coinbase/assume-role rewritten in Powershell
Assume IAM roles through an AWS Bastion account with MFA via the command line.
AWS Bastion accounts store only IAM users, providing a central, isolated account in which to manage their credentials and access. Trusting AWS accounts create IAM roles that the Bastion users can assume, so that a single user can reach the resources of multiple accounts. Under this setup, assume-role makes it easier to follow the standard security practices of MFA and short-lived credentials.
This is an almost 1:1 copy of coinbase/assume-role rewritten in PowerShell. The SAML part of the original coinbase/assume-role isn't implemented at this time.
Before using assume-role make sure the following prerequisites have been met.

- Windows PowerShell 5.x or PowerShell Core 6.0. You can get PowerShell Core 6.0 for Windows, Linux or macOS from here. Check your PowerShell version by executing `$PSVersionTable.PSVersion`.
- On Windows, the script execution policy must be set to either `RemoteSigned` or `Unrestricted`. Check the script execution policy setting by executing `Get-ExecutionPolicy`. If the policy is not set to one of the two required values, run PowerShell as Administrator and execute `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Confirm`.
- Install the AWS Command Line Interface (on Microsoft Windows, on macOS, on Linux).
- Add the AWS CLI executable to your command line path if `aws` isn't responding after installation (Windows, macOS, Linux).
- Create a default profile with `aws configure`.
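The checklist above can be run as a script. The following is an added example, not part of this project's assume-role.ps1: it checks each prerequisite in the current PowerShell session and reports what is missing. It assumes that the effective execution policy (what `Get-ExecutionPolicy` prints without a scope) is what matters and that a default profile counts as configured when `aws configure get aws_access_key_id --profile default` succeeds.

```powershell
# Added example (not the project's code): verify the README's prerequisites
# in the PowerShell session you intend to use for assume-role.
function Test-AssumeRolePrerequisites {
    $results = [ordered]@{}

    # Windows PowerShell 5.x or PowerShell Core 6.0 and later.
    $results['PowerShell 5 or newer'] = $PSVersionTable.PSVersion.Major -ge 5

    # The execution policy only matters on Windows; the README requires
    # RemoteSigned or Unrestricted. Without -Scope this is the effective policy.
    $onWindows = [System.Environment]::OSVersion.Platform -eq 'Win32NT'
    if ($onWindows) {
        $policy = Get-ExecutionPolicy
        $results["Execution policy is RemoteSigned or Unrestricted (now: $policy)"] =
            $policy -in 'RemoteSigned', 'Unrestricted'
    }

    # The AWS CLI must be reachable through the command line path.
    $awsCmd = Get-Command aws -ErrorAction SilentlyContinue
    $results['aws on PATH'] = $null -ne $awsCmd

    # A default profile, as created by 'aws configure', must at least hold an
    # access key id. 'aws configure get' exits non-zero when the key is unset.
    if ($awsCmd) {
        $null = & aws configure get aws_access_key_id --profile default 2>$null
        $results['default profile configured'] = $LASTEXITCODE -eq 0
    } else {
        $results['default profile configured'] = $false
    }
    return $results
}

$checks = Test-AssumeRolePrerequisites
$checks.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK     ' } else { 'MISSING' }
    Write-Host "$state $($_.Key)"
}
if ($checks.Values -contains $false) {
    Write-Warning 'Fix the items marked MISSING before running assume-role.'
}
```

Run it from the same shell you will use for assume-role; an elevated or a different PowerShell edition can report a different execution policy than the one that applies to your session.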
There are two variants.

Variant 1: run from the cloned directory

1. Clone this repository.
2. `cd` into the cloned directory.
3. Run `./assume-role.ps1`.

Variant 2: put assume-role.ps1 on your PATH

1. Clone this repository.
2. Create your personal execution folder, for example `C:\Users\<User>\bin` (or use your existing one).
3. Copy or move assume-role.ps1 from step 1 to the path from step 2.
4. Press the Windows key and type "environment variables".
5. Choose "Edit environment variables for your account".
6. Choose PATH and then choose Edit.
7. Add the path from step 2 to the "Variable value" field.
8. Choose OK twice to apply the new settings.
9. Close any running command prompts and re-open them.
10. Open PowerShell and run `assume-role`, or open `cmd.exe` and run `powershell assume-role`.
assume-role can be executed with or without parameters. Every parameter is optional, but you have to keep the order: if you want to set the `role` parameter you also have to set `account_name`. Any value that you do not set and that assume-role cannot determine on its own is prompted for interactively.
```
Usage: assume-role [account_name] [role] [mfa_token] [aws-region]

  account_name   account id or alias
                 aliases stored in ~/.aws/accounts as JSON {"alias": account_id}
                 [default 'default']
  role           the role to assume into the account
                 [default 'read']
  mfa_token      The MFA token for the user
                 only valid if not using SAML for auth
  aws_region     region to assume into default set in ~/.aws/config
```
The script assumes you'd like to use your default AWS profile defined with `aws configure`. If you want to use another profile, run the script like this: `$AWS_PROFILE_ASSUME_ROLE="profilename"; assume-role`
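To show what the usage above amounts to under the hood, here is an added example script that is not the project's assume-role.ps1. It walks the same flow with the AWS CLI: resolve `account_name` through the `~/.aws/accounts` alias file, read the Bastion identity with `sts get-caller-identity`, call `sts assume-role` with the MFA serial and token, and export the short-lived credentials into the calling session. Two details are assumptions rather than anything the README states: the MFA device serial is taken to be the caller's user ARN with `:user/` replaced by `:mfa/`, and the target role ARN is built as `arn:aws:iam::<account_id>:role/<role>`. The profile override honours both the `$AWS_PROFILE_ASSUME_ROLE` variable shown above and an environment variable of the same name.

```powershell
# Added example (not the project's assume-role.ps1). Assumptions: MFA serial is
# the user ARN with ":user/" -> ":mfa/", role ARN is arn:aws:iam::<id>:role/<role>.
param(
    [string]$AccountName = 'default',   # 12-digit account id or alias from ~/.aws/accounts
    [string]$Role        = 'read',
    [string]$MfaToken,
    [string]$Region
)

# Profile override as documented: $AWS_PROFILE_ASSUME_ROLE="name"; assume-role
$awsProfile = 'default'
if ($env:AWS_PROFILE_ASSUME_ROLE) { $awsProfile = $env:AWS_PROFILE_ASSUME_ROLE }
if ($AWS_PROFILE_ASSUME_ROLE)     { $awsProfile = $AWS_PROFILE_ASSUME_ROLE }

function Resolve-AccountId {
    # Accepts a 12-digit account id as-is, otherwise looks the alias up in
    # ~/.aws/accounts, a JSON object of the form {"alias": "account_id"}.
    param([string]$Name)
    if ($Name -match '^\d{12}$') { return $Name }
    $aliasFile = Join-Path $HOME '.aws/accounts'
    if (-not (Test-Path $aliasFile)) { throw "'$Name' is not an account id and $aliasFile does not exist" }
    $aliases = Get-Content $aliasFile -Raw | ConvertFrom-Json
    $id = $aliases.$Name
    if (-not $id) { throw "Alias '$Name' not found in $aliasFile" }
    return [string]$id
}

function Invoke-AwsJson {
    # Runs the AWS CLI with JSON output and fails loudly on a non-zero exit code.
    param([string[]]$CliArgs)
    $raw = & aws @CliArgs --output json
    if ($LASTEXITCODE -ne 0) { throw "aws $($CliArgs[0]) $($CliArgs[1]) failed (exit $LASTEXITCODE)" }
    return (($raw -join "`n") | ConvertFrom-Json)
}

# Credentials left over from an earlier session must not shadow the profile.
Remove-Item Env:AWS_ACCESS_KEY_ID, Env:AWS_SECRET_ACCESS_KEY, Env:AWS_SESSION_TOKEN -ErrorAction SilentlyContinue

$accountId = Resolve-AccountId -Name $AccountName

# Who am I in the Bastion account? Needed for the MFA serial and the session name.
$identity = Invoke-AwsJson @('sts', 'get-caller-identity', '--profile', $awsProfile)
if ($identity.Arn -notmatch ':user/') { throw "Expected an IAM user identity, got $($identity.Arn)" }
$userName  = ($identity.Arn -split '/')[-1]
$mfaSerial = $identity.Arn -replace ':user/', ':mfa/'   # assumption: virtual MFA named after the user

if (-not $MfaToken) { $MfaToken = Read-Host "MFA token for $mfaSerial" }
if ($MfaToken -notmatch '^\d{6}$') { throw 'MFA token must be six digits' }

$roleArn     = "arn:aws:iam::${accountId}:role/$Role"
$sessionName = "$userName-$(Get-Date -Format 'yyyyMMddHHmmss')"   # shows up in CloudTrail
$assumed = Invoke-AwsJson @(
    'sts', 'assume-role',
    '--profile', $awsProfile,
    '--role-arn', $roleArn,
    '--role-session-name', $sessionName,
    '--serial-number', $mfaSerial,
    '--token-code', $MfaToken,
    '--duration-seconds', '3600'   # keep the session short-lived: one hour
)

# Environment variables are process-wide, so setting them here makes the
# temporary credentials visible to the interactive session that ran the script.
$env:AWS_ACCESS_KEY_ID     = $assumed.Credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $assumed.Credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN     = $assumed.Credentials.SessionToken
if ($Region) { $env:AWS_DEFAULT_REGION = $Region }

Write-Host "Assumed $roleArn as $sessionName; credentials expire at $($assumed.Credentials.Expiration)"
```

The session name embeds the Bastion user name and a timestamp so that every AssumeRole call and everything done with the resulting credentials can be traced back to a person in the trusting account's CloudTrail logs; the one-hour duration keeps a leaked token's usefulness short, which is the point of the short-lived credentials the README mentions.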