A CLI tool that lets you log in and retrieve temporary AWS credentials by assuming a role.
Check out the Release page for prebuilt versions of aws-masquerade
for several different architectures.
cargo install aws-masquerade
aws-masquerade 0.2.0
sinofseven
AWS Assume Role CLI Tool
USAGE:
aws-masquerade [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
add add a account
assume exec assume role
config-path show path of config file
edit edit a account
help Prints this message or the help of the given subcommand(s)
list list accounts
remove remove a account
validate validate config
view view a account
To add an account to aws-masquerade, run the following command and follow the prompts.
$ aws-masquerade add
account name (required): account_name # account name (used as the assumed profile name)
source profile name []: # source profile for assuming the role
role arn (required): arn:aws:iam::000000000000:role/target-role # target IAM role ARN to assume
mfa arn []: arn:aws:iam::000000000000:mfa/user-name # virtual mfa device arn (if using mfa)
mfa secret []: SDI7UGDNQ5NURIUPBOWEUTHIDBIT6DRHR4WLWS7N7C3C6VS3LJKNWHL2JZIFIUYI # secret of virtual mfa device
Select Credential Output Type: # output format of assume role result
[0] SharedCredentials # adding to shared config
[1] bash # bash style. export AWS_ACCESS_KEY_ID="xxxxxxxxxxxx"
[2] fish # fish style. set -x AWS_ACCESS_KEY_ID "xxxxxxxxxxxx"
[3] PowerShell # PowerShell style. $env:AWS_ACCESS_KEY_ID="xxxxxxxxxxxx"
> [0]:
Select awscli output type: # the output from the AWS Command Line Interface (AWS CLI).
[0] json
[1] text
[2] table
> []:
Default Region Name []: ap-northeast-1 # set default region
Generated Account
{
"test": {
"sourceProfile": null,
"roleArn": "arn:aws:iam::148005307600:role/aws-initialize-stack/administrator",
"mfaArn": "arn:aws:iam::261267950596:mfa/yuta",
"mfaSecret": "SDI7UGDNQ5NURIUPBOWEUTHIDBIT6DRHR4WLWS7N7C3C6VS3LJKNWHL2JZIFIUYI",
"credentialOutput": "SharedCredentials",
"output": null,
"region": "ap-northeast-1"
}
}
Do you confirm add account? (y/n) [y]:
$ aws-masquerade assume --help
aws-masquerade-assume
exec assume role
USAGE:
aws-masquerade assume [OPTIONS] --account-name <account>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-a, --account-name <account> Name of the account
-c, --credential-output-target <assume_type>
Output Target [possible values: bash, fish, PowerShell, SharedCredentials]
-t, --mfa-token <token> Input Mfa Token
If you are using MFA, enter the MFA token either with the -t option or interactively.
MFA tokens are populated automatically if you have registered an MFA secret.
The result of the Assume Role will be added to SharedConfig.
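Because a registered `mfaSecret` lets MFA tokens be filled in automatically, the config file holds everything needed to produce those tokens. The following is an added example, not part of aws-masquerade: it assumes the JSON layout shown on this page and standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) as used by virtual MFA devices, flags a config file readable beyond its owner and accounts with a stored secret, and derives a code from a constructed test secret to show what that secret yields.

```python
import base64, hashlib, hmac, json, os, stat, struct, tempfile, time

def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme virtual MFA devices use."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def audit_config(path):
    """Return findings for a config file in the JSON layout shown on this page."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"{path}: mode {mode:o} is accessible beyond the owner")
    with open(path) as fh:
        accounts = json.load(fh)
    for name, acct in accounts.items():
        if acct.get("mfaSecret"):
            findings.append(f"{name}: mfaSecret stored in plaintext for {acct.get('mfaArn')}")
    return findings

def demo():
    # Constructed sample config; the secret is the RFC 6238 test key, not a real device.
    sample = {"demo-account": {"sourceProfile": None,
        "roleArn": "arn:aws:iam::000000000000:role/target-role",
        "mfaArn": "arn:aws:iam::000000000000:mfa/user-name",
        "mfaSecret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "credentialOutput": "SharedCredentials", "output": None,
        "region": "ap-northeast-1"}}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    os.chmod(fh.name, 0o644)  # deliberately too permissive for the demo
    try:
        return audit_config(fh.name), totp(sample["demo-account"]["mfaSecret"], now=59)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    findings, code = demo()
    print("\n".join(findings))
    print("code derivable from the stored secret at t=59:", code)
```

To check a real installation, pass the path printed by `aws-masquerade config-path` to `audit_config`.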
$ aws-masquerade assume -a account-name
export AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXX"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export AWS_SESSION_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export AWS_SECURITY_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Run this to configure your shell:
# eval $(aws-masquerade assume -a account-name)
$ aws-masquerade assume -a account-name
set -gx AWS_ACCESS_KEY_ID "XXXXXXXXXXXXXXXXXXXX"
set -gx AWS_SECRET_ACCESS_KEY "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set -gx AWS_SESSION_TOKEN "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set -gx AWS_SECURITY_TOKEN "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Run this to configure your shell:
# eval (aws-masquerade assume -a account-name)
$ aws-masquerade assume -a account-name
$env:AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXX"
$env:AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$env:AWS_SESSION_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$env:AWS_SECURITY_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Run this to configure your shell:
# aws-masquerade assume -a account-name | Invoke-Expression
$ aws-masquerade view --help
aws-masquerade-view
view a account
USAGE:
aws-masquerade view --account-name <account>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-a, --account-name <account> Name of the account
$ aws-masquerade view -a account-name
{
"account-name": {
"sourceProfile": null,
"roleArn": "arn:aws:iam::000000000000:role/xxxxxxxxxxx",
"mfaArn": "arn:aws:iam::000000000000:mfa/xxxxxxxxxxx",
"mfaSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"credentialOutput": "SharedCredentials",
"output": null,
"region": "ap-northeast-1"
}
}
$ aws-masquerade list
account-001
account-002
account-003
$ aws-masquerade edit --help
aws-masquerade-edit
edit a account
USAGE:
aws-masquerade edit --account-name <account>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-a, --account-name <account> Name of the account
The edit prompt is almost the same as the add prompt.
$ aws-masquerade remove --help
aws-masquerade-remove
remove a account
USAGE:
aws-masquerade remove --account-name <account>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-a, --account-name <account> Name of the account
$ aws-masquerade config-path
/home/codespace/.config/aws-masquerade/config.json
$ aws-masquerade validate