服务
关于
CloudProse博客

2016年4月2日,星期六

更新: Windows用户好消息!您现在可以使用此 AWSume脚本 在Windows上也是如此。

在Trek10,我们与许多客户合作,因此定期(每天)与多个AWS账户合作。我们需要一种方法来简化我们所有不同帐户的管理。我们在可以假定的客户帐户中创建标准的Trek10管理员角色。为了安全起见,我们要求角色承担者启用多因素身份验证。

通过AWS控制台访问这些帐户时,此方法可以很好地工作,但是在使用AWS CLI或SDK时,很快变得很麻烦。

The AWS CLI has support for automatically assuming a role based on a profiles you can setup in your ~/.aws/config file. Once you setup the profiles, you can run a command using the profile. Something like this aws s3 ls --profile profile-for-that-one-account. The CLI will prompt you for your mfa token and assume the role for you. It also caches the credentials for you so you don’t have to keep entering your mfa token if you run multiple commands. This works well except for two things, the SDKs don’t look in the CLI credential cache, and you have to specify the profile everytime you run a command (or set the AWS默认PROFILE环境变量)。

Another issue I have is that often I do development work inside a virtual machine, and the aws config files aren’t available. I could of course volume in my .aws directory, but it’s a pain to do that for every new VM I setup.

解决方案-AWSume

AWSume

我编写了一个脚本,以利用CLI将担当角色并为您缓存凭据的事实。该脚本从CLI缓存中读取凭据,并将其写入环境变量。这样,CLI将默认使用它们而不指定配置文件,并且SDK还将从环境变量中获取信任。它还具有打印导出语句的选项,可以轻松地将它们复制到VM或SSH会话中。

<pre><code>#〜/ .aws / config [profile internal-admin] role_arn = arn:aws:iam ::<my aws account id>/ role / admin-rolemfa_serial = arn:aws:iam ::<my aws account id>:mfa / joelsource_profile = joel [profile client1-admin] role_arn = arn:aws:iam ::<client #1 account id>/ role / admin-rolemfa_serial = arn:aws:iam ::<your aws account id>:mfa / joelsource_profile = joel [profile client2-admin] role_arn = arn:aws:iam ::<client #2 account id>/ role / admin-rolemfa_serial = arn:aws:iam ::<your aws account id>:mfa / joelsource_profile = joel</code></pre><pre><code>#〜/ .aws / credential [默认] aws_access_key_id = AKIAIOIEUFSN9EXAMPLEaws_secret_access_key = wJalrXIneUATF / K7MDENG / jeuFHEnfEXAMPLEKEY [joel] aws_access_key_id = AKIAIOSFODNN7EXAMPLEALX_x_t</code></pre>

Notice that the source_profile in the config matches the profile in the credentials. To protect against accidents I’ve set my default profile to access keys for our sandbox account.

剧本:

<pre><code>#!/ bin / bashif [[-z $ 1]];然后echo缺少配置文件名称echo echo用法:。假定配置文件名称[显示] echoelse aws s3 ls --profile $ 1>/ dev / null如果[[$? -eq 0]];然后cachedCreds =`ls〜/ .aws / cli / cache / $ 1 *`token = $(python -c'import json,sys,fileinput; obj = json.loads(fileinput.input()。readline());信条= obj [“ Credentials”] print creds [“ SessionToken”] +“” $ cachedCreds)id = $(python -c'import json,sys,fileinput; obj = json.loads(fileinput.input()。readline( )); creds = obj [“ Credentials”] print creds [“ AccessKeyId”] +“”'$ cachedCreds)key = $(python -c'import json,sys,fileinput; obj = json.loads(fileinput.input( ).readline()); cred = obj [“ Credentials”] print creds [“ SecretAccessKey”] +“”'$ cachedCreds)if [[“ $ 2” ==“ show”]];然后回显“导出AWS_SESSION_TOKEN = $ token”回显“ export AWS_SECES_ACCESS_KEY = $ key”回声“ export AWS_ACCESS_KEY_ID = $ id” fi export AWS_SESSION_TOKEN = $ token导出AWS_SECRET_ACCESS_KEY = $ key export AWS_ACCESS_KEY_ID = $ id</code></pre>

脚本逻辑

  • Call aws s3 ls with the profile you specify as a parameter
  • 如果没有错误,请使用内嵌python脚本来解析缓存的凭据json文件
  • 导出适当的变量
  • 如果提供了show选项,请打印导出语句

已知此脚本在OSX上的bash和zsh中运行。 YMMV在其他操作系统和外壳上。

Remember, you will need to source the script to get the environment variables to stick. To do this in a typical shell, you need to 预先pend a . to your command. For convenience I named the script awsume, put the it in /usr/local/bin and set an alias alias awsume='. awsume'.

作者
乔尔·豪伯德Trek10
乔尔·豪伯德