awsdo is a tool to do anything using AWS temporary credentials.
awsdo does anything with temporary credentials generated using aws sts get-session-token and aws sts assume-role.
$ AWS_PROFILE=myaws awsdo -- terraform apply
Enter MFA code for arn:aws:iam::111111111111:mfa/k1low: 123456
[...]When awsdo is executed with no arguments, awsdo outputs shell script to export AWS credentials environment variables like aswrap.
$ AWS_PROFILE=myaws awsdo
Enter MFA code for arn:aws:iam::111111111111:mfa/k1low: 123456
export AWS_REGION=ap-northeast-1
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=vl/Zv5hGxdy1DPh7IfpYwP/YKU8J6645...
export AWS_SESSION_TOKEN=FwoGZXIYXdGUaFij9VStcW9fcbuKCKGAWjLxF/3hXgGSoemniFV...If you want to set credentials in a current shell by eval, you can use --token-code to set the MFA token code.
$ eval "$(awsdo --profile myaws --token-code 123456)"Login to the AWS management console from a terminal using generaged login link by awsdo.
$ AWS_PROFILE=myaws awsdo --loginiam:ListMFADevicessts:AssumeRolests:GetSessionToken
- Load
~/.aws/credentialsand~/.aws/config. - Get temporary credentials.
- If
--role-arnis set,awsdotries to assume role (sts:AssumeRole).awsdotries to get the MFA device serial number (iam:ListMFADevices).- If
awsdoget MFA device serial number, it uses multi-factor authentication. - Get temporary credentials.
- If the section has
role_arn,awsdotries to assume role (sts:AssumeRole).- Find profile ( section of
AWS_PROFILEor--profile). - If the section does not have
mfa_serial,awsdotries to get the MFA device serial number (iam:ListMFADevices). - If
awsdoget MFA device serial number, it uses multi-factor authentication. - Get temporary credentials.
- Find profile ( section of
- Else,
awsdotry to get session token (sts:getSessionToken).- Find profile ( section of
AWS_PROFILEor--profile). - If the section does not have
mfa_serial,awsdotries to get the MFA device serial number (iam:ListMFADevices). - If
awsdoget MFA device serial number, it uses multi-factor authentication. - Get temporary credentials.
- Find profile ( section of
- If
- Set the temporary credentials to environment variables and execute command or export environment variables.
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SESSION_TOKENAWS_REGION
name: AWS example workflow
on:
push
permissions:
id-token: write
contents: read
jobs:
assumeRole:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/example-role
aws-region: ${{ secrets.AWS_REGION }}
- name: Run as ${{ secrets.AWS_ACCOUNT }}
run: |
aws sts get-caller-identity
- name: Setup awsdo
run: |
export AWSDO_VERSION=X.X.X
curl -L https://git.io/dpkg-i-from-url | bash -s -- https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.deb
- name: Run as ${{ secrets.AWS_ANOTHER_ACCOUNT }} using awsdo
run: |
awsdo --role-arn=arn:aws:iam::${{ secrets.AWS_ANOTHER_ACCOUNT }}:role/another-example-role -- aws sts get-caller-identitydeb:
$ export AWSDO_VERSION=X.X.X
$ curl -o awsdo.deb -L https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.deb
$ dpkg -i awsdo.debRPM:
$ export AWSDO_VERSION=X.X.X
$ yum install https://github.com/k1LoW/awsdo/releases/download/v$AWSDO_VERSION/awsdo_$AWSDO_VERSION-1_amd64.rpmhomebrew tap:
$ brew install k1LoW/tap/awsdoaqua:
$ aqua g -i k1LoW/awsdomanually:
Download binary from releases page
go install:
$ go install github.com/k1LoW/awsdo@latest