Bent Terp edited this page Nov 20, 2017 · 3 revisions

Welcome to the aws-session-tool wiki!

Why?

We developed this as what we believe to be an easy way of controlling access to the AWS CLI and Console, consistent with AWS's own recommended best practice of assuming roles with multi-factor authentication. The process is split into two steps, get_session and assume_role, so that it stays compatible with Terraform's support for assume-role.

What?

You need a computer running Bash (we test on Ubuntu, CentOS and OSX) with the AWS CLI installed. You need IAM credentials in the account you start from, with permission there to call sts:AssumeRole on the target role, and an S3 bucket in which you maintain the list of roles which can be assumed. And last, but not least, the role in the target account must trust your account, i.e. its trust policy must allow you to assume it!

How?

  • Create IAM users, groups and policies. You need a policy in the account holding the IAM users that allows those users/groups to assume the role, and in the target account the role itself, its permissions policy, and a trust policy establishing the trust with the account the users live in.
  • Create a bucket which is readable by the IAM users. We include that in our "self-service" policy, which also allows password changes and the like.
  • Write a list of the roles which should be accessible from this AWS account. Format the list items like this:
    <ROLEID> <ROLEARN> <DISPLAYNAME> <EXTID>
    where <ROLEID> is the name you will use to assume the role, <ROLEARN> is the actual ARN of the role to assume, <DISPLAYNAME> is the name to show in the console and <EXTID> is the External ID, which may be required for assuming the role (see the AWS User Guide). Any typo in <ROLEARN> or <EXTID> surfaces as an AccessDenied from STS, so check the list against the trust policy of the target role.
  • Upload the list of roles to the bucket. Default name is session-tool_roles.cfg
  • Configure the S3 bucket where the list of roles is found, for the profile in ~/.aws:
    aws configure set session-tool_bucketname <BUCKETNAME> --profile <PROFILENAME>
  • If you chose a non-default name for the list of roles, you also need to configure that:
    aws configure set session-tool_rolesfile <ROLESFILE> --profile <PROFILENAME>
  • Optionally, if there is one set of credentials you normally use, you can make that the default profile and omit -p <PROFILENAME> everywhere:
    aws configure set default.session_tool_default_profile <PROFILENAME>
  • Download the list of roles:
    get_session -d -p <PROFILENAME>
  • Obtain a session and store it:
    get_session -s -p <PROFILENAME> <MFACODE>
  • We support tab completion to make it easier to find the role you want to assume:
    assume_role <TAB>
  • Instead of assuming the role on the command line, you can also get a URL intended for pasting into a browser, giving you access to the AWS Console:
    get_console_url <TAB>
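As an added example, not the project's own code (the tool's get_session and assume_role are shell functions with their own options), the bash script below performs the steps above with the raw AWS CLI: it reads a roles file in the format shown, obtains an MFA-backed session with GetSessionToken, and then calls AssumeRole with the External ID from the list. It also emits the two policy documents the accounts need so that the role can only be assumed from an MFA-backed session. The account IDs, role names, user names, external IDs and MFA serial are placeholders, the roles file is constructed inline, and the script assumes bash and an installed aws CLI.

```shell
#!/usr/bin/env bash
# Added example, not aws-session-tool's own code. It walks the page's
# procedure with the raw AWS CLI: an MFA-backed session (GetSessionToken),
# then AssumeRole with the External ID from the roles list, plus the two
# policy documents the accounts need. Account IDs, role names, user names,
# external IDs and the MFA serial are placeholders. Requires bash and `aws`.

# Constructed roles file in the page's format:
#   <ROLEID> <ROLEARN> <DISPLAYNAME> <EXTID>     (<EXTID> may be absent)
ROLES_FILE="$(mktemp)"
cat >"$ROLES_FILE" <<'EOF'
prod-admin arn:aws:iam::111111111111:role/Admin Prod-Admin ext-prod-7f3a
dev-ro     arn:aws:iam::222222222222:role/ReadOnly Dev-ReadOnly
EOF

# Print "ROLEARN DISPLAYNAME EXTID" for ROLEID; return 1 if it is not listed.
lookup_role() {
  awk -v id="$1" '$1 == id { $1 = ""; sub(/^ +/, ""); print; found = 1 }
                  END { exit !found }' "$ROLES_FILE"
}

# Refuse anything that is not an IAM role ARN in a 12-digit account, so a
# typo in the list cannot silently turn into some other principal.
valid_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Turn the tab-separated "AccessKeyId SecretAccessKey SessionToken" line that
# `aws sts ... --output text` prints into export statements safe for eval.
creds_to_exports() {
  local ak sk st
  IFS=$'\t' read -r ak sk st <<<"$1"
  [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] || return 1
  printf 'export AWS_ACCESS_KEY_ID=%q\nexport AWS_SECRET_ACCESS_KEY=%q\nexport AWS_SESSION_TOKEN=%q\n' \
    "$ak" "$sk" "$st"
}

# Policy for the users/group in the account holding the IAM users: they may
# assume the role, but only from an MFA-backed session (step 1 below).
assume_role_policy() {  # assume_role_policy ROLEARN
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "$1",
    "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
  }]
}
EOF
}

# Trust policy for the role in the target account: only the user account,
# only with MFA, and only with the External ID from the roles list.
trust_policy() {  # trust_policy USER_ACCOUNT_ID EXTID
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::$1:root" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "Bool": { "aws:MultiFactorAuthPresent": "true" },
      "StringEquals": { "sts:ExternalId": "$2" }
    }
  }]
}
EOF
}

# Step 1, the page's get_session: temporary credentials tied to an MFA code.
get_session_raw() {  # get_session_raw PROFILE MFA_SERIAL_ARN MFACODE
  local line
  line=$(aws sts get-session-token --profile "$1" --serial-number "$2" --token-code "$3" \
           --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) || return 1
  creds_to_exports "$line"
}

# Step 2, the page's assume_role: run with the step-1 credentials exported;
# --external-id is passed only when the list has one for the role.
assume_role_raw() {  # assume_role_raw ROLEID
  local id=$1 arn name extid line
  line=$(lookup_role "$id") || { echo "unknown role: $id" >&2; return 1; }
  read -r arn name extid <<<"$line"
  valid_role_arn "$arn" || { echo "bad role ARN in roles file: $arn" >&2; return 1; }
  set -- --role-arn "$arn" --role-session-name "${USER:-session-tool}-$id"
  [ -n "$extid" ] && set -- "$@" --external-id "$extid"
  line=$(aws sts assume-role "$@" \
           --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) || return 1
  creds_to_exports "$line"
}

# Usage (these call AWS):
#   eval "$(get_session_raw myprofile arn:aws:iam::111111111111:mfa/alice 123456)"
#   eval "$(assume_role_raw prod-admin)"
#   aws sts get-caller-identity   # should now report the assumed role
```

The MFA condition in both policies is what makes the two steps matter: long-term access keys never satisfy aws:MultiFactorAuthPresent, so an AssumeRole call that skips the session step is denied on both sides, and the sts:ExternalId condition in the trust policy is the confused-deputy guard the AWS User Guide describes for <EXTID>.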

Feedback

Please open an issue if you have some feedback for us.
