Hi! Today just a short technical post I wanted to share with you. I keep it as simple as possible, as my „strong“ hand has been fixed in a plaster cast for three weeks now and typing is hard and exhausting.
Anyway, we host most of our projects in Amazon AWS. For most customers we create an „own“ AWS account instead of running their projects, code and intellectual property in our AWS account. Our admin account is then granted full administrative access to the customer's account via an IAM role in that account whose trust policy allows our admin account to assume it.
This works fine so far, but it complicates the use of the AWS command line interface, as you don't have „direct“ access to the different accounts. You could create a user in every customer account and use those credentials as profile info in the aws-cli configuration. But why should you? Our admin account already has full access, so there is no need for another user and another set of long-lived credentials to rotate and protect.
So to simplify my awscli workflow I wrote a little helper script in bash which uses the „assume role“ functionality of the cli toolset (aws sts assume-role). With this call you use your admin credentials to obtain temporary credentials for the target account, which expire after a period of time (one hour unless you ask for a different duration). To use it you need the ARN of the admin role in the target account, and you receive the credentials as a JSON response containing an access key id, a secret access key and a session token. That is not easy to memorize and can be time consuming to type. To make it fast, I put all the „mechanics“ in my script, which uses the awscli (pretty obvious) and the (quite handy) JSON parser „jq“ (a tool I don't want to miss anymore).
The usage of the script is as follows:
assume-role „name of target account“ „the command you want to execute, be it awscli, packer, terraform etc“
Depending on which account you choose as your target account, the script uses the correct role ARN, parses the JSON response, sets the according environment variables for the AWS access key (AWS_ACCESS_KEY_ID), secret (AWS_SECRET_ACCESS_KEY) and session token (AWS_SESSION_TOKEN) and then executes the rest of the command line as you provide it. Because the variables are only set for the executed command, the temporary credentials do not linger in your shell.
You can also use the script with accounts that require 2 Factor Authentication. You just have to configure the correct ARN of your MFA device (passed as the serial number to assume-role) and tell the script to ask for a valid MFA code, which is passed as the token code. The role in the customer account can enforce this on its side by requiring MFA in its trust policy, so that an assume-role call without a code is refused.
So, enough talking, my arm is getting numb, I just drop the script here.
(Attention: I have multiple accounts configured in my AWS config, so the script uses the „profile“ option of awscli. If you only have one profile, just delete that part.)
I think the script is pretty self-explanatory, no rocket science behind all this, but very helpful for our setup and my cli workflow.
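The author's script itself is not reproduced on this page. The following is an added example, not the original script, implementing the workflow described above: look up the role ARN for a friendly account name, call aws sts assume-role with the admin profile (optionally with an MFA device and code), turn the JSON response into exported environment variables with jq, and run the given command with those credentials. The account names, account ids, role name, profile name and MFA serial are placeholders (assumptions) to be replaced with your own; SAMPLE_STS_RESPONSE is a constructed response with made-up values, included only so the parsing step can be checked without calling AWS.

```bash
#!/usr/bin/env bash
# assume-role: run one command with temporary credentials for a customer account.
# Added example, not the author's script. Account names, role ARNs, profile name
# and MFA serial below are placeholders (assumptions): replace them with your own.
set -eu

ADMIN_PROFILE="${ADMIN_PROFILE:-admin}"       # profile in ~/.aws/config holding the admin credentials
MFA_SERIAL="${MFA_SERIAL:-}"                  # e.g. arn:aws:iam::111111111111:mfa/alice; empty = no MFA
SESSION_DURATION="${SESSION_DURATION:-3600}"  # seconds; 3600 is the STS default lifetime

# Friendly account name -> ARN of the admin role in that account (placeholder ids).
role_arn_for() {
    case "$1" in
        customer-a) echo "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole" ;;
        customer-b) echo "arn:aws:iam::333333333333:role/OrganizationAccountAccessRole" ;;
        *) echo "assume-role: unknown account '$1'" >&2; return 1 ;;
    esac
}

# stdin: JSON from `aws sts assume-role`; stdout: shell `export` lines.
# jq's @sh single-quotes every value, so the output is safe to eval.
credentials_to_exports() {
    jq -r '.Credentials
        | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId | @sh)",
          "export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey | @sh)",
          "export AWS_SESSION_TOKEN=\(.SessionToken | @sh)",
          "export AWS_CREDENTIAL_EXPIRATION=\(.Expiration | @sh)"'
}

# Calls STS with the admin profile; prompts for a TOTP code when MFA_SERIAL is set.
assume_role_json() {
    account="$1"
    role_arn="$(role_arn_for "$account")"
    set -- --profile "$ADMIN_PROFILE" sts assume-role \
           --role-arn "$role_arn" \
           --role-session-name "${USER:-cli}-$account" \
           --duration-seconds "$SESSION_DURATION" \
           --output json
    if [ -n "$MFA_SERIAL" ]; then
        printf 'MFA code for %s: ' "$MFA_SERIAL" >&2
        read -r mfa_code
        set -- "$@" --serial-number "$MFA_SERIAL" --token-code "$mfa_code"
    fi
    aws "$@"
}

# usage: run_in_account <account> <command...>
run_in_account() {
    [ "$#" -ge 2 ] || { echo "usage: assume-role <account> <command...>" >&2; return 2; }
    account="$1"; shift
    # Capture first: a failed STS call then aborts under set -e instead of eval'ing nothing.
    json="$(assume_role_json "$account")"
    # Subshell: the temporary credentials never leak into the caller's shell.
    (
        eval "$(printf '%s' "$json" | credentials_to_exports)"
        unset AWS_PROFILE   # env credentials already win over a profile; be explicit anyway
        exec "$@"
    )
}

# Constructed sample response with made-up values (not real credentials), for
# checking the parser offline:  printf '%s' "$SAMPLE_STS_RESPONSE" | credentials_to_exports
SAMPLE_STS_RESPONSE='{"Credentials":{"AccessKeyId":"ASIAEXAMPLEKEY","SecretAccessKey":"secret/with+slashes=","SessionToken":"IQoJb3JpZ2luX2VjEXAMPLE","Expiration":"2024-01-01T12:00:00+00:00"},"AssumedRoleUser":{"AssumedRoleId":"AROAEXAMPLE:alice-customer-a","Arn":"arn:aws:sts::222222222222:assumed-role/OrganizationAccountAccessRole/alice-customer-a"}}'

# Dispatch only when arguments are given, so the file can also be sourced.
[ "$#" -eq 0 ] || run_in_account "$@"
```

Usage is the same as described above, for example `assume-role customer-a aws s3 ls` or `MFA_SERIAL=arn:aws:iam::111111111111:mfa/alice assume-role customer-b terraform plan`. Two design choices worth keeping in your own version: the credentials are exported inside a subshell around `exec`, so nothing survives in the interactive shell once the command returns, and the STS output is captured into a variable before it is parsed, so a failed assume-role call (wrong ARN, expired MFA code, missing permission) stops the script instead of silently running the command with whatever credentials were already in the environment.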