Assume-shell - A tool to create a shell with AWS environment credentials set

assume-shell

This tool will request AWS credentials for a given profile/role and start a new shell with them in the environment.

Installation

If you have a working Go >=1.17 environment:

$ go install github.com/comebackoneyear/assume-shell/cmd/assume-shell@latest

If you have a working Go <1.17 environment:

$ go get -u github.com/comebackoneyear/assume-shell/cmd/assume-shell

Configuration

Set up a profile for each role you would like to assume in ~/.aws/config.

For example:

~/.aws/config:

[profile work]
region = eu-north-1

[profile stage]
# Stage AWS Account.
region = eu-west-1
role_arn = arn:aws:iam::00000001234:role/Admin
source_profile = work
duration_seconds = 43200

[profile prod]
# Production AWS Account.
region = us-east-1
role_arn = arn:aws:iam::00000005678:role/Deploy
source_profile = work
duration_seconds = 43200

~/.aws/credentials:

[work]
aws_access_key_id = <AWS_ACCESS_KEY_ID>
aws_secret_access_key = <AWS_SECRET_ACCESS_KEY>

Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

In this example, we have three AWS Account profiles:

  • work
  • stage
  • prod

Each member of the org has their own IAM user and access/secret key for the work AWS Account. The keys are stored in the ~/.aws/credentials file.

The stage and prod AWS Accounts have IAM roles named Admin and Deploy. The assume-shell tool helps a user authenticate (using their keys) and then assume the privilege of the role, even across AWS accounts! The assumed shell will be valid for duration_seconds (default 900 seconds); it cannot be greater than the role allows.

Usage

Start a new shell with the role stage:

$ assume-shell stage
Exported assumed role credentials for profile stage, expires in 11 hours 59 minutes
$

The assume-shell tool sets the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables and then executes $SHELL. In addition, the ASSUMED_PROFILE variable is set to whatever profile was assumed, and ASSUMED_PROFILE_EXPIRES is set to the Unix timestamp at which the credentials will expire, which is useful if you want to implement something in your shell to detect when that happens.
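One way to act on ASSUMED_PROFILE_EXPIRES from inside the assumed shell, as an added example that is not part of assume-shell itself. The function names are hypothetical, and the only inputs assumed are the environment variables named above.

```bash
# Added example, not part of assume-shell. Function names are hypothetical.
# Relies only on the variables the README says assume-shell exports.

# Print "<profile>:<H>h<MM>m" while the credentials are valid,
# "<profile>:EXPIRED" once they are not, "<profile>:UNKNOWN" if the expiry
# is missing or not a number, and nothing when no profile is assumed.
# Optional $1 overrides "now" (epoch seconds) so the logic can be tested.
assumed_profile_status() {
    _aps_now=${1:-$(date +%s)}
    [ -n "${ASSUMED_PROFILE:-}" ] || return 0
    case "${ASSUMED_PROFILE_EXPIRES:-}" in
        ''|*[!0-9]*)
            printf '%s:UNKNOWN' "$ASSUMED_PROFILE"
            return 0 ;;
    esac
    _aps_left=$((ASSUMED_PROFILE_EXPIRES - _aps_now))
    if [ "$_aps_left" -le 0 ]; then
        printf '%s:EXPIRED' "$ASSUMED_PROFILE"
    else
        printf '%s:%dh%02dm' "$ASSUMED_PROFILE" \
            $((_aps_left / 3600)) $((_aps_left % 3600 / 60))
    fi
}

# Unset the exported credentials once they have expired, so that stale
# values are no longer inherited by every child process of this shell.
# Returns 0 if the variables were cleared, 1 if nothing was done.
drop_expired_credentials() {
    case "$(assumed_profile_status "${1:-}")" in
        *:EXPIRED)
            unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
            return 0 ;;
    esac
    return 1
}

# Interactive bash only: check before every prompt and show the status.
if [ -n "${BASH_VERSION:-}" ] && [ -n "${PS1:-}" ]; then
    PROMPT_COMMAND='drop_expired_credentials; PS1="[$(assumed_profile_status)] \$ "'
fi
```

Sourcing this from the shell's startup file makes each assumed shell show the remaining lifetime of its credentials and clear them from the environment at expiry.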

TODO

  • Use default profile on empty argv
  • Add MFA support
  • Add brew installer for macOS
  • Add Support to execute commands
  • Add support to configure shell prompt to show active profile
  • Test and add support for multiple shells (zsh, fish, powershell)

Credits

Heavily inspired by https://github.com/remind101/assume-role

Owner
Erik Jansson
Lead Infrastructure Engineer @lifesum
Comments
  • Added expires information

    Updated README with duration configuration Added expiry information before shell is started Added expiry shell variable Launch default profile on empty argv
