Assume roles between AWS Control Plane accounts and Target accounts safely and securely.
go get -u github.com/devsecops/assumer-go/cmd/assumer
go get -u github.com/devsecops/assumer-go
assumer -h
assumer -a <target-account-number> -r <target-account-role> -A <control-account-number> -R <control-account-role>
-A, --control-account Control Account Number
-R, --control-role Control Account Role
-a, --target-account Target Account Number
-r, --target-role Target Account Role
-g, --gui AWS Console GUI
--profile AWS Profile
--region AWS Region
package main
import "github.com/pmbenjamin/assumer"
func main() {
// 1. get MFA Token from user
token = "123456"
// 2. Construct Control Plane
controlPlane := &assumer.ControlPlane{Plane: assumer.Plane{AccountNumber: "123456789012", RoleArn: "arn:aws:iam::123456789012:role/control-role", Region: "us-west-2"}, MfaToken: token}
// 3. Construct Target Plane
targetPlane := &assumer.targetPlane{Plane: assumer.Plane{AccountNumber: "123123123123", RoleArn: "arn:aws:iam::123123123123:role/target-plane"}}
// 4. Assume Control Plane Role
controlCreds, err := controlPlane.Assume()
if err != nil {
fmt.Println(err)
}
// 5. Assume Target Plane Role
targetCreds, err := targetPlane.Assume(controlCreds)
if err != nil {
fmt.Println(err)
}
// Now you have Target Plane Credentials...
targetCreds.Credentials.AccessKey
targetCreds.Credentials.SecretKey
targetCreds.Credentials.Region
}
Assumer expects the config file to be called assumer
and supports multiple configuration formats (e.g. TOML
, YAML
, & JSON
).
Assumer expects the configuration file to be located in $HOME/.assumer/config.xyz
or in the current working directory.
The config file is used if the user assumes role via assumer [target-account-name]
or if the user did not pass Control Plane/Target Plane parameters.
[myControlAccount]
account = 123456789012
role = "my/control/iam/role"
region = "us-west-2"
[myTarget]
[myTarget.prod.da]
account = 123456789012
region = "us-west-2"
role = "my/target/iam/role"
[myTarget.prod.ro]
account = 123456789012
region = "us-west-2"
role = "my/target/iam/role"
- Open AWS Console in browser with
-g
or--gui
flag - Assume into target accounts with a simple command:
assumer <target-account-name>
- Support different configuration formats (e.g.
JSON
,YAML
) - Distribute binary via Homebrew, so users can
brew install assumer