AWS tools
Collection of tools to make working with AWS a bit easier without having to depend on awscli and python.
List of tools
| Tool | Overview |
|---|---|
| aws-dump | Dumps (a subset of) AWS resources metadata to JSON and optionally check if they are in terraform state. |
| iam-session | Creates new IAM session with role assumption and MFA support. |
| iam-public-keys | Returns the public SSH keys of an IAM user. |
| iam-sync-users | Create Linux users from IAM |
| iam-request-ssh-key-signature | Request SSH key signature from a CA managed by lambda-sign-ssh-key. |
| lambda-sign-ssh-key | Sign SSH keys from a CA using the caller's identity to set the principals. |
| iam-auth-proxy | Use IAM as identity provider for services. |
| cloudwatch-put-metric-data | Basic sending a metric value to cloudwatch |
| ec2-describe-instances | Describe EC2 instances by id or filter |
| ec2-ip-from-name | Given an EC2 name, list up to -max-results IPs associated with instances with that name |
| ecr-get-login | Prints out the command to run to auth with docker ECR. Check output flag for other options |
| ecs-dashboard | Shows ECS services and their version across multiple AWS accounts. |
| ecs-locate | Returns ip:port for containers of an ECS service |
| ecs-deploy | Update the container images of a task and update services to use it |
| ecs-run-task | Runs a task definition |
elb-resolve-elb-external-url |
ELB classic only (no ALB). Given a name returns the zone53 record associated with the ELB, including scheme (https returned if both available) and port. |
elb-resolve-alb-external-url |
Both ELB classic and ALB. Given a name, returns route53 record associated with the ELB. Does not include scheme or port as it doesn't check listeners. |
lambda-ping |
Pings a URL with lambda and publish a custom cloudwatch metric with the result. |
| s3-download | Download a single file from s3. |
| kms-env | Decrypts environment variables from SSM, KMS or Secret Manager and runs a command. |
Authentication
Every tool supports the standard AWS authentication as well as sts sessions with the following options
--region: Choose the aws-region to use--assume-role-arn: Assume the role before running. This is useful for cross account access.--assume-role-policy: Policy to use when assuming the role, can be used to drop permissions from the role.--mfa-serial-number: The new session will have its 2FA flag set.--mfa-token-code: The token code to use when using--mfa-serial-number. If not provided the tool will prompt for it.--session-duration: The length of the session, for example--session-duration=1h
Releases
All tools are available under different formats on the release page.
- Linux binaries (All tools)
- MacOS binaries (Most tools)
.debpackage.rpmpackage
Check the release tab for the latest release.
Checking release signatures
Download the signature from the release and use GPG to verify it
#!/usr/bin/env bash
version=7.4.0
os=linux
arch=amd64
wget https://github.com/hamstah/awstools/releases/download/v${version}/aws-dump_${version}_${os}_${arch} -O aws-dump
wget https://github.com/hamstah/awstools/releases/download/v${version}/aws-dump_${version}_${os}_${arch}.asc -O aws-dump.asc
gpg --verify aws-dump.asc aws-dump
The signing key is
Primary key fingerprint: 5FC5 40A9 A2F2 B87B 9C49 3D9E 7D40 F516 7D5C 7058
Checking the sha256 of binaries
- Get the
SHA256SUMSfiles#!/usr/bin/env bash version=7.4.0 wget https://github.com/hamstah/awstools/releases/download/v${version}/SHA256SUMS wget https://github.com/hamstah/awstools/releases/download/v${version}/SHA256SUMS.asc gpg --verify SHA256SUMS.asc SHA256SUMS - Check the sha256 of downloaded binaries
find . -type f ! -name "*.asc" ! -name SHA256SUMS | xargs -Ifile grep file SHA256SUMS | sha256sum --check