bastion
Description
bastion extends the awscli's default behavior for using an IAM role by caching STS credentials for up to 12 hours. This lets us securely use IAM roles with the awscli through the bastion account without re-entering the MFA code.
Install
```
$ git clone https://github.com/aidanmelen/awscli_bastion --branch dev0.1.0
$ pip install awscli_bastion/
```
Configure
~/.aws/cli/alias:
```
[toplevel]
bastion =
    !f() {
        bastion
    }; f
```
~/.aws/credentials:
```
# (required) aws bastion profiles
[bastion] # these are fake credentials
aws_access_key_id = ASIA554SXDVIHKO5ACW2
aws_secret_access_key = VLJQKLEqs37HCDG4HgSDrxl1vLNrk9Is8gm0VNfA

[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = aws bastion
source_profile = bastion

# (optional) aws assume role profiles
[dev]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[stage]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts

[prod]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts
```
~/.aws/config:
```
[default]
region = us-west-2
output = json
```
Usage
Run awscli commands normally and the credential_process will handle the bastion MFA:
```
$ aws sts get-caller-identity --profile dev
{
    "UserId": "AROAICXOEQ536RVKSK7LW:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}
$ aws sts get-caller-identity --profile stage
{
    "UserId": "ASIA554SWZVIOJNP7FPTS:botocore-session-2345678901",
    "Account": "345678901234",
    "Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}
$ aws sts get-caller-identity --profile prod
{
    "UserId": "ASIA554BTZVILOXNQR5CD:botocore-session-3456789012",
    "Account": "456789012345",
    "Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}
```
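How a credential_process helper of this kind can cache MFA-backed STS credentials, as an added example that is not awscli_bastion's own code. The cache path, function names and 5-minute refresh margin are assumptions; the JSON keys are the ones the AWS CLI expects from a credential_process.

```python
import json, os, tempfile
from datetime import datetime, timedelta, timezone

CACHE = os.path.expanduser("~/.aws/cli/cache/bastion-sts.json")  # assumed path
SKEW = timedelta(minutes=5)  # assumed margin: refresh shortly before expiry
KEYS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

def load_cached(path, now):
    """Return cached credentials if present and not near expiry, else None."""
    try:
        with open(path) as fh:
            creds = json.load(fh)
        # Python < 3.11 fromisoformat() rejects a trailing "Z"
        expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
        return creds if expiry - SKEW > now else None
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return None  # missing or corrupt cache is treated as a miss

def store(path, creds):
    """Write the cache atomically; mkstemp() creates the file with mode 0600."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.replace(tmp, path)

def get_credentials(fetch, path=CACHE, now=None):
    """fetch() makes the MFA-backed STS call; it runs only on a cache miss."""
    now = now or datetime.now(timezone.utc)
    creds = load_cached(path, now)
    if creds is None:
        fresh = fetch()
        creds = {"Version": 1, **{k: fresh[k] for k in KEYS}}
        store(path, creds)
    return creds  # a credential_process prints json.dumps(creds) on stdout

def sts_fetch(profile, mfa_serial, token_code):
    """Real fetcher: 12-hour session token from the long-lived bastion keys."""
    import boto3  # lazy import so the cache logic runs without boto3
    sts = boto3.Session(profile_name=profile).client("sts")
    c = sts.get_session_token(DurationSeconds=43200, SerialNumber=mfa_serial,
                              TokenCode=token_code)["Credentials"]
    c["Expiration"] = c["Expiration"].isoformat()  # boto3 returns a datetime
    return c
```

Because the AWS CLI parses the helper's stdout as JSON, any MFA prompt has to be written to stderr or the terminal, never stdout.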