AWS credential_process utility to assume AWS IAM Roles with Yubikey Touch and Authenticator App TOPT MFA to provide temporary session credentials; With encrypted caching and support for automatic credential refresh.

🚧 🚧 🚧 Work-in-Progress 🚀 ⁉️ Publish Plan
Things may break without any prior notice at any given v0.x.x version: So do not use this for anything critical, but feel free to test this out and give feedback! After some testing, depending on the amount of bugs/issues/feedback, I'm hoping to release v1.0.0 during November 2021. No commitments though!

Vegas Credentials

Much like spending a week in Las Vegas at AWS re:Invent, using multiple AWS tools (SDKs, CLI, CDK, Terraform, etc) via command-line to assume IAM roles in different accounts with Multi-Factor Authentication can be an exhausting experience: vegas-credentials aims to simplify the credential process! And just like you shouldn't stay too long in Las Vegas at once, this tool only deals with temporary sesssion credentials.

Vegas Credentials is an utility with smooth user experience that plugs into AWS credential_process to assume IAM Roles with TOPT MFA (with optional Yubikey Touch support) to fetch, cache and refresh assumed temporary session credentials.


build Coverage Maintainability Rating Security Rating Vulnerabilities

Features Overview Get Started Yubikeys Configuration Examples Why? Design

Features

  • Plugs into AWS credential_process: If you're unfamiliar with AWS credential_process, this AWS re:Invent video explains it very well

  • Supports automatic temporary session credential refreshing for tools that understand session credential expiration

  • Supports Role Chaining

  • Works out-of-the-box with most tools such as AWS CLI, most AWS SDKs, AWS CDK, Terraform...

  • Encrypted Caching of session credentials to speed things up & to avoid having to input MFA token code for each operation

  • Supports both Yubikey Touch or Authenticator App TOPT MFA simultaneously:

    • For example you can default to using Yubikey, but if don't have the Yubikey with you all the time and also have MFA codes in an Authenticator App (such as Authy for example)
    • You may just touch the Yubikey or manually type the token code (via GUI Prompt Dialog or CLI stdin) – which ever input is given first will be used

  • Smooth Yubikey integration:

    • Just tap your physical key: No need to manually type or copy-paste MFA token code
    • Supports multiple Yubikey devices

  • Fast & Cross-Platform: Built with Go and supports macOS, Linux and Windows operating systems with x86_64 & arm64 (e.g. Apple M1) architectures


By design, this tool does not support:



Overview

diagram


Get Started

  1. Install vegas-credentials via one of the following:

    Homebrew (MacOS/Linux)
    • Requires brew-command
    • Install: 
      brew tap aripalo/tap
brew install vegas-credentials

# Verify installation
vegas-credentials --version

    Scoop (Windows)
    • Requires scoop-command
    • Install: 
      scoop bucket add aripalo https://github.com/aripalo/scoops.git
scoop install aripalo/vegas-credentials

# Verify installation
vegas-credentials --version

    NPM (MacOS/Linux/Windows)

    DOES NOT CURRENTLY WORK!

    • Requires node-command (v14+)
    • Install: 
      npm install -g vegas-credentials

# Verify installation
vegas-credentials --version


  2. Configure your source profile and its credentials, most often it's the default one which you configure into ~/.aws/credentials:

    # ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  3. Configure your source profile in config:

    # ~/.aws/config
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra

    Note: if your source profile is not default, remember to add profile as prefix (profile foo)

  4. Configure your target profile with credential_process into ~/.aws/config:

    # ~/.aws/config
[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile=default

# You may also provide any other additional standard AWS configuration, such as:
region = us-west-1
duration_seconds = 4383
role_session_name = SinatraAtTheSands
external_id = 0093624694724

    Note: role_arn & source_profile must be prefixed with vegas_ to prevent AWS tooling to ignore credential_process setting and to prevent Terraform failing.

  5. Use any AWS tooling that support ini-based configuration with credential_process, like AWS CLI v2:

    aws sts get-caller-identity --profile frank@concerts

Yubikeys

To use Yubikeys:

  1. You must have at least one Yubikey Touch device with OATH TOPT support (Yubikey 5 or 5C recommended).

  2. Install ykman CLI

  3. Set up Yubikey as Virtual MFA device in AWS IAM - Not U2F MFA!

  4. Think of backup strategy in case you lose your Yubikey device, you should do at least one of the following:

    • During Virtual MFA device setup also assign Authenticator App such as Authy for backup
    • If you own multiple Yubikey devices, during Virtual MFA device setup also configure the second Yubikey and once done, store it securely
    • Print the QR-code (and store & lock it very securely)
    • Save the QR-code or secret key in some secure & encrypted location

  5. When configuring your Yubikey, use arn:aws:iam:: :mfa/ (i.e. MFA device ARN) as the Yubikey OATH account label:

    ykman oath accounts add -t arn:aws:iam::<ACCOUNT_ID>:mfa/<IAM_USERNAME>

  6. Configure vegas_yubikey_serial into ~/.aws/config:

    # ~/.aws/config
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra
vegas_yubikey_serial = 12345678

    Optionally you may configure vegas_yubikey_label if you used something else than arn:aws:iam:: :mfa/ as the OATH account label (though not recommended).


Configuration

Configuration for the most part happens in ~/.aws/config ini-file, but there are some command-line flags and environment variables that you may want to use sometimes.

Source Profile Configuration

Option Description
mfa_serial Required: The ARN of the Virtual (OATH TOPT) MFA device used in Multi-Factor Authentication.
vegas_yubikey_serial Required if using Yubikey: Yubikey Device Serial to use. You can see the serial(s) with ykman list command. This enforces the use of a specific Yubikey and also enables the support for using multiple Yubikeys (for different profiles)!
vegas_yubikey_label Use only if you have any other value than the AWS MFA Device ARN as oath account label! Yubikey oath Account Label to use. You can see the available accounts with ykman oath accounts list command. Set the account label which you have configured your AWS TOPT MFA!

Example:

# ~/.aws/config
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra
vegas_yubikey_serial = 12345678

Target Profile Configuration

Option Description
credential_process Required: To enable this tool, set the value as vegas-credentials assume --profile . Value of my-profile must match the profile name in ini-section title, e.g. [profile my-profile].
vegas_role_arn Required: The target IAM Role ARN to be assumed.
vegas_source_profile Required: Which credentials (profile) are to be used as a source for assuming the target role.

Example:

# ~/.aws/config
[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile=default

# You may also provide any other additional standard AWS configuration, such as:
region = us-west-1
duration_seconds = 4383
role_session_name = SinatraAtTheSands
external_id = 0093624694724

Command-line Flags

Flag Description
--help Prints help text
--profile Required: Which AWS Profile to use from ~/.aws/config: Value (for example my-profile) must match the profile name in ini-section title, e.g. [profile my-profile]
--disable-dialog Disable GUI Dialog Prompt
--disable-mandatory-refresh Disable Session Credentials refreshing if expiration within 10 minutes (as defined in Botocore)
--hide-arns Hide IAM Role & MFA Serial ARNS from output (even on verbose mode)
--verbose Verbose output
--debug Prints out various debugging information
--no-color Disable colorful fancy output

Example:

vegas-credentials assume --profile=frank@concerts --verbose --no-color

... though you shouldn't really call this tool directly yourself, but instead configure it as credential_process in ~/.aws/config.

Environment Variables

Option Description
NO_COLOR Disable colorful fancy output, see also --no-color CLI flag
VEGAS_CREDENTIALS_NO_COLOR Disable color only for this tool (not for your whole environment )
TERM=dumb Another way to disable colorful fancy output

Examples

Using with AWS SDKs

Often times you may not want to define the profile within the application code, since the application code most often will be ran without profile in cloud. You may circumvent this by setting the profile via AWS_PROFILE environment variable. Most AWS SDKs should support this. Example with running a NodeJS based script (that does something with AWS SDK):

AWS_PROFILE=frank@concerts ts-node src/index.ts

By default, the SDK checks the AWS_PROFILE environment variable to determine which profile to use. If the AWS_PROFILE variable is not set in your environment, the SDK uses the credentials for the [default] profile. To use one of the alternate profiles, set or change the value of the AWS_PROFILE environment variable. For example, given the configuration file shown, to use the credentials from the work account, set the AWS_PROFILE environment variable to work-account (as appropriate for your operating system).

AWS SDK v3 docs

Role Chaining

This tool also supports role chaining - given that the specific AWS tool your using supports it - which means assuming an initial role and then using it to assume another role. An example with 3 different AWS accounts would look like:

role-chaining


Assuming correct IAM roles exists with valid permissions and trust policies:

  1. Assuming you have the following configuration already:

    # ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    # ~/.aws/config
[default]
aws_mfa_device = arn:aws:iam::111111111111:mfa/FrankSinatra

[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile=default

  2. Configure another role with standard role_arn and source_profile:

    # ~/.aws/config
[profile frank@movies]
role_arn=arn:aws:iam::333333333333:role/ActorRole # Important: NO prefix here!
source_profile=frank@concerts # Important: NO prefix here!

  3. Do some chaining:

    aws sts get-caller-identity --profile frank@movies

Terraform

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

# Again, nothing special here, just normal profile configuration…
provider "aws" {
  profile = "frank@concerts"
  region  = "eu-west-3"
}

data "aws_region" "current" {}

output "album_name" {
  value = "Sinatra & Sextet: Live in ${
    replace(
      regex("[a-zA-Z]+\\)$", data.aws_region.current.description),
      ")",
      ""
    )
  }"
}

Why yet another tool?

Reasons

There are already a bazillion ways to assume an IAM Role with MFA, but most existing open source tools in this scene either:

  • export the temporary session credentials to environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
  • write new sections for “short-term” credentials into ~/.aws/credentials (for example like aws-mfa does)

The downside with those approaches is that using most of these tools (especially the ones that export environment variables) means you lose the built-in ability to automatically refresh the temporary credentials and/or the temporary credentials are “cached” in some custom location or saved into ~/.aws/credentials.

This tool follows the concept that you should never put temporary credentials into ~/.aws/credentials and also provides a mechanism to automatically refresh session credentials (if the AWS tool you use supports that).

Most AWS provided tools & SDKs already support MFA & assuming a role out of the box, but what they lack is a nice integration with Yubikey Touch, requiring you to manually type in or copy-paste the MFA TOPT token code: This utility instead integrates with ykman Yubikey CLI so just a quick touch is enough!

Also with this tool, even if you use Yubikey Touch, you still get the possibility to input MFA TOPT token code manually from an Authenticator App (for example if you don't have your Yubikey on your person).

Then there's tools such as AWS CDK that does not support caching of assumed temporary credentials, requiring the user to input the MFA TOPT token code for every operation with cdk CLI – which makes the developer experience really cumbersome.

To recap, most existing solutions (I've seen so far) to these challenges either lack support for automatic temporary session credential refreshing, cache/write temporary session credentials to suboptimal locations and/or don't work that well with AWS tooling (i.e. requiring one to create “wrappers”):

This vegas-credentials is yet another tool, but it plugs into the standard credential_process AWS configuration so most of AWS tooling (CLI v2, SDKs and CDK) will work out-of-the-box with it and also support automatic temporary session credential refreshing.

Alternatives

There are many great existing solutions out there that solve similar problems and I've tried to learn from them as much as I can. This tool that I've built is definitely not better than for example 99designs/aws-vault in many scenarios as it has a lot more features, more contributors and been around some time. Instead the comparison below focuses on the specific use case this tool tries to solve (i.e. providing a nice UX for assuming a role with MFA using credential_process to support as many AWS tools as possible without having to use wrapper scripts).

Feature/Info aripalo/vegas-credentials 99designs/aws-vault broamski/aws-mfa meeuw/aws-credential-process
Github Stats GitHub Repo stars
GitHub last commit		 GitHub Repo stars
GitHub last commit		 GitHub Repo stars
GitHub last commit		 GitHub Repo stars
GitHub last commit
credential_process
with MFA + Assume Role		 [*2] [*4]
Automatic Temporary Session Credential Refresh [*3] [*5]
Yubikey [*1] [*1] [*6] [*10]
Cache Encryption [*7]
Cache Invalidation on config change ? [*8]
Cached Performance ⚡️
<100ms[*11]		 ⚡️
<50ms		 ⚡️
[*9]		 🐢
>400ms[*11]
Comprehensively Unit Tested ?
Installation methods brew, scoop, npm brew, port, choco, scoop, pacman, pkg, zypper, nix-env, asdf pip brew, pip

Please, correct me if I'm wrong above or there's any other good alternatives!

Notes

99designs/aws-vault

  1. Yubikey support in 99designs/aws-vault is not perfect:

    • Using multiple Yubikeys is cumbersome due to having to pass in Yubikey device serial as environment variable for each command – vs. this tool allows setting device serial via configuration per profile (no need to remember the serial for each Yubikey).
    • Uses deprecated ykman commands.
    • See also point 2 about credential_process, assumed roles and Yubikeys.

  2. Does not seem to play well with credential_process:

  3. This pretty much relates to point 1: For AWS tools to automatically request refreshed credentials, the credentials need to be provided via either the multiple standard methods or via credential_process.

broamski/aws-mfa

  1. Works differently by writing temporary session credentials into ~/.aws/credentials, so therefore no credential_process support at all.

  2. If temporary session credentials written into ~/.aws/credentials by broamski/aws-mfa are expired, AWS tools will fail and you must invoke aws-mfa command manually to fetch new session credentials. There is no (automatic) way for AWS tools to trigger aws-mfa command.

  3. You may use Yubikey, but it requires you to manually copy-paste the value from ykman or Yubikey Manager GUI. No "touch integration".

  4. Temporary session credentials are written in plaintext into ~/aws/credentials. Besides being available as plaintext, it pollutes the credentials file.

  5. Configuration is only provided via flags to aws-mfa CLI command, so each time you execute aws-mfa it will use the flags provided. But, the gotcha is that again you need to execute aws-mfa manually always.

  6. As temporary session credentials (or "short-term" as aws-mfa calls them) are stored as plaintext into ~/aws/credentials, there is no delay since AWS tools can directly read them from that file.

meeuw/aws-credential-process

  1. Does not support multiple Yubikey devices.

  2. Performance

    Hyperfine benchmark for retrieving cached temporary session credentials:

    perf


Design

Cache Mechanism

This tool caches temporary session credentials to disk. In the background it uses dgraph-io/badger which is a fast SSD-optimized key-value store for Go and importantly supports Time-to-Live attributes for data (useful for temporary session credential expiration).

The data is stored into the key-value store with AES-256-CTR encryption. The encryption secret is derived from the environment (system boot time, hostname and user UID). So this is not a 100% secure setup, but it's slightly “better” compared to what broamski/aws-mfa does or how AWS CLI caches to ~/.aws/cli/cache: At least it provides “security by obscurity” solution against rogue scripts that might try to steal your credentials. And then again, it's only caching temporary session credentials – which you should aim to keep short-lived!

Reason why it caches temporary session credentials in the first place is to create a better user experience with AWS tools that don't support temporary session credential caching with assumed roles.

By default, the cached data is invalidated if the environment changes (system boot time, hostname and user UID), but this is okay since this tool will then query STS for new temporary session credentials and add them to cache.

Also this tool invalidates cached credentials if their expiration time is within 10 minutes and retrieves new ones. This functionality matches to botocore. You may disable this with --disable-mandatory-refresh CLI flag.

Never touch ~/.aws/credentials

TODO

Never export credentials to environment

TODO

Owner
Ari Palo
Lead Technologist at Alma Media
Ari Palo
https://github.com/aripalo/vegas-credentials
Comments
  • Yubikey code not requested if password not configured

    Yubikey code not requested if password not configured

    Describe the bug When using a Yubikey OATH account that's not configured with a password, assume returns early and doesn't proceed to request a code from the key.

    System (please complete the following information): Tested on 0.12.6 and main

    To Reproduce Steps to reproduce the behavior:

    1. Setup a Yubikey, but do NOT run ykman oath access change to configure a password as the docs recommend
    2. Run assume with a correctly configured --profile

    Expected behavior Prompt appears and vegas-credentials requests an OATH code from the key, therefore after touching the key, a Yubikey TOTP code is input.

    Output Log ends in:

    DEBUG: 2022/05/09 17:01:42 setup.go:125 Yubikey: device is available
DEBUG: 2022/05/09 17:01:42 setup.go:132 Yubikey: OATH application is password protected

    Additional context Setting up a password, or building locally with yubikey.go#L91-L102 commented out fixes the issue.

    It seems like y.GetPassword() returns a non-nil error Key not found, hence terminating the Code function.

  • Rewrite & Documentation Website

    Rewrite & Documentation Website

    Rewritten code base:

    • Simplify
    • Better error handling
    • Improved Yubikey support via aripalo/ykmangoath with support for password protected OATH applications (fixes #12)
    • Better Yubikey state management via finite state machine implementation
    • Improved (Terminal) UX via aripalo/go-delightful
    • Log file with rotation
    • Version output (fixes #14)

    Documentation website

    • More clear structure
    • Implemented with docusaurus
  • Refactor

    Refactor

    • Use repository pattern for cache implementation
    • Unify cache implementation method names
    • Document packages & methods
    • Reorganize package structure
    • Lot or minor refactoring
  • fix: use new MutexControl

    fix: use new MutexControl

    Uses an actual file as the mutex, not directory.

    Implementation from next version of vegas-credentials, but introduced here to fix issues with existing users.

  • Support parallelism

    Support parallelism

    Tools such as Terraform (via parallelism=n – which defaults to 10) can invoke the vegas-credentials credential process concurrently, leading into problematic situations where multiple vegas-credentials processes are and/or:

    1. prompting the user for MFA
    2. accessing the filesystem cache which results into error as:

      Badger obtains a lock on the directories so multiple processes cannot open the same database at the same time

    To circumvent this, we use alexflint/go-filemutex to assign a lock to a specific lock-control directory at the beginning of the command and unlocking the directly once the main command (getCredentials function) has been executed.

  • Fix: Hide sensitive input

    Fix: Hide sensitive input

    Fixes #28 by using Go's golang.org/x/term package's ReadPassword method which is aimed for exactly these kind of purposes.

    The Yubikey OATH application password is hidden: vegas-input-password

    … but the OATH TOTP (MFA Token) input is still visible (if provided via CLI stdin): vegas-input-token

  • Using the flag --no-gui with a password protected YubiKey, the password is not masked in CLI

    Using the flag --no-gui with a password protected YubiKey, the password is not masked in CLI

    Describe the bug I run vegas-credentials with --no-gui and use a password protected yubikey It then asks me to type in my 🔑 Yubikey: Input OATH password:, but typing the password is not masked in the CLI.

    🔑 Yubikey: Input OATH password: 
my-super-secret-password

    System (please complete the following information):

    • OS: Linux
    • OS Version: Zorin OS 15.3 x86_64
    • Tool Version: 0.13.5
    • Tool Installation Method: brew
    • Credential Process invoked via: aws

    Expected behavior Password is either not printed to CLI, or letters are masked with a * or similar

    🔑 Yubikey: Input OATH password: 
***************
  • feat: resolve fallback value for role session name

    feat: resolve fallback value for role session name

    Fixes #22.

    During the refactor to use AWS Go SDK v2, the internal logic was used from using GetSessionToken operation to using AssumeRole operation.

    With AssumeRole operation, the RoleSessionName value is required, which causes a crash if none was provided.

    Change from GetSessionToken to AssumeRole was initially a mistake but after some consideration, it actually feels more valid since:

    1. AssumeRole operation respects Maximum session duration setting set for the given role.
    2. An account Root can't use AssumeRole (and really, one should not use root to perform operations with vegas credentials)

    See comparison of AssumeRole vs. GetSessionToken.

    When using AssumeRole, one MUST provide Role Session Name. This PR adds functionality where a fallback value is set if user has not provided a value via role_session_name property in shared configuration file.

    The fallback uses a logic where it tries to get one of the following values:

    1. User Full Name: e.g. John Doe
    2. User (System) Name: e.g. john
    3. System Hostname: e.g. work-laptop

    If none of them (in order) do not contain value with more than 2 characters, then OS & System Architecture is used (e.g. darwin_amd64).

    This way, there will always be some what meaningful session identifier assigned to AssumeRole operation.

  • feat: fix cache path resolving

    feat: fix cache path resolving

    Instead of our (buggy) self-implemented cross-platform cross-platform directory resolving, use Go os.UserCacheDir from Go Standard Library (which supports Win/Mac/Linux etc with also $XDG_CACHE_HOME support).

  • chore(deps): bump terser from 5.12.1 to 5.14.2 in /website

    chore(deps): bump terser from 5.12.1 to 5.14.2 in /website

    Bumps terser from 5.12.1 to 5.14.2.

    Changelog

    Sourced from terser's changelog.

    v5.14.2

    • Security fix for RegExps that should not be evaluated (regexp DDOS)
    • Source maps improvements (#1211)
    • Performance improvements in long property access evaluation (#1213)

    v5.14.1

    • keep_numbers option added to TypeScript defs (#1208)
    • Fixed parsing of nested template strings (#1204)

    v5.14.0

    • Switched to @​jridgewell/source-map for sourcemap generation (#1190, #1181)
    • Fixed source maps with non-terminated segments (#1106)
    • Enabled typescript types to be imported from the package (#1194)
    • Extra DOM props have been added (#1191)
    • Delete the AST while generating code, as a means to save RAM

    v5.13.1

    • Removed self-assignments (varname=varname) (closes #1081)
    • Separated inlining code (for inlining things into references, or removing IIFEs)
    • Allow multiple identifiers with the same name in var destructuring (eg var { a, a } = x) (#1176)

    v5.13.0

    • All calls to eval() were removed (#1171, #1184)
    • source-map was updated to 0.8.0-beta.0 (#1164)
    • NavigatorUAData was added to domprops to avoid property mangling (#1166)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

  • Missing RoleSessionName crashes

    Missing RoleSessionName crashes

    During the refactor to use AWS Go SDK v2, the internal logic was used from using GetSessionToken operation to using AssumeRole operation.

    With AssumeRole operation, the RoleSessionName value is required, which causes a crash if none was provided.

  • Terraform aws provider profile ignored in some cases

    Terraform aws provider profile ignored in some cases

    Describe the bug Different results with aws provider profile and AWS_PROFILE env variable

    System (please complete the following information):

    • OS: Linux
    • OS Version: 5.15.79.1
    • Tool Version: 0.14.4
    • Tool Installation Method: manual
    • Credential Process invoked via: terraform

    To Reproduce Steps to reproduce the behavior:

    1. Try to run terraform with aws provider profile variable set to "env-qa" (AWS_PROFILE env not set)
    2. Terraform will try to to apply to "env-prod" env actually
    3. run AWS_PROFILE=env-qa terraform apply
    4. Terraform will try to to apply to "env-qa" env

    Expected behavior As I understand it should work in the same way

    Additional context terraform config:

    variable "aws_profile" { default = "env-qa" }

    terraform { required_version = ">= 1.2.3" required_providers { aws = { source = "hashicorp/aws" version = "4.23.0" } } backend "s3" { profile = "env-prod" encrypt = true dynamodb_table = "terraform-lock" bucket = "env-terraform" key = "infra/main.tf" region = "eu-north-1" } }

    provider "aws" { profile = var.aws_profile default_tags { tags = { Service = "Charge4Go" Environment = local.env Owner = "terraform" } } }

  • docs: explain how to use multiple MFA virtual devices for same account

    docs: explain how to use multiple MFA virtual devices for same account

    Explains how to set up multiple "credential profiles" and "role profiles" to be able to use both Google Authenticator and Yubikey to provide TOTP for the same AWS account assuming the same target role.

    Fixes aripalo/vegas-credentials#38

  • Docs: Explain how to use multiple virtual MFA devices for same account

    Docs: Explain how to use multiple virtual MFA devices for same account

    The documentation should be clearer on how to use multiple virtual MFA devices since AWS supports them. One use case for example could be using both Google Authenticator and Yubikey.

  • Docs: clarify configuration properties placement requirements

    Docs: clarify configuration properties placement requirements

    Describe the bug Documentation could state that certain properties can be defined only in the source profile. These are:

    • vegas_yubikey_serial,
    • vegas_yubikey_label,
    • and most likely mfa_serial

    It makes technically kind of sense to define these properties only once in the source profile as there may be only a single MFA in AWS at the moment. However first time users need not understand how this AWS limitation affects configuration (eg. they may think sections are merged).

    System (please complete the following information):

    • OS: Linux
    • OS Version: N/A
    • Tool Version: e57a6009bc6abf91dac3c4d57a6e0842887554d1
    • Tool Installation Method: self-compiled
    • Credential Process invoked via: directly (debugging)

    To Reproduce $HOME/.aws.config where vegas_yubikey_serial and vegas_yubikey_label are not found:

    [profile work]
region = eu-central-1
mfa_serial = arn:aws:iam::431378790335:mfa/radek.dvorak
output = json

[profile sandbox]
credential_process = /home/radek/bin/vegas-credentials assume --profile=sandbox
vegas_source_profile = work
vegas_role_arn = arn:aws:iam::186583659222:role/Some-Role
vegas_yubikey_serial= 1234567
vegas_yubikey_label = aws/iam/431378790335:radek.dvorak

    Expected behavior Documentation states which properties are recognized in which ini section.

  • AWS_PROFILE & language SDK compatibility?

    AWS_PROFILE & language SDK compatibility?

    Since profiles are configured to aws/.config and not in aws/.credentials, do scripts and language SDKs (go, java etc.) that rely on AWS_PROFILE environment variable work with this? throwing --profile foo to every single aws-cli and other tool command is tedious and prone to break in CI

Related tags
Public API Wrappers aws yubikey amazon-web-services mfa credential-provider multifactor-authentication ykman credential-helper credential-process
Assume-shell - A tool to create a shell with AWS environment credentials set

assume-shell This tool will request AWS credentials for a given profile/role and

Sep 29, 2022
Assumes roles in AWS that have useful role session tags
 Assumes roles in AWS that have useful role session tags

ghaoidc Assumes roles in AWS that have useful role session tags GitHub Actions has (almost) launched OpenID Connect federation. This means you can ass

Jul 21, 2022
csg ("Credential Storage with Go") - a tool to organize the storage of credentials found during a CTF or Pentest.
 csg (

csg csg ("Credential Storage with Go") - a tool to organize the storage of credentials found during a CTF or Pentest. Check out my blog on csg for mor

Dec 9, 2021
It is a package and command line application that provides you to store encrypted credentials/secrets in your repository.

sypher[ ⚠️ Work in progress] sypher provides you to store your credentials and secrets as encrypted in your repository. Usage Install the command line

Feb 23, 2022
Aws-console-plugin - The current HashiCorp Vault AWS Secret Engine currently supports the creation of short lived API keys using the IAM User

aws-console-plugin Background The current HashiCorp Vault AWS Secret Engine curr

Feb 7, 2022
aws credential solution by Golang
 aws credential solution by Golang

goCred Aws credential solution by Golang (Works on Linux, Arm, and Windows) v0.3 Detection of unauthorized access Locks access in case of repeated una

Oct 23, 2021
⚛️ aws credential setup tool ⚛️

awscreds What is awscreds? awscreds is CLI tool to setup aws credentials with MFA device. Requirement go 1.17.x or earlier Installation go install git

Dec 9, 2021
🔗 Generate a temporary login URL for the AWS Console

AWS Console ?? Generate a temporary login URL for the AWS Console Installation Prebuilt binaries for several architectures can be found attached to an

Dec 20, 2022
Automatically roll your AWS IAM access key (aws_access_key_id) and secret key (aws_secret_access_key).

roll-it Keep your AWS Credentials fresh ?? on Windows, Mac, Linux (arm or x86)! What it Does Programmatically rotate your AWS IAM access keys and secr

Jan 6, 2023
lightweight, self-service AWS IAM management
 lightweight, self-service AWS IAM management

Contents Overview Architecture Prerequisites Workflow What groups exist? Who do I ask for access? What groups am I in? How do I add group members? How

Jan 16, 2022
Self-service account creation and credential reset for FreeIPA
 Self-service account creation and credential reset for FreeIPA

Auri Auri stands for: Automated User Registration IPA Auri implements self service account creation and reset of credentials for FreeIPA Features Requ

Dec 21, 2022
starenv allows populating environmental variables from variety of sources, such as AWS Parameter Store, GPG encrypted files and more, with extreme ease.

starenv (*env) allows populating environmental variables from variety of sources, such as AWS Parameter Store, GPG encrypted files and more, with extr

Nov 25, 2022
Send IAM-signed requests to AppSync and API Gateway

golang-iam-requests Provides helpers to send IAM-signed requests to AWS AppSync and AWS API Gateway services Generates a v4 sign using IAM credentials

Apr 21, 2022
A Pulumi multi language component to create an IAM role for an EKS cluster

xyz Pulumi Component Provider (Go) This repo is a boilerplate showing how to create a Pulumi component provider written in Go. You can search-replace

Oct 27, 2021
No need for IAM users when we have Yubikeys

cloudkey As far as I can tell, the only justification for AWS IAM users that I hear nowadays is for usage on non-interactive systems outside of AWS, e

Dec 5, 2022
Easily manage your github credentials
 Easily manage your github credentials

HUB ADMIN Hub Admin is a command-line tool managing your github credentials Installation go get github.com/crewdevio/HubAdmin How to use Open he

Oct 20, 2021
Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert
 Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert

DeepAlert DeepAlert is a serverless framework for automatic response of security alert. Overview DeepAlert receives a security alert that is event of

Jan 3, 2023
Keygen SDK for Go. Integrate license activation and automatic updates for Go binaries.

Keygen Go SDK Package keygen allows Go programs to license and remotely update themselves using the keygen.sh service. Usage keygen.Validate(fingerpri

Dec 18, 2022
📼 Automatic Twitch Recorder

?? rekōdā - Automatic Twitch Recorder Rekōdā, レコダ - means Recorder in Japanese Is a CLI tool inspired by streamlink but with more capabilities. Mainly

Dec 7, 2022