Assume IAM roles through an AWS Bastion account with MFA via the command line.
AWS Bastion accounts store only IAM users providing a central, isolated account to manage their credentials and access. Trusting AWS accounts create IAM roles that the Bastion users can assume, to allow a single user access to multiple accounts resources. Under this setup, assume-role makes it easier to follow the standard security practices of MFA and short lived credentials.
assume-role requires jq and aws CLI tools to be installed.
-
Clone Repository
-
For easier updates create a symlink from your repository
assume-roleorassume-role-oktafile to/usr/local/bin/<assume-role>Example
ln -s <Git-Repository>/assume-role-okta /usr/local/bin/assume-role-okta
-
Add execution permissions
chmod +x <Git-Repository>/assume-role-okta
Make sure that credentials for your AWS bastion account are stored in ~/.aws/credentials.
Out of the box you can call assume-role like:
eval $(assume-role account-id role mfa-token)If your shell supports bash functions (e.g. zsh) then you can add source $(which assume-role) to your rc file (e.g. ~/.zshrc), then you can call assume-role like:
If you want to have a autocompleter for the accounts from your aws-config add the following at the beginning of your .zshrc file:
Copy/link zsh function
ln -s <Git-Repository>/_assume_role ~/zsh_functions/_assume_rolefpath=(~/zsh_functions $fpath)
autoload -U compinit
compinitIf you are using oh-my-zsh, a nice way to integrate this into the powerline segments (the relevant one being the custom_assume_role, the other segmenst are merely an example) would be to do the following:
- Follow general assume-role instructions
- Setup oh-my-zsh normally
- Install Powerlevel10k Theme (https://github.com/romkatv/powerlevel10k#oh-my-zsh)
- Configure p10k (https://github.com/romkatv/powerlevel10k#get-started)
p10k configure- Add the following to your .zshrc
source $(which assume-role)
export POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(root_indicator context dir dir_writable rbenv chruby nodeenv pyenv aws custom_assume_role vcs)
export POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(status command_execution_time background_jobs detect_virt disk_usage load ram time)
export POWERLEVEL9K_CUSTOM_ASSUME_ROLE="echo \$AWS_ACCOUNT_NAME"
export POWERLEVEL9K_CUSTOM_ASSUME_ROLE_FOREGROUND="black"
export POWERLEVEL9K_CUSTOM_ASSUME_ROLE_BACKGROUND="yellow"
ZSH_THEME="powerlevel9k/powerlevel9k"For bash you could put the following in your .bash_profile file:
source $(which assume-role)
function aws_account_info {
[ "$AWS_ACCOUNT_NAME" ] && [ "$AWS_ACCOUNT_ROLE" ] && echo -n "aws:($AWS_ACCOUNT_NAME:$AWS_ACCOUNT_ROLE) "
}
PROMPT_COMMAND='aws_account_info'You have to install ykman for your distribution
If you want to use your YubiKey as MFA, there is the feature to use the oath Feature of Yubikey:
You have to add your MFA Hash to oath:
ykman oath add -t NameOfYourChoice <YOUR_BASE_32_KEY>After that you can add the following ENV Variable to your profile:
export YUBIKEY_MFA="NameOfYourChoice"Now, when assume-role needs a MFA it will ask you to Touch your YubiKey