vegas-credentials

command module
v0.14.4 Latest
Published: Sep 17, 2022 | License: Apache-2.0 | Imports: 4 | Imported by: 0

README

🚧 Work-in-Progress 🚀 ⁉️ Publish Plan
Since version v0.13.x this tool is considered "mostly stable": Breaking changes may occur if really needed but not arbitrarily. I'm hoping to release v1.0.0 during H2/2022. No commitments though!

Vegas Credentials

Much like spending a week in Las Vegas at AWS re:Invent, using multiple AWS tools (SDKs, CLI, CDK, Terraform, etc.) via the command line to assume IAM roles in different accounts with Multi-Factor Authentication can be an exhausting experience: vegas-credentials aims to simplify the credential process! And just like you shouldn't stay too long in Las Vegas at once, this tool only deals with temporary session credentials.

Vegas Credentials is a utility with a smooth user experience that plugs into AWS credential_process to assume IAM roles with TOTP MFA (with optional YubiKey Touch support) and to fetch, cache and refresh the assumed temporary session credentials.



Docs

For guides, examples and full documentation, go to https://credentials.vegas.


Install

Via Homebrew on macOS, GNU/Linux and Windows Subsystem for Linux (WSL):

brew install aripalo/tap/vegas-credentials

Via Scoop on Windows:

scoop bucket add aripalo https://github.com/aripalo/scoops.git && scoop install vegas-credentials

Configure

  1. Configure your source profile and its credentials. Most often this is the default profile, which you configure in ~/.aws/credentials:

    # ~/.aws/credentials
    [default]
    aws_access_key_id = AKIAIOSFODNN7EXAMPLE
    aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    
  2. Configure your source profile in config:

    # ~/.aws/config
    [default]
    mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra
    

    Note: if your source profile is not default, remember to add profile as a prefix (profile foo).

  3. Configure your target profile with credential_process into ~/.aws/config:

    # ~/.aws/config
    [profile frank@concerts]
    credential_process = vegas-credentials assume --profile=frank@concerts
    vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
    vegas_source_profile=default
    
    # You may also provide any other additional standard AWS configuration, such as:
    region = us-west-1
    duration_seconds = 4383
    role_session_name = SinatraAtTheSands
    external_id = 0093624694724
    

    Note: role_arn & source_profile must be prefixed with vegas_ to prevent AWS tooling from ignoring the credential_process setting and to prevent Terraform from failing.

  4. Use any AWS tooling that supports ini-based configuration with credential_process, like AWS CLI v2:

    aws sts get-caller-identity --profile frank@concerts
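
A pre-flight check for the configuration in steps 1 to 3, as an added example (not code from vegas-credentials): it flags target profiles that use unprefixed role_arn/source_profile or whose source profile has no mfa_serial. LintConfig and the sample config are hypothetical, and treating mfa_serial as required follows the steps above rather than documented behaviour of the tool.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed ~/.aws/config: the README's two profiles plus a broken one.
const sampleConfig = `[default]
mfa_serial = arn:aws:iam::111111111111:mfa/FrankSinatra
[profile frank@concerts]
credential_process = vegas-credentials assume --profile=frank@concerts
vegas_role_arn=arn:aws:iam::222222222222:role/SingerRole
vegas_source_profile=default
[profile broken]
credential_process = vegas-credentials assume --profile=broken
role_arn = arn:aws:iam::222222222222:role/SingerRole
`

// LintConfig (hypothetical helper) lists problems in vegas-credentials profiles.
func LintConfig(text string) (out []string) {
	cfg, sec := map[string]map[string]string{}, ""
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			sec = strings.TrimPrefix(strings.Trim(line, "[] "), "profile ")
			cfg[sec] = map[string]string{}
		} else if k, v, ok := strings.Cut(line, "="); ok && sec != "" && line[0] != '#' {
			cfg[sec][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	for name, p := range cfg {
		if !strings.Contains(p["credential_process"], "vegas-credentials") {
			continue // not a vegas-credentials target profile
		}
		if p["role_arn"] != "" || p["source_profile"] != "" {
			out = append(out, name+": role_arn/source_profile need the vegas_ prefix")
		}
		if src, ok := cfg[p["vegas_source_profile"]]; !ok || src["mfa_serial"] == "" {
			out = append(out, name+": source profile missing or has no mfa_serial")
		}
	}
	sort.Strings(out) // map iteration order is random; keep output stable
	return out
}

func main() {
	fmt.Println(strings.Join(LintConfig(sampleConfig), "\n"))
}
```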
    

Documentation

There is no documentation for this package.

Directories

Path / Synopsis
Package cmd defines all the spf13/cobra commands and their configuration.
internal
  app: Package app implements a common application struct with global configuration and a method per each CLI command.
  assumecfg: Package assumecfg implements loading & providing necessary configuration data required to perform AWS STS AssumeRole operations with MFA.
  cache: Package cache implements generic cache used throughout this application.
  msg
