This package provides tools for AWS platform, such as:
- switching between multiple accounts
- renewing API access keys
and others.
The main reason why aws-tools came to be, was using awscli with different access keys in the secure and easy way.
Switching between AWS accounts:
$ awsenv test <test> $ aws s3 ls ...list of S3 objects on TEST environment... ### Explanation: ### <test> $ env | grep AWS ### AWS_SECRET_ACCESS_KEY=w0bM0rucARITPOUpcyAaX3iI9lGjJo7g8UUCUxIv ### AWS_ACCESS_KEY_ID=AKIAJPVK7VGH6CBZT5EQ ### AWS_ENV=test <test> $ awsenv prod <prod> $ aws s3 ls ...list of S3 objects on PROD environment... ### Explanation: ### <prod> $ env | grep AWS ### AWS_SECRET_ACCESS_KEY=P8crbSIvQ/Au0jfnW8XER9eJKxpQdYqpRVz5QxKo ### AWS_ACCESS_KEY_ID=AKIAJ4F26CMBPI1HF7MQ ### AWS_ENV=prod
Renewing AWS API access keys:
$ awsenv prod ### Explanation: ### <prod> $ env | grep AWS ### AWS_SECRET_ACCESS_KEY=P8crbSIvQ/Au0jfnW8XER9eJKxpQdYqpRVz5QxKo ### AWS_ACCESS_KEY_ID=AKIAJ4F26CMBPI1HF7MQ ### AWS_ENV=prod <prod> $ awsroll prod Rolled key for env prod: AccessKeyId=****************ZKQFQ; CreateDate=2018-11-14 13:10:04+00:00 <prod> $ awsenv prod ### Explanation: ### <prod> $ env | grep AWS ### AWS_SECRET_ACCESS_KEY=napb9J2RKzsSiTIjLRavN09qIfFzrMo7846zr2ou ### AWS_ACCESS_KEY_ID=AKIAJTGB6EFV7F4ZKQFQ ### AWS_ENV=prod
Prerequisites:
aws-tools requires gpg (version >= 2.X) to decrypt/encrypt your AWS credentials.
Install necessary packages, and generate a new key pair:
$ sudo apt-get install gpg gpg-agent $ gpg --gen-key
This document covers only gpg commands required to run aws-tools! If you need to use other gpg parameters, go to gpg documentation.
Configure your region using awscli if you haven't done that yet:
$ aws configure AWS Access Key ID [None]: AWS Secret Access Key [None]: Default region name [None]: eu-west-1 Default output format [None]:
Do not provide any keys here!
Simply run:
$ pip install --user aws-tools
In ~/.aws directory create temporary env.<environment>.conf file
for each AWS environment.
For example, if you have 3 AWS environments: TEST, STAGE and PROD, there
should be 3 config files in ~/.aws directory:
env.test.conf env.stage.conf env.prod.conf
Edit each file:
[default]
aws_access_key_id = <your_environment_specific_access_key_id>
aws_secret_access_key = <your_environment_specific_secret_access_key>Encrypt each file with gpg:
$ gpg --encrypt --armor --output env.<environment>.conf.asc -r <your-gpg-user-id-name> env.<environment>.conf
and remove temporary env.*.conf files!
Rungpg -Kto find out what is your<your-gpg-user-id-name>
aws-tools comes with handy command completion and bash prompt features.
Simply add to your ~/.bashrc:
source $HOME/.local/bin/aws_tools_completion.bash 2>/dev/null
export PS1="\$(__awsenv_ps1 2>/dev/null)${PS1}"This step is helpful if you want to send renewed AWS access keys to an email.
In ~/.aws directory create temporary smtp.cfg file.
Edit smtp settings:
smtplogin = <your_full_smtp_login>
smtppass = <your_password>
smtphost = <smtp_host>
smtpport = <smtp_port>Encrypt config file with gpg:
$ gpg --encrypt --armor --output smtp.cfg.asc -r <your-gpg-user-id-name> smtp.cfg
and remove temporary smtp.cfg file!
Autocompletion:
$ awsenv<TAB><TAB> prod stage test
Use TEST access keys:
$ awsenv test
Unset AWS access keys for current shell:
$ awsenv unset
Rotate PROD access keys:
$ awsroll prod
Rotate access keys for all environments:
$ awsroll
Rotate access keys for all environments using gpg agent, and send them to the email:
$ aws-roll-keys.py -a -e all -s <email@domain.org>
Rotate access keys for TEST environment and send info to the email:
$ aws-roll-keys.py -e test -i <email@domain.org>