Multi-account/Multi-Role AWS cli configuration (with MFA support)
Project description
This tool helps to configure the .aws/config and .aws/credentials for multi-account and multi-role AWS environments
in which identities (IAM users) are deployed in a centralized account. IAM Roles are used to log into the accounts
of an AWS organization.
How to install aws-cli-config
The tool can be installed issuing the following command:
pip install aws-cli-config
If the installation is successful, an configuration file is created in the user home folder. On unix-like systems, this
file can be found under /Users/<my-username>/.aws-cli-config
How to configure aws-cli-config
As mentioned in the previous paragraph, file named .aws-cli-config is automatically created in the user home folder.
This file can be personalized to contain an unlimited number of AWS organizations, AWS accounts, and IAM roles. Herewith
is presented a short example with 2 AWS organizations:
- Organization-1 has 2 accounts (Account A and Account B) with 3 IAM roles each
- Organization-2 has 1 account (Account A) with 3 IAM roles
profiles:
# Organizations / Groups
org1:
# The following profiles must be already present in the .aws/config file
profile_default: org1-default
profile_mfa: org1-mfa-enabled-profile
# List of accounts in the organization 1
accounts:
# ---------------------------------------------------------
# The following are roles deployed in the Account A (org 1)
# ---------------------------------------------------------
- profile_prefix: org1-account-A
account_source: org1-mfa-enabled-profile
account_id: 000000000000
account_roles:
role_1: org1-aws-iam-role-1
role_2: org1-aws-iam-role-2
role_n: org1-aws-iam-role-n
# -------------------------------------------------
# The following are roles deployed in the Account B (org 1)
# -------------------------------------------------
- profile_prefix: org1-account-B
account_source: org1-mfa-enabled-profile
account_id: 000000000000
account_roles:
role_1: org1-aws-iam-role-1
role_2: org1-aws-iam-role-2
role_n: org1-aws-iam-role-n
org2:
# The following profiles must be already present in the .aws/config file
profile_default: org2-default
profile_mfa: org2-mfa-enabled-profile
# List of accounts in the organization 2
accounts:
# ---------------------------------------------
- profile_prefix: org2-account-A
account_source: org2-mfa-enabled-profile
account_id: 000000000000
account_roles:
role_1: org2-aws-iam-role-1
role_2: org2-aws-iam-role-2
role_n: org2-aws-iam-role-n
Given the above configuration file, the .aws/credentials file must contain the following entries:
[org1-default]
aws_access_key_id = <REDACTED>
aws_secret_access_key = <REDACTED>
region = eu-west-1
output = json
[org1-mfa-enabled-profile]
aws_arn_mfa = <REDACTED>
[org2-default]
aws_access_key_id = <REDACTED>
aws_secret_access_key = <REDACTED>
region = eu-west-1
output = json
[org2-mfa-enabled-profile]
aws_arn_mfa = <REDACTED>
The REDACTED values must be retrieved from the AWS account into which the IAM Users are provisioned, and from where the STS Assume Role operation is executed.
How to use aws-cli-config
Assume the configured roles using MFA
aws-cli-config <org> <mfa-token>
Listing all the available roles (and their alias)
aws-cli-config -l <org>
org1-account-A (000000000000)
[1] org1-account-A_role_1 (org1-aws-iam-role-1)
[2] org1-account-A_role_2 (org1-aws-iam-role-2)
[3] org1-account-A_role_n (org1-aws-iam-role-n)
org1-account-B (000000000000)
[1] org1-account-B_role_1 (org1-aws-iam-role-1)
[2] org1-account-B_role_2 (org1-aws-iam-role-2)
[3] org1-account-B_role_n (org1-aws-iam-role-n)
org2-account-A (000000000000)
[1] org2-account-A_role_1 (org2-aws-iam-role-1)
[2] org2-account-A_role_2 (org2-aws-iam-role-2)
[3] org2-account-A_role_n (org2-aws-iam-role-n)
Exporting a profile to the environment
Once Assume Role with MFA operation is completed the .aws/credentials and .aws/config files are updated with the
newly generated temporary credentials. You can test if the credentials are correctly loaded with the following command:
export AWS_PROFILE=org1-account-A_role_1
aws s3 ls
A list of S3 buckets in the Account A (Org1) will be listed (assuming that role_1 has sufficient privileges).
Supported arguments
usage: aws-cli-config [-h] [-l] [--aws-cli-config-filepath AWS_CLI_CONFIG_FILEPATH] [--max-role-duration MAX_ROLE_DURATION] [-v] [profile] [mfa]
positional arguments:
profile the name of the AWS parent profile / name of the AWS Organization group
mfa the MFA code generated with an external hardware/virtual device
optional arguments:
-h, --help show this help message and exit
-l, --list list accounts and roles for an organization/profile
--aws-cli-config-filepath AWS_CLI_CONFIG_FILEPATH
filepath of the YML config file containing the multi-account/multi-role structure
--max-role-duration MAX_ROLE_DURATION
the duration (in seconds) of the AWS IAM role session
-v, --verbose verbose mode
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws_cli_config-1.3.2-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 5de11a39a21ced446bc5a12f92f2ecd754f19b89ad444e57f30cb266dca0edf3 |
|
| MD5 | b8771aff9743c12f16335ae4cb8ff81b |
|
| BLAKE2b-256 | 263430183ba39b225d7895d35e36e54548594d8f2a4e78b7ac55b171bcfd94fc |
