README.md
Lines changed: 17 additions & 9 deletions
@@ -27,20 +27,22 @@ brew cask install aws-vault
27
27
28
28
Before running this tool, you will need to following pieces of information
29
29
30
-
* IAM role - This is the IAM Role with permissions allowing access to AWS APIs
31
-
and services. This is usually something like `admin` or `engineer`.
32
-
* IAM user name - This is your IAM username.
30
+
* IAM role name - This is the IAM Role with permissions allowing access to AWS APIs
31
+
and services. This is usually something like `admin` or `engineer`. Use the flag
32
+
`--iam-role` with this value.
33
+
* IAM user name - This is your IAM username. Use the flag `--iam-user` with this value.
33
34
* AWS profile - This is the name that populates your `~/.aws/config` profile
34
35
name. It is usually the name of the aws account alias you are trying to access.
36
+
Use the flag name `--aws-profile` with this value.
35
37
* AWS account Id - This is the 12-digit account number of the AWS account you
36
-
are trying to access.
38
+
are trying to access. Use the flag `--aws-account-id` with this value.
37
39
* Temporary AWS access keys - These should be given to you by an administrator
38
40
of the AWS account you are trying to access. The tool will prompt you for
39
41
the access key id and secret access key.
40
42
41
43
## Running the tool
42
44
43
-
1. Run the setup-new-user - `setup-new-aws-user setup --iam-role <IAM_ROLE> --iam-user <USER> --profile=<AWS_PROFILE> --account-id=<AWS_ACCOUNT_ID>`
45
+
1. Run the setup-new-user script - `setup-new-aws-user setup --iam-role <IAM_ROLE> --iam-user <USER> --aws-profile=<AWS_PROFILE> --aws-account-id=<AWS_ACCOUNT_ID>`
44
46
2. Enter the access keys generated when prompted.
45
47
3. The script will open a window with a QR code, which you will use to configure a temporary one time password (TOTP).
46
48
4. You'll then need to create a new entry in your 1Password account configure it with a TOTP field.
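Review bot: the wording introducing the new flags is inconsistent within this hunk: the AWS profile bullet says "Use the flag name `--aws-profile` with this value" while the other three bullets say "Use the flag `--iam-role`", "Use the flag `--iam-user`" and "Use the flag `--aws-account-id`"; drop "name" so all four read the same. Since this hunk renames `--profile` and `--account-id` to `--aws-profile` and `--aws-account-id` in the usage line, the CLI flag definitions (not part of this diff) should be confirmed to match, otherwise the README will document flags the tool rejects. Two typos on unchanged context lines could be picked up in the same reflow: "you will need to following pieces of information" should read "the following", and step 4 "create a new entry in your 1Password account configure it with a TOTP field" is missing "and" before "configure".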
@@ -49,13 +51,18 @@ Before running this tool, you will need to following pieces of information
49
51
7. Once the tool has completed, you should be able to access the AWS account. You can run the following command filling in the AWS_PROFILE value
50
52
51
53
```shell
52
-
aws-vault exec AWS_PROFILE -- aws sts get-session
54
+
aws-vault exec$AWS_PROFILE -- aws sts get-session
53
55
```
54
56
55
57
## How this tool modifies your ~/.aws/config
56
58
57
-
While your AWS access keys are stored in a password protected keychain managed by `aws-vault`, the configuration for how you should access AWS accounts lives in ~/.aws/config. The setup-new-aws-user tool creates two profiles your `~/.aws/config`. The first is the base profile containing your long lived AWS Access Keys and is tied to your IAM user and MFA device. Since these keys are long lived, you should be rotating them regularly with `aws-vault rotate`. The second profile is the IAM role granting you elevated access to the AWS account. Typically these IAM roles are named `admin` or `engineer` and only uses temporary credentials leveraging AWS's Security Token Service (STS). Below is an example config generated from this tool.
58
-
59
+
While your AWS access keys are stored in a password protected keychain managed by `aws-vault`, the configuration for
60
+
how you should access AWS accounts lives in ~/.aws/config. The setup-new-aws-user tool creates two profiles your
61
+
`~/.aws/config`. The first is the base profile containing your long lived AWS Access Keys and is tied to your IAM user
62
+
and MFA device. Since these keys are long lived, you should be rotating them regularly with `aws-vault rotate`.
63
+
The second profile is the IAM role granting you elevated access to the AWS account. Typically these IAM roles are
64
+
named `admin` or `engineer` and only uses temporary credentials leveraging AWS's Security Token Service (STS).
65
+
Below is an example config generated from this tool.
59
66
60
67
```ini
61
68
[profile corp-id-base]
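Review bot: the rewritten verification command drops the space between `exec` and the profile: `aws-vault exec$AWS_PROFILE -- aws sts get-session` makes the shell concatenate the two words, so `aws-vault` receives a single subcommand such as `exectest-profile` instead of `exec` plus an argument, and the command fails. It should read `aws-vault exec $AWS_PROFILE -- aws sts get-session`; and since the sentence above says to fill in the AWS_PROFILE value, either keep it as a plain placeholder (`aws-vault exec <AWS_PROFILE> -- ...`) or say explicitly that `$AWS_PROFILE` is a shell variable the reader must export first. Also double-check the subcommand itself: the AWS CLI's STS commands are `get-session-token` and `get-caller-identity`, and `get-session` on its own is not one I can find; `aws sts get-caller-identity` is the usual smoke test for a working profile. Finally, the reflowed paragraph carries over two grammar slips that were in the original line: "creates two profiles your `~/.aws/config`" is missing "in", and "these IAM roles ... only uses temporary credentials" should be "use".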
@@ -85,6 +92,7 @@ output=json
85
92
Run pre-commit and Go tests
86
93
87
94
```shell
95
+
pre-commit run -a
88
96
make test
89
97
```
90
98
@@ -101,7 +109,7 @@ use the real AWS account ID.
101
109
Example:
102
110
103
111
```shell
104
-
go run cmd/main.go setup --iam-role engineer --iam-user testuser --account-id 123456789012 --profile test-profile-name
112
+
go run cmd/main.go setup --iam-role engineer --iam-user testuser --aws-profile test-profile-name --aws-account-id 123456789012
105
113
```
106
114
107
115
After running the script, try a command to ensure the new profile works as
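Review bot: the updated example passes values space-separated (`--aws-profile test-profile-name --aws-account-id 123456789012`) while the usage line in the first hunk uses the `=` form (`--aws-profile=<AWS_PROFILE> --aws-account-id=<AWS_ACCOUNT_ID>`). If the CLI's flag parser accepts both, pick one form for the README so readers are not left wondering whether `=` is required; the flag names themselves are now consistent with the rest of the document, which is the important part of this change.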