/get_sts_creds

Generate AWS STS credentials using sts::assumeRole and write those credentials to a config file for use with Amazon CodeDeploy

Primary LanguageGoGNU General Public License v3.0GPL-3.0

get_sts_creds

Generate AWS STS credentials using sts::assumeRole and write those credentials to a config file for use with Amazon CodeDeploy

Purpose

  • The purpose of get_sts_creds is almost identical to that of Amazon's own aws-codedeploy-session-helper tool.
  • The predominent motivation for the creation of this golang based app is portability, while aws-codedeploy-session-helper requires that Ruby and the AWS-SDK be installed.
  • While I [Devon] am a fan of Ruby, the versioning setup for the AWS-SDK means that when you may have coded something for v2 of the SDK, if v3 gets installed, everything will be broken.

Usage

  • All configuration options are taken via environment variables.
  • The use of environment variables is not always ideal, but it can simplify deployments in certain environments.

Environment Variables

AWS_DEFAULT_REGION

  • name: AWS_DEFAULT_REGION

  • alternate name: AWS_REGION

  • default: us-east-1

AWS_ACCESS_KEY_ID

  • name: AWS_ACCESS_KEY_ID

AWS_SECRET_ACCESS_KEY

  • name: AWS_SECRET_ACCESS_KEY

AWS_ROLE_ARN

  • name: AWS_ROLE_ARN
  • example: arn:aws:iam::xxxxxxxxxx:role/codedeploy-service

AWS_ROLE_SESSIONNAME

  • name: AWS_ROLE_SESSIONNAME
  • default: codedeploysess

AWS_EXTERNAL_ID

  • name: AWS_EXTERNAL_ID
  • default: get_sts_creds

AWS_STS_CREDENTIALS_FILE

  • name: AWS_STS_CREDENTIALS_FILE
  • default: /etc/codedeploy-agent/conf/awsStsCredentials.ini

Call via Cron

  • The credentials don't expire for 3 hours, so you do not need to regenerate the credentials too rapidly.
  • The easiest method of acquiring the credentials is using a cron job
0 * * * * COMMAND (AWS_DEFAULT_REGION="us-east-1" AWS_REGION="us-east-1" AWS_ACCESS_KEY_ID="AKIxxxxxxxxxxx" AWS_SECRET_ACCESS_KEY="xxxxxxxxxx" AWS_ROLE_ARN="arn:aws:iam::xxxxxxxxxx:role/codedeploy-service" AWS_ROLE_SESSIONNAME="codedeploysess" AWS_EXTERNAL_ID="getStsCreds" AWS_STS_CREDENTIALS_FILE="awsStsCredentials.ini" get_sts_creds 1>/dev/null 2>&1)

Examples

Example 1

export AWS_DEFAULT_REGION="us-east-1"
export AWS_REGION="us-east-1"
export AWS_ACCESS_KEY_ID="AKIxxxxxxxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxx"
export AWS_ROLE_ARN="arn:aws:iam::xxxxxxxxxx:role/codedeploy-service"
export AWS_ROLE_SESSIONNAME="codedeploysess"
export AWS_EXTERNAL_ID="getStsCreds"
export AWS_STS_CREDENTIALS_FILE="awsStsCredentials.ini"

get_sts_creds

Example 2

AWS_DEFAULT_REGION="us-east-1" \
AWS_REGION="us-east-1" \
AWS_ACCESS_KEY_ID="AKIxxxxxxxxxxx" \
AWS_SECRET_ACCESS_KEY="xxxxxxxxxx" \
AWS_ROLE_ARN="arn:aws:iam::xxxxxxxxxx:role/codedeploy-service" \
AWS_ROLE_SESSIONNAME="codedeploysess" \
AWS_EXTERNAL_ID="getStsCreds" \
AWS_STS_CREDENTIALS_FILE="awsStsCredentials.ini" \
get_sts_creds

Example 3

AWS_DEFAULT_REGION="us-east-1" AWS_REGION="us-east-1" AWS_ACCESS_KEY_ID="AKIxxxxxxxxxxx" AWS_SECRET_ACCESS_KEY="xxxxxxxxxx" AWS_ROLE_ARN="arn:aws:iam::xxxxxxxxxx:role/codedeploy-service" AWS_ROLE_SESSIONNAME="codedeploysess" AWS_EXTERNAL_ID="getStsCreds" AWS_STS_CREDENTIALS_FILE="awsStsCredentials.ini" get_sts_creds

Example of the Geneated Credential File

[default]
aws_access_key_id     = ASIxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxx
aws_session_token     = 2RKPTFF4...HUBQ==
region                = us-east-1
output                = json

# these credentials expire 2018-02-23 21:37:02 +0000 UTC