Last active
October 3, 2022 02:18
Gist: brianredbeard/035ee1419bc38a0e2d854fb828d585d7

Revisions
brianredbeard revised this gist
Jan 7, 2019. 1 changed file with 9 additions and 0 deletions.
@@ -44,10 +44,19 @@ source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::12345 ## To unset these values: ### Manual Command ``` source <(env | awk -F= '/AWS/ {print "unset ", $1}') ``` ### BASH Alias What follows is a BASH alias which can be added to `.bash_profile`. Once in place, using the alias `UNSET_AWS` will unset all AWS environment variables. This uses a special quoting syntax which allows for the use of backslash escaped characters as per the ANSI C standard (see the `QUOTING` section of `man 1 bash` for more details). ``` alias UNSET_AWS=$'source <(env | awk -F= \' /AWS/ {print "unset ", $1} \')' ``` ## Links sub: http://wiki.bash-hackers.org/syntax/expansion/proc_subst
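Review bot: `.bash_profile` is only read by login shells, so the `UNSET_AWS` alias added in the "BASH Alias" block will not exist in a new terminal on systems whose terminal emulators start interactive non-login shells; say so, or point the reader at `.bashrc` (or have `.bash_profile` source `.bashrc`). Also worth one sentence next to the alias: unsetting the variables only removes the credentials from this shell, the STS credentials themselves stay valid until they expire, so this is cleanup rather than revocation.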
brianredbeard revised this gist
Jun 30, 2017. 1 changed file with 1 addition and 1 deletion.
@@ -45,7 +45,7 @@ source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::12345 ## To unset these values: ``` source <(env | awk -F= '/AWS/ {print "unset ", $1}') ``` ## Links
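Review bot: the pattern `/AWS/` in `awk -F= '/AWS/ {print "unset ", $1}'` is matched against the whole `NAME=value` line, not just the name, so any variable whose value happens to contain `AWS` (a `PATH` entry, a prompt string) gets an `unset` as well, and a multi-line value printed by `env` can yield `unset` lines built from value text. Anchoring on the name, `awk -F= '$1 ~ /^AWS_/ {print "unset", $1}'`, or listing shell variables directly with `compgen -A variable AWS_`, limits the command to the variables this document actually sets.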
brianredbeard revised this gist
Jun 30, 2017. 1 changed file with 3 additions and 1 deletion.
@@ -38,7 +38,9 @@ After this has occurred you will have received a set of temporary credentials wh ## Copy Paste Version: ``` source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "') ``` ## To unset these values:
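Review bot: since `source` executes whatever `jq` emits, the reason the fenced Copy Paste block is safe deserves a sentence beside it: `@sh "… \(.SessionToken) …"` applies `@sh` to each interpolated value, so the credential strings reach `export` as single-quoted shell literals rather than being re-parsed by bash. The space before the closing quote in `\(.SecretAccessKey) "` is harmless but unneeded.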
brianredbeard revised this gist
Jun 30, 2017. 1 changed file with 5 additions and 0 deletions.
@@ -40,6 +40,11 @@ After this has occurred you will have received a set of temporary credentials wh `source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')` ## To unset these values: ``` source <(env | awk -F= '/AWS/ {print "unset ", $1}' ``` ## Links sub: http://wiki.bash-hackers.org/syntax/expansion/proc_subst
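Review bot: the process substitution in the new "To unset these values" block is not closed: `source <(env | awk -F= '/AWS/ {print "unset ", $1}'` needs a trailing `)` after the awk program; as written bash reports an unexpected end of file (or sits at a continuation prompt interactively) instead of running it.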
brianredbeard revised this gist
Jun 29, 2017. 1 changed file with 3 additions and 3 deletions.
@@ -27,9 +27,9 @@ Below is an overexplained version of the following process: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | AWS Profile from Target Name of the role to assume Friendly | | ~/.aws/credentials Account # in the target account # Name | | ------------------ ---------- ---------------------------- --------- | | | | | | | | | | | source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | \ | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')
brianredbeard revised this gist
Jun 29, 2017. 1 changed file with 2 additions and 2 deletions.
@@ -26,8 +26,8 @@ Below is an overexplained version of the following process: Using process substitution[sub] create a temporary file descriptor which will hold the output of our "aws" command then pipelined[pipe] through jq ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | AWS Profile from Target Name of the role to assume Friendly | | ~/.aws/credentials Account # in the target account # Name | | ------------------ ---------- ---------------------------- -------- | | | | | | | | | | | source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | \ |
brianredbeard revised this gist
Jun 29, 2017. 1 changed file with 3 additions and 2 deletions.
@@ -28,12 +28,13 @@ Below is an overexplained version of the following process: | | | AWS Profile from Target Friendly | | ~/.aws/credentials Account # Name | | ------------------ ---------- ---------------------------- -------- | | | | | | | | | | | source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | \ | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "') ``` After this has occurred you will have received a set of temporary credentials what are good for one hour, one can validate this using the command `echo $AWS_ACCESS_KEY_ID`. Due to the nature of STS tokens, it should be different each time you acquire one ## Copy Paste Version:
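Review bot: "temporary credentials what are good for one hour" should read "which are good for one hour", and one hour is only the default: `assume-role` accepts `--duration-seconds`, bounded by the role's maximum session duration, and the response carries the exact expiry in `.Credentials.Expiration`, which is worth printing alongside the keys. `echo $AWS_ACCESS_KEY_ID` only shows that a variable was set; `aws sts get-caller-identity` confirms the CLI is really using the assumed role (the returned ARN should be `arn:aws:sts::123456789123:assumed-role/OrganizationAccountAccessRole/DevAccount`). The last sentence of the paragraph also lacks its full stop.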
brianredbeard revised this gist
Jun 29, 2017. 1 changed file with 6 additions and 3 deletions.
@@ -38,8 +38,11 @@ source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::12345 ## Copy Paste Version: `source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')` ## Links sub: http://wiki.bash-hackers.org/syntax/expansion/proc_subst pipe: http://wiki.bash-hackers.org/syntax/basicgrammar#pipelines [fifo]: https://web.archive.org/web/20170626193603/http://www.linuxjournal.com/article/2156
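Review bot: `sub:` and `pipe:` in the new "Links" section are not Markdown reference definitions (those need the bracketed form that `[fifo]:` on the same hunk uses), so `[sub]` and `[pipe]` in the body render as literal brackets rather than links; restore `[sub]:` and `[pipe]:`.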
brianredbeard revised this gist
Jun 29, 2017. 1 changed file with 3 additions and 3 deletions.
@@ -23,7 +23,7 @@ Below is an overexplained version of the following process: ``` Using process substitution[sub] create a temporary file descriptor which will hold the output of our "aws" command then pipelined[pipe] through jq ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | AWS Profile from Target Friendly | @@ -40,6 +40,6 @@ source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::12345 `source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')` sub: http://wiki.bash-hackers.org/syntax/expansion/proc_subst pipe: http://wiki.bash-hackers.org/syntax/basicgrammar#pipelines [fifo]: https://web.archive.org/web/20170626193603/http://www.linuxjournal.com/article/2156
brianredbeard revised this gist
Jun 29, 2017. 1 changed file with 1 addition and 1 deletion.
@@ -23,7 +23,7 @@ Below is an overexplained version of the following process: ``` Using process [substitution][sub] create a temporary file descriptor which will hold the output of our "aws" command then pipelined[pipe] through jq ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | AWS Profile from Target Friendly |
brianredbeard revised this gist
Jun 29, 2017. 1 changed file with 10 additions and 0 deletions.
@@ -1,3 +1,9 @@ ## About AWS provides a mechanism for temporarily assuming another role within their API system. While it is not a technically hard process it can be convoluted and hard to understand. This document aims to both make it easier to follow along with as well as give an in depth explanation of some of the underpinnings of the Bourne Again Shell (aka BASH) which can make this easier to utilize on a day to day basis. ## Explanation Below is an overexplained version of the following process: 1) Using credentials stored in `~/.aws/credentials` as a "profile" which are then understood by the AWS command line tools @@ -28,6 +34,10 @@ source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::12345 jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "') ``` ## Copy Paste Version: `source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')` [sub]: http://wiki.bash-hackers.org/syntax/expansion/proc_subst
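Review bot: `--role-session-name "DevAccount"` in the Copy Paste Version names the target, but the session name is what CloudTrail in the target account records as the `assumed-role/OrganizationAccountAccessRole/<session-name>` principal, so the new About section should recommend a value that identifies the caller (the operator's user name, for instance) to keep actions attributable, especially for a role as broad as OrganizationAccountAccessRole.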
brianredbeard created this gist
Jun 29, 2017.
@@ -0,0 +1,35 @@ Below is an overexplained version of the following process: 1) Using credentials stored in `~/.aws/credentials` as a "profile" which are then understood by the AWS command line tools 2) Using those AWS credentials, temporarily assume a role using the AWS Security Token Service (STS) to get temporary credentials corresponding to a role in another account 3) Taking the JSON output of that AWS STS API response and parsing out the relevant values to create a series of Bourne Again Shell (bash) commands to provide access to the role via the AWS CLI commands 4) Placing the generated bash commands into a temporary file using a "first in first out special file" ([FIFO][fifo], also known as a "named pipe"). We are doing this because the subsequent command (`source`) _cannot take input via a pipeline and should use a file argument_. 5) Read and execute the commands from the temporary file descriptor in our *current environment*, thus exporting the following variables, which (similar to `AWS_PROFILE` are understood by the underlying libraries used by the `aws` command): - `AWS_SESSION_TOKEN` - `AWS_ACCESS_KEY_ID` - `AWS_SECRET_ACCESS_KEY` ``` Using process substitution[sub] create a temporary file descriptor which will hold the output of our "aws" command then pipelined[pipe] through jq ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | AWS Profile from Target Friendly | | ~/.aws/credentials Account # Name | | ------------------ ---------- -------- | | | | | | | | | source <(AWS_PROFILE=redbeard aws sts assume-role --role-arn arn:aws:iam::123456789123:role/OrganizationAccountAccessRole --role-session-name "DevAccount" | \ | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "') ``` [sub]: 
http://wiki.bash-hackers.org/syntax/expansion/proc_subst [pipe]: http://wiki.bash-hackers.org/syntax/basicgrammar#pipelines [fifo]: https://web.archive.org/web/20170626193603/http://www.linuxjournal.com/article/2156
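Review bot: `AWS_PROFILE=redbeard` only selects the profile when no credential environment variables are set; `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` take precedence over the shared credentials file in the CLI's credential chain, so running this command a second time in the same shell makes the `assume-role` call with the previously assumed temporary credentials (role chaining, which caps the new session at one hour and requires the assumed role itself to be allowed `sts:AssumeRole`) rather than with the redbeard profile. Either unset the three variables first or pass `--profile redbeard`, which overrides environment credentials. Step 4 also slightly misdescribes `<( … )`: bash hands `source` a `/dev/fd/N` path where that is available and falls back to a named pipe elsewhere, so nothing is written to a temporary file; that is precisely why `source` can treat it as a file argument.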