11# setup-new-aws-user
22
3- This script creates a virtual MFA device and rotates access keys for a new AWS user.
3+ This tool is used to grant programmatic access to AWS account(s) that aren't
4+ backed by SAML federation or SSO. It works by taking a temporary set of AWS
5+ access keys for a new IAM user. It then generates a virtual MFA device and permanent
6+ set of access keys. Finally, it removes the temporary access keys.
47
58## Installation
69
7- For OSX Homebrew:
10+ For Mac OS Homebrew:
811
912``` shell
1013brew tap trussworks/tap
@@ -13,63 +16,53 @@ brew install setup-new-aws-user
1316
1417## Usage
1518
16- The script accepts a number of arguments, either as environment variables or
17- command-line flags:
18-
19- ``` text
20- Usage:
21- main [OPTIONS]
22- Application Options:
23- --region= The AWS region (default: us-west-2) [$AWS_REGION]
24- --account-id= The AWS account number [$AWS_ACCOUNT_ID]
25- --profile= The AWS profile name [$AWS_PROFILE]
26- --iam-user= The IAM user name
27- --role= The user role type
28- --output= The AWS CLI output format (default: json)
29- Help Options:
30- -h, --help Show this help message
31- ```
19+ ### Prerequisites
20+
21+ Before running this tool, you will need to following pieces of information
22+
23+ * IAM role - This is the IAM Role with permissions allowing access to AWS APIs
24+ and services. This is usually something like ` admin ` or ` engineer ` .
25+ * IAM user name - This is your IAM username.
26+ * AWS profile - This is the name that populates your ` ~/.aws/config ` profile
27+ name. It is usually the name of the aws account alias you are trying to access.
28+ * AWS account Id - This is the 12-digit account number of the AWS account you
29+ are trying to access.
30+ * Temporary AWS access keys - These should be given to you by an administrator
31+ of the AWS account you are trying to access. The tool will prompt you for
32+ the access key id and secret access key.
3233
33- For the arguments that accept either an environment variable or command-line
34- flag, the environment variable takes precedence if both are provided due to the
35- way go-flags works.
36-
37- ### Setup new IAM user
38-
39- 1 . Have admin user run through
40- [ these instructions] ( https://github.com/trussworks/legendary-waddle/blob/master/docs/how-to/setup-new-user.md#existing-admin-user-does-this )
41- in legendary-waddle repo to generate access keys.
42- 1 . Set ` AWS_ACCOUNT_ID ` and ` AWS_PROFILE ` variables in one of three ways:
43- - Save to an .envrc.local file
44- - Set them as local environment variables on your terminal, or
45- - Pass them through as flags when you run this script
46- (i.e.
47- ` go run cmd/main.go --role <ROLE> --iam-user <USER> --profile=<AWS_PROFILE> --account-id=<AWS_ACCOUNT_ID> ` )
48- 1 . Run the setup-new-user script: ` go run cmd/main.go --role <ROLE> --iam_user <USER> `
49- 1 . Enter the access keys generated when prompted.
50- 1 . The script will display a QR code for an MFA device at some point.
51- Create an entry in your 1Password account with a One Time Password (OTP)
34+ ## Running the tool
35+
36+ 1 . Run the setup-new-user - ` setup-new-aws-user --role <IAM_ROLE> --iam_user <USER> --profile=<AWS_PROFILE> --account-id=<AWS_ACCOUNT_ID> `
37+ 2 . Enter the access keys generated when prompted.
38+ 3 . The script will display a QR code for an MFA device at some point.
39+ 4 . Create an entry in your 1Password account with a One Time Password (OTP)
5240field and be ready to scan it with the 1Password app.
53- Currently works only with mobile app.
5441
55- - ** NOTE** You will be asked for your MFA (TOTP) tokens three times while
42+ ** NOTE** You will be asked for your MFA (TOTP) tokens three times while
5643validating the new virtual MFA device and rotating your access keys.
5744** Take care not to use the same token
5845more than once** , as this will cause the process to fail.
5946
60- ## Dev setup
47+ ## Development setup
6148
62- 1 . First, install these packages:
63- - ` brew install pre-commit `
64- - ` brew install direnv `
65- 1 . Next, clone the project repository.
66- 1 . Finally, run these commands inside the local repo:
67- - ` pre-commit install --install-hooks `
68- - ` direnv allow `
69- 1 . The ` .envrc ` will be loaded if ` direnv ` is installed.
49+ 1 . First, install these packages: ` brew install pre-commit direnv go `
50+ 2 . Next, clone the project repository.
51+ 3 . Finally, run these commands inside the local repo: ` direnv allow `
52+ 4 . The ` .envrc ` will be loaded if ` direnv ` is installed.
7053
7154### Testing
7255
56+ #### Unit Tests
57+
58+ Run pre-commit and Go tests
59+
60+ ``` shell
61+ make test
62+ ```
63+
64+ #### Integration / End 2 End Testing
65+
7366For testing, create a test IAM user so as not to interfere with your primary
7467user credentials and AWS config settings. The test user will need the
7568` enforce-mfa ` policy and permission to assume whichever role being assigned.
0 commit comments