CLI for privileged actions on AWS member accounts
Project description
AWS Privileged Actions CLI (aws-priv-actions)
A command-line interface for performing privileged actions on AWS member accounts in an organization, when Centralized Root Management is enabled.
⚠️ Disclaimer
This software allows you to assume AWS IAM root privileges, which can have significant security and operational impacts if misused. Use with caution. The authors and contributors provide this software "as is", without warranty of any kind, express or implied. You are solely responsible for any actions taken using this tool.
Why?
As of the time of writing, there is no AWS API to fetch the list of available task policies. This is a workaround to allow you to perform privileged actions on AWS member accounts in an organization.
This was built as a simple tool to allow Operators to use the assume-root feature of AWS Centralized Root Management in critical situations requiring root access, without having to pore over AWS CLI documentation.
Installation
pip install aws-priv-actions
Prerequisites
- Python 3.8 or higher
- AWS CLI configured with appropriate credentials
- Required IAM permissions to perform privileged actions
Usage
List Available Task Policies
aws-priv-actions list-policies
Assume Root Privileges
aws-priv-actions assume-root <target-principal> <task-policy> [--duration-seconds SECONDS] [--region REGION] [--verbose]
- The --region flag is required for the assume-root command, as the AWS global STS endpoint is not supported for this operation. If not provided, you will be prompted interactively (default: us-east-1).
- The CLI always uses the correct regional STS endpoint (e.g., sts.us-east-1.amazonaws.com).
Example (with region flag):
aws-priv-actions assume-root arn:aws:iam::123456789012:root IAMAuditRootUserCredentials --region us-east-1 --verbose
Example (interactive region prompt):
aws-priv-actions assume-root arn:aws:iam::123456789012:root IAMAuditRootUserCredentials
Enter the AWS region to use for STS (must be a regional endpoint) [us-east-1]:
Available Task Policies
- IAMAuditRootUserCredentials: Audit root user credentials
- IAMCreateRootUserPassword: Create root user password
- IAMDeleteRootUserCredentials: Delete root user credentials
- S3UnlockBucketPolicy: Unlock S3 bucket policy
- SQSUnlockQueuePolicy: Unlock SQS queue policy
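As an added example (not the project's own code), a pre-flight check that validates the assume-root arguments described above and builds the sts:AssumeRoot request for a regional endpoint. The root-task policy ARN prefix, the 900-second cap and the function names are assumptions taken from AWS documentation rather than this page, and only the standard aws partition is handled.

```python
import re

# Task policy names exactly as listed on this page.
TASK_POLICIES = frozenset({
    "IAMAuditRootUserCredentials",
    "IAMCreateRootUserPassword",
    "IAMDeleteRootUserCredentials",
    "S3UnlockBucketPolicy",
    "SQSUnlockQueuePolicy",
})
# Assumptions (AWS documentation, not this page): ARN prefix and session cap.
POLICY_ARN_PREFIX = "arn:aws:iam::aws:policy/root-task/"
MAX_DURATION = 900
_PRINCIPAL = re.compile(r"^(?:arn:aws:iam::(\d{12}):root|(\d{12}))$")
_REGION = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")  # rejects "", "global", "aws-global"


def build_assume_root_request(target, policy, region, duration=MAX_DURATION):
    """Validate the CLI-style arguments; return (endpoint_url, params)."""
    m = _PRINCIPAL.match(target)
    if not m:
        raise ValueError("target must be a 12-digit account ID or its :root ARN")
    if policy not in TASK_POLICIES:
        raise ValueError(f"unknown task policy: {policy!r}")
    if not _REGION.match(region or ""):
        raise ValueError("a regional STS endpoint is required, e.g. us-east-1")
    if not 1 <= duration <= MAX_DURATION:
        raise ValueError(f"duration must be between 1 and {MAX_DURATION} seconds")
    params = {
        "TargetPrincipal": m.group(1) or m.group(2),  # normalised to account ID
        "TaskPolicyArn": {"arn": POLICY_ARN_PREFIX + policy},
        "DurationSeconds": duration,
    }
    return f"https://sts.{region}.amazonaws.com", params


def assume_root(target, policy, region, duration=MAX_DURATION):
    """Make the call against the regional endpoint; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the validation above runs without it
    endpoint, params = build_assume_root_request(target, policy, region, duration)
    sts = boto3.client("sts", region_name=region, endpoint_url=endpoint)
    return sts.assume_root(**params)["Credentials"]
```
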
Development
- Clone the repository
- Install UV (if not already installed):
  curl -LsSf https://astral.sh/uv/install.sh | sh
- Install development dependencies:
  uv pip install -e .
- Run tests:
  pytest
License
MIT License
File details
Details for the file aws_priv_actions-1.0.0.tar.gz.
File metadata
- Download URL: aws_priv_actions-1.0.0.tar.gz
- Upload date:
- Size: 11.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5d6f5a5ee0bbc0bd204c398e72e2d9ba5454171719843769ee554ce1b4040a55 |
| MD5 | ae4692fa04e04bcf88d16be30b9f05d2 |
| BLAKE2b-256 | bcb0df34c3c7a8afcb6d1d3d6dec768e0e9933641e2260adba3f79fad0e887ff |
Provenance
The following attestation bundles were made for aws_priv_actions-1.0.0.tar.gz:
Publisher: release.yml on clarkemn/aws-priv-actions
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: aws_priv_actions-1.0.0.tar.gz
  - Subject digest: 5d6f5a5ee0bbc0bd204c398e72e2d9ba5454171719843769ee554ce1b4040a55
  - Sigstore transparency entry: 251125852
  - Sigstore integration time:
  - Permalink: clarkemn/aws-priv-actions@5d269202c4b6401563b09839eeea5c529bb7c83c
  - Branch / Tag: refs/tags/v1.0.0
  - Owner: https://github.com/clarkemn
  - Access: private
  - Token Issuer: https://token.actions.githubusercontent.com
  - Runner Environment: github-hosted
  - Publication workflow: release.yml@5d269202c4b6401563b09839eeea5c529bb7c83c
  - Trigger Event: push
File details
Details for the file aws_priv_actions-1.0.0-py3-none-any.whl.
File metadata
- Download URL: aws_priv_actions-1.0.0-py3-none-any.whl
- Upload date:
- Size: 5.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 012bce7ac53850a3582b737138c2bdf184b2896c1fba40713df7255b5ac84f86 |
| MD5 | bd0849f534e5013d67ef84a7f42f5b60 |
| BLAKE2b-256 | bc7b9c9cb1c9a9eadc2d3fa42533a1198ac2be1c74f9fcb54bc9d1387348cd19 |
Provenance
The following attestation bundles were made for aws_priv_actions-1.0.0-py3-none-any.whl:
Publisher: release.yml on clarkemn/aws-priv-actions
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: aws_priv_actions-1.0.0-py3-none-any.whl
  - Subject digest: 012bce7ac53850a3582b737138c2bdf184b2896c1fba40713df7255b5ac84f86
  - Sigstore transparency entry: 251125859
  - Sigstore integration time:
  - Permalink: clarkemn/aws-priv-actions@5d269202c4b6401563b09839eeea5c529bb7c83c
  - Branch / Tag: refs/tags/v1.0.0
  - Owner: https://github.com/clarkemn
  - Access: private
  - Token Issuer: https://token.actions.githubusercontent.com
  - Runner Environment: github-hosted
  - Publication workflow: release.yml@5d269202c4b6401563b09839eeea5c529bb7c83c
  - Trigger Event: push