Awesome
AWS credential profile changer
Excerpt from IAM Best Practices:
Delegate by using roles instead of by sharing credentials
You might need to allow users from another AWS account to access resources in your AWS account. If so, don't share security credentials, such as access keys, between accounts. Instead, use IAM roles. You can define a role that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts the IAM users are allowed to assume the role.
To make process of switching profiles (environment variables AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
among others) it is handy to use the code provided on this repo.
Features
- Autocomplete of available profiles (
awsp + tab + tab
) - Support configurable location of credentials file (
AWS_SHARED_CREDENTIALS_FILE
environment variable) - Full compatibility with official AWS CLI
- Assume roles which require MFA
- Integration with aws-vault to prevent secrets from storing in plain-text
Install
- jq should be installed
- Download awsp_functions.sh anywhere you like (for example,
~/awsp_functions.sh
) and make it executable:
$ wget -O ~/awsp_functions.sh https://raw.githubusercontent.com/antonbabenko/awsp/master/awsp_functions.sh
$ chmod +x ~/awsp_functions.sh
- Depending on which version of shell you use, edit
~/.bash_profile
or similar to include:source ~/awsp_functions.sh
- (Optional) Enable aliases and auto-completion into your
~/.bash_profile
or similar:
alias awsall="_awsListProfile"
alias awsp="_awsSetProfile"
alias awswho="aws configure list"
complete -W "$(cat $HOME/.aws/credentials | grep -Eo '\[.*\]' | tr -d '[]')" _awsSwitchProfile
complete -W "$(cat $HOME/.aws/config | grep -Eo '\[.*\]' | tr -d '[]' | cut -d " " -f 2)" _awsSetProfile
Examples
Content of ~/.aws/config
:
[company-anton]
aws_access_key_id=EXAMPLEACCESSKEY
aws_secret_access_key=EXAMPLESECRETACCESSKEY
[company-staging-anton]
role_arn=arn:aws:iam::222222222222:role/company-staging
source_profile=company-anton
[company-production-anton]
role_arn=arn:aws:iam::111111111111:role/company-production
source_profile=company-anton
mfa_serial=arn:aws:iam::333333333333:mfa/anton
To change AWS profile to use staging account (222222222222):
$ awsp company-staging-anton
To change AWS profile to use production account (111111111111) which requires MFA token created in IAM account (333333333333, company-anton
):
$ awsp company-production-anton
# Please enter your MFA token for arn:aws:iam::333333333333:mfa/anton
> 123456
Notes
-
This code has been tested only on Mac and there are no intentions to make it to work on other systems (if necessary)!
-
To avoid storing AWS secrets in plain text you can use aws-vault, while keeping the same
awsp
script to switch roles.
Authors
Created by Anton Babenko with inspiration from several code snippets
License
Apache 2 Licensed. See LICENSE for full details.