This provides the assume-role command, which generates AWS temporary security credentials.
$ cargo binstall aws-assume-role-rs
or
$ cargo install aws-assume-role-rs
$ assume-role --help
A command line tool to generate AWS temporary security credentials.

Usage: assume-role [OPTIONS] <--totp-secret <TOTP_SECRET>|--totp-code <TOTP_CODE>> [ARGS]...

Arguments:
  [ARGS]...  Commands to execute

Options:
      --aws-profile <AWS_PROFILE>        AWS profile name in AWS_CONFIG_FILE. This option is used to detect jump account information [env: AWS_PROFILE=]
  -p, --profile-name <PROFILE_NAME>      The profile name
  -r, --role-arn <ROLE_ARN>              The IAM Role ARN to assume [env: ROLE_ARN=]
  -c, --config <CONFIG>                  The config file. default: $HOME/.aws/config.toml
                                         Load the first of the following files found:
                                           1. the file specified by this option
                                           2. $HOME/.aws/config.toml
                                           3. $HOME/.aws/config
  -d, --duration <DURATION>              The duration in seconds of the role session. (900-43200)
                                         The following suffixes are available:
                                           "s": seconds
                                           "m": minutes
                                           "h": hours
                                         No suffix means seconds. [default: 1h]
  -n, --serial-number <SERIAL_NUMBER>    MFA device ARN such as arn:aws:iam::123456789012/mfa/user [env: SERIAL_NUMBER=]
  -s, --totp-secret <TOTP_SECRET>        The base32 format TOTP secret [env: TOTP_SECRET=]
  -t, --totp-code <TOTP_CODE>            The TOTP code generated by other tool [env: TOTP_CODE=]
  -f, --format <FORMAT>                  Output format [possible values: json, bash, zsh, fish, power-shell]
  -v, --verbose                          Print verbose logs
  -h, --help                             Print help
  -V, --version                          Print version
The role ARN to assume is determined in one of the following ways:
- the --role-arn option
- found by the --profile-name option in a configuration file
- selected from a list loaded from a configuration file in an interactive UI

The configuration file is the first of the following that exists:
- the file given by the --config option
- $HOME/.aws/config.toml
- $HOME/.aws/config

Secrets, such as AWS credentials, the MFA serial number, and the TOTP secret, are loaded from:
- environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, SERIAL_NUMBER, TOTP_SECRET)
- the INI format file specified by the --config option and the --aws-profile option
- credentials resolved according to aws_config's default rule
Create $HOME/.aws/config.toml:
[profile.test]
role_arn = "arn:aws:iam::123456789012:role/Developer"
[profile.test-admin]
role_arn = "arn:aws:iam::123456789012:role/PowerUserRole"
[profile.production-viewer]
role_arn = "arn:aws:iam::123456789876:role/Viewer"
[profile.production-maintainer]
role_arn = "arn:aws:iam::123456789876:role/Maintainer"
The TOML format only supports sections with the key role_arn.
or create $HOME/.aws/config:
[profile jump]
region = ap-northeast-1
serial_number = arn:aws:iam::987654321234:mfa/serialnumber
[profile jump2]
region = ap-northeast-1
[profile test]
role_arn = arn:aws:iam::123456789012:role/Developer
[profile test-admin]
role_arn = arn:aws:iam::123456789012:role/PowerUserRole
[profile production-viewer]
role_arn = arn:aws:iam::123456789876:role/Viewer
[profile production-maintainer]
role_arn = arn:aws:iam::123456789876:role/Maintainer
When looking up role_arn, the INI file format ignores all sections that do not have the role_arn property.
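As an added example (not part of the aws-assume-role-rs project), the following Rust code shows the two loading rules described above: a single loader that reads either the TOML `[profile.name]` or the INI `[profile name]` layout and keeps only sections carrying `role_arn`, plus a parser for the `--duration` value with its s/m/h suffixes and 900-43200 second range. The sample configs are constructed for this example and the function names are my own.

```rust
use std::collections::BTreeMap;

/// Constructed sample configs: TOML uses `[profile.name]` headers and quoted values, INI `[profile name]` and bare values.
pub const SAMPLE_TOML: &str = "[profile.test]\nrole_arn = \"arn:aws:iam::123456789012:role/Developer\"\n\
    [profile.test-admin]\nrole_arn = \"arn:aws:iam::123456789012:role/PowerUserRole\"\n";
pub const SAMPLE_INI: &str = "[profile jump]\nregion = ap-northeast-1\nserial_number = arn:aws:iam::987654321234:mfa/serialnumber\n\
    [profile test]\nrole_arn = arn:aws:iam::123456789012:role/Developer\n";

/// Collect `profile name -> role_arn` from either format. Sections without a `role_arn` key
/// (the `jump` account above) are dropped, so only assumable profiles are offered for selection.
pub fn load_role_profiles(text: &str) -> BTreeMap<String, String> {
    let mut profiles = BTreeMap::new();
    let mut current: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if let Some(h) = line.strip_prefix('[').and_then(|l| l.strip_suffix(']')) {
            let h = h.trim();
            // `[profile.test]` and `[profile test]` both name the profile "test"
            let name = h.strip_prefix("profile.").or_else(|| h.strip_prefix("profile ")).unwrap_or(h);
            current = Some(name.trim().to_string());
            continue;
        }
        if let (Some(name), Some((key, value))) = (&current, line.split_once('=')) {
            if key.trim() == "role_arn" {
                // TOML values are quoted, INI values are bare; accept both
                profiles.insert(name.clone(), value.trim().trim_matches('"').to_string());
            }
        }
    }
    profiles
}

/// Parse a `--duration` argument ("900", "15m", "1h"; no suffix means seconds) and
/// enforce the 900-43200 second window documented in the help output.
pub fn parse_duration(arg: &str) -> Result<u32, String> {
    let (digits, unit) = match arg.chars().last() {
        Some('s') => (&arg[..arg.len() - 1], 1),
        Some('m') => (&arg[..arg.len() - 1], 60),
        Some('h') => (&arg[..arg.len() - 1], 3600),
        _ => (arg, 1),
    };
    let n: u32 = digits.parse().map_err(|_| format!("invalid duration: {}", arg))?;
    let secs = n.checked_mul(unit).ok_or_else(|| format!("duration too large: {}", arg))?;
    if !(900..=43200).contains(&secs) {
        return Err(format!("{}s is outside the 900-43200 second range", secs));
    }
    Ok(secs)
}
```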
Set the environment variables SERIAL_NUMBER and TOTP_SECRET.
Or, you can set --serial-number and --totp-secret.
You can select the profile interactively in your configuration file.
$ env AWS_PROFILE=jump SERIAL_NUMBER="..." TOTP_SECRET="..." assume-role aws s3 ls
# same as the above using command line options
$ env AWS_PROFILE=jump assume-role --serial-number "..." --totp-secret "..." aws s3 ls
You can set a TOTP_CODE generated by another tool via the command line option (--totp-code) or the environment variable (TOTP_CODE) instead of TOTP_SECRET.
$ env AWS_PROFILE=jump SERIAL_NUMBER="..." TOTP_CODE="..." assume-role aws s3 ls
# same as the above using command line options
$ env AWS_PROFILE=jump assume-role --serial-number="..." --totp-code="..." aws s3 ls
You can use the --profile-name option to specify the role ARN by profile.
$ AWS_PROFILE=jump assume-role --profile-name test --totp-secret "..." aws s3 ls
or
$ assume-role --aws-profile=jump --profile-name=test --totp-code=123456 aws s3 ls
You can use the --role-arn option to specify the role ARN directly.
$ AWS_PROFILE=jump2 assume-role --role-arn arn:aws:iam::123456789012:role/Developer --serial-number "..." --totp-secret "..." aws s3 ls
You can use this assume-role command with sorah/envchain or okkez/envchain-rs.
Store secrets in secret service or keychain.
$ envchain --set jump AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION SERIAL_NUMBER TOTP_SECRET
# ... input secret values
$ envchain jump assume-role -p test-admin aws s3 ls
With the --format option, the command prints shell statements that set the following environment variables, which you can eval in your shell:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_EXPIRATION
eval $(envchain jump assume-role -p test-admin --format bash)
eval $(envchain jump assume-role -p test-admin --format zsh)
eval (envchain jump assume-role -p test-admin --format fish)
MIT License