
Project description

bastion

Description

bastion extends the awscli's default IAM-role behavior by caching STS credentials for up to 12 hours, so IAM roles can be used through the bastion account without re-entering the MFA code for every command.

Install

$ git clone https://github.com/aidanmelen/awscli_bastion --branch dev0.1.0
$ pip install awscli_bastion/

Configure

~/.aws/cli/alias:

[toplevel]

bastion =
    !f() {
        bastion
    }; f

~/.aws/credentials:

# (required) aws bastion profiles

# these are fake credentials
[bastion]
aws_access_key_id = ASIA554SXDVIHKO5ACW2
aws_secret_access_key = VLJQKLEqs37HCDG4HgSDrxl1vLNrk9Is8gm0VNfA

[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/aidan-melen
credential_process = aws bastion
source_profile = bastion


# (optional) aws assume role profiles

[dev]
role_arn = arn:aws:iam::234567890123:role/admin
source_profile = bastion-sts

[stage]
role_arn = arn:aws:iam::345678901234:role/poweruser
source_profile = bastion-sts

[prod]
role_arn = arn:aws:iam::456789012345:role/spectator
source_profile = bastion-sts

~/.aws/config:

[default]
region = us-west-2
output = json

Usage

Run awscli commands as usual; the credential_process prompts for the bastion MFA code when the cached STS credentials are missing or expired and reuses them otherwise:

$ aws sts get-caller-identity --profile dev
{
    "UserId": "AROAICXOEQ536RVKSK7LW:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::234567890123:assumed-role/admin/botocore-session-1234567890"
}

$ aws sts get-caller-identity --profile stage
{
    "UserId": "ASIA554SWZVIOJNP7FPTS:botocore-session-2345678901",
    "Account": "345678901234",
    "Arn": "arn:aws:sts::345678901234:assumed-role/poweruser/botocore-session-2345678901"
}

$ aws sts get-caller-identity --profile prod
{
    "UserId": "ASIA554BTZVILOXNQR5CD:botocore-session-3456789012",
    "Account": "456789012345",
    "Arn": "arn:aws:sts::456789012345:assumed-role/spectator/botocore-session-3456789012"
}
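What the credential_process entry in ~/.aws/credentials expects from the bastion command, shown as an added example rather than the project's own code: a minimal Python credential_process that calls GetSessionToken with the MFA code and caches the result until it expires, so the code is only asked for when the cache is stale. The cache path, the BASTION_MFA_SERIAL environment variable and the 12-hour duration are assumptions of this example.

```python
import json
import os
from datetime import datetime, timezone

CACHE_PATH = os.path.expanduser("~/.aws/cli/cache/bastion-sts.json")  # assumed location
DURATION_SECONDS = 12 * 3600  # matches the README's "up to 12 hours"


def is_fresh(cached, now=None, margin=300):
    """True when cached credentials expire more than `margin` seconds after `now`."""
    if not cached or "Expiration" not in cached:
        return False
    now = now or datetime.now(timezone.utc)
    exp = datetime.fromisoformat(cached["Expiration"].replace("Z", "+00:00"))
    return (exp - now).total_seconds() > margin


def to_credential_process(creds):
    # The JSON shape awscli reads from a credential_process (Version must be 1).
    keys = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    return {"Version": 1, **{k: creds[k] for k in keys}}


def load_cache(path):
    try:
        with open(path) as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def save_cache(path, creds):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    # 0600: the cached session token is a bearer credential, keep it owner-readable only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(creds, f)


def main():
    import boto3  # only needed for the live STS call
    cached = load_cache(CACHE_PATH)
    if not is_fresh(cached):
        serial = os.environ["BASTION_MFA_SERIAL"]  # assumed; the real tool reads the profile
        code = input("MFA code: ")
        sts = boto3.Session(profile_name="bastion").client("sts")
        c = sts.get_session_token(DurationSeconds=DURATION_SECONDS,
                                  SerialNumber=serial, TokenCode=code)["Credentials"]
        cached = {k: c[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")}
        cached["Expiration"] = c["Expiration"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        save_cache(CACHE_PATH, cached)
    print(json.dumps(to_credential_process(cached)))


if __name__ == "__main__":
    main()
```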
