This is a small utility that makes it easier to use the aws sts assume-role command:
On OS X, the best way to get it is to use homebrew:
brew install remind101/formulae/assume-roleIf you have a working Go 1.6 environment:
$ go get -u github.com/remind101/assume-roleThe first step is to setup "aliases" of the roles to assume, this is done in a yaml formatted configuration file in ~/.aws/roles.
Example
prod:
role: arn:aws:iam::1234:role/SuperUser
mfa: arn:aws:iam::5678:mfa/eric-holmes # Enable MFA for this role. Note that this should be the MFA device in the account that you're assuming FROM, not the account you're assuming TO.
stage:
role: arn:aws:iam::9012:role/SuperUserPerform an action as the given IAM role:
$ assume-role stage aws iam get-userThe command provided after the role will be executed with the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables set.
If the role requires MFA, you will be asked for the token first:
$ assume-role prod aws iam get-user
MFA code: 123456If no command is provided, assume-role will output the temporary security credentials:
$ assume-role prod
export AWS_ACCESS_KEY_ID="ASIAI....UOCA"
export AWS_SECRET_ACCESS_KEY="DuH...G1d"
export AWS_SESSION_TOKEN="AQ...1BQ=="
export AWS_SECURITY_TOKEN="AQ...1BQ=="
# Run this to configure your shell:
# eval $(assume-role prod)- Cache credentials.