.git && scoop install vegas-credentials
```
- Configure your source profile and its credentials. Most often it's the `default` one, which you configure in `~/.aws/credentials`:

  ```ini
  # ~/.aws/credentials
  [default]
  aws_access_key_id = AKIAIOSFODNN7EXAMPLE
  aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  ```

- Configure your source profile in config:

  ```ini
  # ~/.aws/config
  [default]
  mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra
  ```

  Note: if your source profile is not `default`, remember to add `profile` as prefix (`profile foo`).

- Configure your target profile with `credential_process` in `~/.aws/config`:

  ```ini
  # ~/.aws/config
  [profile frank@concerts]
  credential_process = vegas-credentials assume --profile=frank@concerts
  vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
  vegas_source_profile=default

  # You may also provide any other additional standard AWS configuration, such as:
  region = us-west-1
  duration_seconds = 4383
  role_session_name = SinatraAtTheSands
  external_id = 0093624694724
  ```

  Note: `role_arn` & `source_profile` must be prefixed with `vegas_` to prevent AWS tooling from ignoring the `credential_process` setting and to prevent Terraform from failing.

- Use any AWS tooling that supports ini-based configuration with `credential_process`, like AWS CLI v2:

  ```shell
  aws sts get-caller-identity --profile frank@concerts
  ```
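
A small lint for the configuration steps above, as an added example (not part of vegas-credentials or its README): it parses `~/.aws/config` text and reports profiles that use unprefixed `role_arn`/`source_profile`, lack the `vegas_` keys, or point at a source profile without `mfa_serial`. The function names and the sample config (including the `broken` profile) are constructed for illustration, and flagging a `--profile` value that differs from its section name is an assumption drawn from the README's example.

```python
import configparser
import shlex

# Constructed sample config: "broken" uses unprefixed keys and a mismatched --profile.
SAMPLE_CONFIG = """
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra

[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn = arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile = default

[profile broken]
credential_process = vegas-credentials assume --profile=frank@concerts
role_arn = arn:aws:iam::222222222222:role/SingerRole
source_profile = default
"""

def section_for(profile):
    # In ~/.aws/config only the default profile omits the "profile " prefix.
    return "default" if profile == "default" else f"profile {profile}"

def lint(config_text):
    """Return (profile, problem) pairs for vegas-credentials profiles."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings = []
    for section in cfg.sections():
        argv = shlex.split(cfg[section].get("credential_process", ""))
        if argv[:2] != ["vegas-credentials", "assume"]:
            continue  # not a profile handled by this tool
        name = section[len("profile "):] if section.startswith("profile ") else section
        # Accept both "--profile=x" and "--profile x" spellings.
        flags = " ".join(argv).replace("--profile ", "--profile=").split()
        if f"--profile={name}" not in flags:
            findings.append((name, "--profile does not match section name"))
        for key in ("role_arn", "source_profile"):
            if cfg.has_option(section, key):
                findings.append((name, f"{key} must be written as vegas_{key}"))
            elif not cfg.has_option(section, f"vegas_{key}"):
                findings.append((name, f"vegas_{key} is missing"))
        source = cfg[section].get("vegas_source_profile")
        if source and not cfg.has_option(section_for(source), "mfa_serial"):
            findings.append((name, f"source profile {source!r} is missing or has no mfa_serial"))
    return findings

if __name__ == "__main__":
    for profile, problem in lint(SAMPLE_CONFIG):
        print(f"{profile}: {problem}")
```

To check a real file, pass its contents to `lint()`, for example `lint(open(os.path.expanduser("~/.aws/config")).read())`.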