Skip to content
/ vegas-credentials Public

AWS credential_process utility to assume AWS IAM Roles with Yubikey Touch and Authenticator App TOTP MFA to provide temporary session credentials; With encrypted caching and support for automatic credential refresh.

credentials.vegas/

License

Apache-2.0 license
22 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

aripalo/vegas-credentials

BranchesTags

Repository files navigation

🚧 Work-in-Progress 🚀 ⁉️ Publish Plan
Since version v0.13.x this tool is considered "mostly stable": Breaking changes may occur if really needed but not arbitrarily. I'm hoping to release v1.0.0 during H2/2022. No commitments though!

Vegas Credentials

Much like spending a week in Las Vegas at AWS re:Invent, using multiple AWS tools (SDKs, CLI, CDK, Terraform, etc) via command-line to assume IAM roles in different accounts with Multi-Factor Authentication can be an exhausting experience: vegas-credentials aims to simplify the credential process! And just like you shouldn't stay too long in Las Vegas at once, this tool only deals with temporary sesssion credentials.

Vegas Credentials is an utility with smooth user experience that plugs into AWS credential_process to assume IAM Roles with TOTP MFA (with optional Yubikey Touch support) to fetch, cache and refresh assumed temporary session credentials.


build Coverage Maintainability Rating Security Rating Vulnerabilities


Docs

For guides, examples and full documentation, go to https://credentials.vegas.


Install

Via Homebrew on MacOS, GNU/Linux and Windows Subsystem for Linux (WSL):

brew install aripalo/tap/vegas-credentials

Via Scoop on Windows:

scoop bucket add aripalo https://github.com/aripalo/scoops.git && scoop install vegas-credentials

Configure

  1. Configure your source profile and its credentials, most often it's the default one which you configure into ~/.aws/credentials:

    # ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  2. Configure your source profile in config:

    # ~/.aws/config
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra

    Note: if your source profile is not default, remember to add profile as prefix (profile foo)

  3. Configure your target profile with credential_process into ~/.aws/config:

    # ~/.aws/config
[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile=default

# You may also provide any other additional standard AWS configuration, such as:
region = us-west-1
duration_seconds = 4383
role_session_name = SinatraAtTheSands
external_id = 0093624694724

    Note: role_arn & source_profile must be prefixed with vegas_ to prevent AWS tooling to ignore credential_process setting and to prevent Terraform failing.

  4. Use any AWS tooling that support ini-based configuration with credential_process, like AWS CLI v2:

    aws sts get-caller-identity --profile frank@concerts

About

AWS credential_process utility to assume AWS IAM Roles with Yubikey Touch and Authenticator App TOTP MFA to provide temporary session credentials; With encrypted caching and support for automatic credential refresh.

credentials.vegas/

Topics

aws security iam yubikey amazon-web-services mfa credential-provider multifactor-authentication ykman credential-helper credential-process

Resources

Readme

License

Apache-2.0 license
Activity

Stars

22 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases 49

v0.14.4 Latest
Sep 17, 2022
+ 48 releases

Contributors 4

  •  
  •  
  •  
  •  

Languages