
A few helpful AWS tools written in Go

   awstools [global options] command [command options] [arguments...]


     assume                      assume role on a specified account
     accounts                    print known accounts
     ec2                         print EC2 instances and ELBs
     cloudformation, cf          print CloudFormation stacks information
     rotate-main-account-key, r  create a new access key for main account and delete the current one
     dynamodb, ddb               dynamodb commands
     kms                         encrypt/decrypt text
     kinesis                     print records from kinesis streams
     cloudwatch, cw              search in cloudwatch logs
     help, h                     Shows a list of commands or help for one command

   --config value, -c value  path to config.toml file (default: ~/.config/awstools/config.toml)
   --no-color                turn off color output
   --help, -h                show help
   --version, -v             print the version


Consider also awscredx if you are mostly interested in role assumption.


We provide binaries for all releases through GitHub. The latest release is 0.13.2.

To install awstools, choose the binary for your platform (either OSX or Linux), download it, and use chmod to make it executable.


On Mac you can use Homebrew to install the binary:

$ brew tap sam701/awstools
$ brew install awstools


On Linux, download the release binary:

$ curl -o awstools -SsL https://github.com/sam701/awstools/releases/download/0.13.2/awstools_linux_amd64
$ chmod +x awstools


To install from source, export the required environment variables:

export GOPATH=$HOME/goprojects
export PATH=$PATH:$GOPATH/bin

Install awstools:

go get -u github.com/sam701/awstools


The default path to the configuration file is $HOME/.config/awstools/config.toml.

Here is an example of a config.toml:

defaultRegion = "eu-west-1"
defaultKmsKey = "arn:aws:kms:eu-west-1:000000000001:key/00000000-1111-1111-2222-333333333333"

# Rotate the main account access key every week
keyRotationIntervalMinutes = 10080

# Reuse current credentials, if they are valid for at least 10 minutes.
reuseCredentialsIfValidForMinutes = 10

[profiles]
mainAccount = "main_account"
mainAccountMfaSession = "main_account_mfa_session"

[accounts]
main = "000000000001"
dev = "000000000002"
prod = "000000000003"

  • The profiles section contains the profile names that will be saved in $HOME/.aws/credentials.
  • The accounts section contains the account names and their IDs.

Add to your .bash_profile:

aws_assume() {
	tmpFile=/tmp/aws_assume.tmp
	awstools assume --export "$tmpFile" --export-profile "$@" && source "$tmpFile"; rm -f "$tmpFile"
}

or to your ~/.config/fish/config.fish

function aws_assume
	set tmp /tmp/aws_assume.tmp
	awstools assume --export $tmp --export-profile $argv; and source $tmp
	rm $tmp
end

The --export-profile flag tells awstools to print only AWS_PROFILE instead of the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN variables. This will become the default behavior later.

Now, to assume a role on a subaccount, you can run something like this:

aws_assume AccountName MyRoleOnSubAccount

Required IAM permissions


To assume a role in another account, awstools needs the following permissions:

  • iam:GetUser
  • iam:ListAccessKeys

Note: awstools uses MFA-authenticated sessions for operations on your AWS access key.

Access Key Rotation

To rotate access keys on the relevant account, awstools needs the following permissions:

  • iam:GetUser
  • iam:CreateAccessKey
  • iam:DeleteAccessKey
  • iam:ListAccessKeys
  • iam:UpdateAccessKey

Note: awstools uses MFA-authenticated sessions for operations on your AWS access key.
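
One way to grant the permissions listed above with least privilege, as an added example that is not part of the awstools project: an IAM policy that allows the five key-rotation actions only on the caller's own IAM user and only in an MFA-authenticated session. The Sid is a made-up label, and the Resource pattern assumes the user was created without an IAM path.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnAccessKeysWithMfa",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

With this policy attached, a leaked long-lived access key cannot by itself create or delete keys, because those calls are denied outside an MFA session.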


