
vancluever / aws-runas

Licence: Apache-2.0 License
Run commands or shell under an AWS IAM role


aws-runas

asciicast

The problem: You manage AWS across several different roles and need to use tools outside of the regular aws-cli toolchain.

The solution: Use aws-runas :)

Features

There are a few other tools and shell scripts out there that do the same thing, but there are some differentiators in this gem:

  • Support for your roles already laid out in ~/.aws/config.
  • These roles can also be copied to a local aws_config file and pushed to source control to ensure your deployment targets live with source.
  • Support for single-run commands (supplied on the command line) or interactive shell sessions (by supplying no commands).
  • MFA will be auto-detected and only prompted for if necessary (allowing one to assume a role that does not have an MFA serial supplied).
  • Session tokens can be acquired without assuming a role by adding the appropriate mfa_serial into the [default] profile and running aws-runas with --no-role. Subsequent uses of aws-runas after this will not prompt you for MFA (useful for tooling that needs to assume multiple roles off the same session token).
  • The session duration can be controlled with the --duration parameter. This allows you to change the session expiration if you require a period longer or shorter than an hour. The actual ranges you can choose with this setting depend on the account you are using and any configured maximums set on your role. More details can be found in the API documentation for GetSessionToken and AssumeRole.

How it Works

Roles are assumed, or session tokens are simply acquired (if --no-role is specified) via the AssumeRole or the GetSessionToken AWS STS API calls. After this, your command or shell is launched with the standard AWS credential chain environment variables set:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN

Additional Variables

In addition to the above, the following environment variables are set to help you gather additional information about the role and environment you are running under:

  • AWS_RUNAS_ASSUMED_ROLE_ARN - set when a role is assumed (not set if --no-role is used)
  • AWS_ROLE_SESSION_NAME - contains the assumed role's session name (not set if --no-role is used). The format is aws-runas-session_ACCTID_USERNAME_TIMESTAMP when the user has access to GetCallerIdentity, and aws-runas-session_TIMESTAMP format when they do not.
  • AWS_RUNAS_PROFILE - set with the profile used when aws-runas was run.
  • AWS_REGION and AWS_DEFAULT_REGION - set with the region name defined in the profile being used.
  • AWS_SESSION_EXPIRATION - set with the expiry timestamp in UTC.
  • AWS_SESSION_EXPIRATION_UNIX - set with the expiry timestamp in Unix time.

Fancy Bash/Zsh Prompt

If you use aws-runas without any options and your default shell is Bash or Zsh, a colorized prompt will appear with the profile that is in use if a role is assumed, or a simple (AWS) indicator added to the prompt if a session token is only obtained. See the video at the start of the doc for a demo!

Shell Integration Functions

Two functions are currently exported when you run under one of the two supported shells:

  • aws_session_expired, which reads AWS_SESSION_EXPIRATION_UNIX (see above) and compares this with the current Unix timestamp supplied by date. It returns 0 on true and 1 on false, which can be used semantically in shell scripts.
  • aws_session_status_color, which works off of aws_session_expired to render either an ANSI color number (for bash) or a human-readable color name (for zsh):
    • (red or 31) when aws_session_expired is true, (yellow or 33) otherwise.

Skipping the Fancy Prompt

If you are doing your own prompt customization based on aws-runas data and don't want the prompt modified, you can supply --skip-prompt to skip the prompt modification. The aforementioned integration functions will still be available to you however, which you can use in your own scripts.
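A script launched under aws-runas can use the exported variables to refuse to run with a nearly expired session or under a role in the wrong account. The following is an added example, not code from the aws-runas project: the function names, return codes and policy are hypothetical, and it assumes AWS_SESSION_EXPIRATION_UNIX is an integer number of seconds and that the account ID is the fifth colon-separated field of AWS_RUNAS_ASSUMED_ROLE_ARN.

```shell
#!/bin/sh
# Added example: preflight guard for scripts run under aws-runas.
# Variable names come from the README; everything else is hypothetical.

# Print the account ID (5th colon-separated ARN field).
# Fails unless that field is exactly 12 digits.
runas_account_id() {
  acct=$(printf '%s' "$1" | cut -d: -f5)
  case "$acct" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#acct}" -eq 12 ] || return 1
  printf '%s\n' "$acct"
}

# runas_preflight MIN_SECONDS EXPECTED_ACCOUNT [NOW]
# Returns 0 when it is safe to proceed, otherwise:
#   2 = no usable expiry (not started by aws-runas, or not an integer)
#   3 = session expired, or expires in less than MIN_SECONDS
#   4 = no role assumed (for example a --no-role session)
#   5 = role ARN is malformed or belongs to a different account
runas_preflight() {
  min_left=$1
  want_acct=$2
  now=${3:-$(date +%s)}          # NOW is overridable for testing
  exp=${AWS_SESSION_EXPIRATION_UNIX:-}
  case "$exp" in
    ''|*[!0-9]*) return 2 ;;
  esac
  [ $((exp - now)) -ge "$min_left" ] || return 3
  [ -n "${AWS_RUNAS_ASSUMED_ROLE_ARN:-}" ] || return 4
  got_acct=$(runas_account_id "$AWS_RUNAS_ASSUMED_ROLE_ARN") || return 5
  [ "$got_acct" = "$want_acct" ] || return 5
  return 0
}

# Usage inside a deployment script (account ID is a constructed sample):
#   runas_preflight 300 123456789012 || exit $?
```

Checking the remaining lifetime rather than only whether the session has already expired avoids starting a long-running job whose credentials lapse partway through.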

Usage

Install the gem (gem install aws_runas). The command can then be run as aws-runas from your regular $PATH.

aws-runas: Run commands under AWS IAM roles

Usage:
  aws-runas [options] COMMAND ARGS

If COMMAND is omitted, the default shell ($SHELL, /bin/sh, or cmd.exe,
depending on your system) will launch.

[options] are:
  -n, --no-role         Get a session token only, do not assume a role
  -s, --skip-prompt     Do not launch interactive sessions with the fancy prompt
  -p, --path=<s>        Path to the AWS config file
  -r, --profile=<s>     The AWS profile to load (default: default)
  -d, --duration=<i>    The duration in seconds for temporary credentials (default: 3600)
  -v, --version         Print version and exit
  -h, --help            Show this message

--path is optional, and if omitted will default to the files in the following order:

  • aws_config, in the current working directory
  • ~/.aws/config, in your user directory.

Usage on Windows

aws_runas works on Windows platforms, but YMMV. The gem has been tested lightly on Cygwin and MSYS. Cygwin works great if you use the self-contained Ruby ecosystem. Operating on MSYS or bare Windows will probably work as well as any other Ruby gem. Running on WSL has not been tested, but as long as you can get the minimum required Ruby version on it (currently >= 2.2.6), it should generally work.

OpenSSL Cert Bundle for Windows

Running aws-runas on native Windows may require the installation of a CA certificate bundle. To do this, you will need to get the certificate bundle from somewhere like here and set your SSL_CERT_FILE environment variable to point to the file.

Author

Chris Marchesi [email protected]

License

Copyright 2015-2018 Chris Marchesi

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.