Skip to content

Instantly share code, notes, and snippets.

@ryo0301
Last active March 17, 2016 09:14
Show Gist options
  • Save ryo0301/143598a2d05d90b6201b to your computer and use it in GitHub Desktop.
Save ryo0301/143598a2d05d90b6201b to your computer and use it in GitHub Desktop.
MacからAWSにアクセスする時はAssumeRoleすることにした ref: http://qiita.com/ryo0301/items/0730e4b1068707a37c31
begin
require 'aws-sdk-core'
rescue LoadError
else
# aws.rb may already have been initialized
Aws.config[:region] ||= 'ap-northeast-1'
Pry::Commands.import(Pry::CommandSet.new {
block_command 'aws-assume-role' do |role_name, external_id, token_code|
system "~/bin/aws-assume-role #{role_name} #{external_id} #{token_code}"
end
})
end
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::XXXXXXXXXXXX:role/read-only",
"arn:aws:iam::XXXXXXXXXXXX:role/power-user"
]
}
]
}
#!/bin/sh
set -e
role_name=$1
external_id=$2
token_code=$3
profile=$role_name
cmd="aws sts assume-role"
cmd="$cmd --role-arn arn:aws:iam::XXXXXXXXXXXX:role/$role_name"
cmd="$cmd --role-session-name in-office"
cmd="$cmd --external-id $external_id"
if [ -n "$token_code" ]; then
cmd="$cmd --serial-number arn:aws:iam::XXXXXXXXXXXX:mfa/my-user"
cmd="$cmd --token-code $token_code"
fi
creds=$($cmd)
access_key_id=$(echo $creds | jq --raw-output .Credentials.AccessKeyId)
secret_access_key=$(echo $creds | jq --raw-output .Credentials.SecretAccessKey)
session_token=$(echo $creds | jq --raw-output .Credentials.SessionToken)
aws configure set region ap-northeast-1 --profile $profile
aws configure set aws_access_key_id $access_key_id --profile $profile
aws configure set aws_secret_access_key $secret_access_key --profile $profile
aws configure set aws_session_token $session_token --profile $profile
aws configure list --profile $profile
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/my-user"
]
}
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/my-user"
]
}
$ aws sts assume-role \
> --role-arn arn:aws:iam::XXXXXXXXXXXX:role/power-user \
> --role-session-name in-office \
> --external-id hogehoge \
> --serial-number arn:aws:iam::XXXXXXXXXXXX:mfa/my-user \
> --token-code XXXXXX
{
"AssumedRoleUser": {
"AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXX:in-office",
"Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/power-user/in-office"
},
"Credentials": {
"SecretAccessKey": "XXXXXXXXXX...",
"SessionToken": "XXXXXXXXXX...",
"Expiration": "2015-01-22T03:16:56Z",
"AccessKeyId": "XXXXXXXXXXXXXXXXXXXX"
}
}
$ aws-assume-role power-user hogehoge XXXXXX
Name Value Type Location
---- ----- ---- --------
profile power-user manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
$ aws ec2 describe-regions --profile power-user
$ aws-assume-role read-only hogehoge
Name Value Type Location
---- ----- ---- --------
profile read-only manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
$ aws ec2 describe-regions --profile read-only
$ aws.rb --region ap-northeast-1
Aws> assumed_role = Aws::AssumeRoleCredentials.new(
Aws| role_arn: 'arn:aws:iam::XXXXXXXXXXXX:role/power-user',
Aws| role_session_name: 'in-office',
Aws| external_id: 'hogehoge',
Aws| serial_number: 'arn:aws:iam::XXXXXXXXXXXX:mfa/my-user',
Aws| token_code: 'XXXXXX'
Aws| )
Aws> assumed_role.credentials.access_key_id
"XXXXXXXXXXXXXXXXXXXX"
Aws> assumed_role.credentials.secret_access_key
"XXXXXXXXXX..."
Aws> assumed_role.credentials.session_token
"XXXXXXXXXX..."
$ aws-assume-role power-user hogehoge XXXXXX
Name Value Type Location
---- ----- ---- --------
profile power-user manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
$ aws ec2 describe-regions --profile power-user
$ aws-assume-role read-only hogehoge
Name Value Type Location
---- ----- ---- --------
profile read-only manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
$ aws ec2 describe-regions --profile read-only
$ aws.rb --region ap-northeast-1
Aws> assumed_role = Aws::AssumeRoleCredentials.new(
Aws| role_arn: 'arn:aws:iam::XXXXXXXXXXXX:role/power-user',
Aws| role_session_name: 'in-office',
Aws| external_id: 'hogehoge',
Aws| serial_number: 'arn:aws:iam::XXXXXXXXXXXX:mfa/my-user',
Aws| token_code: 'XXXXXX'
Aws| )
Aws> assumed_role.credentials.access_key_id
"XXXXXXXXXXXXXXXXXXXX"
Aws> assumed_role.credentials.secret_access_key
"XXXXXXXXXX..."
Aws> assumed_role.credentials.session_token
"XXXXXXXXXX..."
$ aws.rb --region ap-northeast-1
Aws> aws-assume-role power-user hogehoge XXXXXX
Name Value Type Location
---- ----- ---- --------
profile power-user manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
Aws> ec2 = Aws::EC2::Client.new profile: 'power-user'
#<Aws::EC2::Client>
Aws> ec2.describe_regions.regions[0]
[Aws::EC2::Client 200 0.119853 0 retries] describe_regions()
{
:region_name => "eu-central-1",
:endpoint => "ec2.eu-central-1.amazonaws.com"
}
Aws> aws-assume-role read-only hogehoge
Name Value Type Location
---- ----- ---- --------
profile read-only manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
Aws> ec2 = Aws::EC2::Client.new profile: 'read-only'
#<Aws::EC2::Client>
$ aws.rb --region ap-northeast-1
Aws> aws-assume-role power-user hogehoge XXXXXX
Name Value Type Location
---- ----- ---- --------
profile power-user manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
Aws> ec2 = Aws::EC2::Client.new profile: 'power-user'
#<Aws::EC2::Client>
Aws> ec2.describe_regions.regions[0]
[Aws::EC2::Client 200 0.119853 0 retries] describe_regions()
{
:region_name => "eu-central-1",
:endpoint => "ec2.eu-central-1.amazonaws.com"
}
Aws> aws-assume-role read-only hogehoge
Name Value Type Location
---- ----- ---- --------
profile read-only manual --profile
access_key ****************XXXX shared-credentials-file
secret_key ****************XXXX shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
Aws> ec2 = Aws::EC2::Client.new profile: 'read-only'
#<Aws::EC2::Client>
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "hogehoge"
},
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
}
]
}
# In ~/.aws/credentials:
[development]
aws_access_key_id = foo
aws_access_key_id = bar
# In ~/.aws/config
[profile crossaccount]
role_arn = arn:aws:iam:...
source_profile = development
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment