A new-ish thing to me is having my IAM account on a centralized AWS account then switching roles to a role in another AWS account. It’s a good way to manage users across a lot of accounts: Cross-Account Access in the AWS Management Console
What is definitely is having to do this programmatically for a script. I’m using C# for this but the guts are the same for any language I’m sure.
Steps:
1) Load main credentials – either hard-coded or from ~/.aws/credentials
2) Get a Session Token from STS
3) Setup MFA callback
4) Use Session Token creds and MFA call back on an AssumeRole credential set then to do work.
Code
//needed info from target account
var targetRoleAccount = "<account id>";
var targetRoleName = "<role name>";
//needed info from main account about my user
var mainAccount = "<account id>";
var mainAccountUser = "<my user name>";
//my user creds
var mainAccountUserAccessToken = "<aws access token>";
var mainAccountUserSecretToken = "<aws secret token>";
//make some ARNs
var roleArn = $"arn:aws:iam::{targetRoleAccount}:role/{targetRoleName}";
var mfaArn = $"arn:aws:iam::{mainAccount}:mfa/{mainAccountUser}";
var basicCreds = new BasicAWSCredentials(mainAccountUserAccessToken, mainAccountUserSecretToken);
var stsClient = new AmazonSecurityTokenServiceClient(basicCreds);
var sessionResponse = await stsClient.GetSessionTokenAsync();
var sessionCreds = new SessionAWSCredentials(sessionResponse.Credentials.AccessKeyId,
sessionResponse.Credentials.SecretAccessKey, sessionResponse.Credentials.SessionToken);
var options = new AssumeRoleAWSCredentialsOptions()
{
MfaSerialNumber = mfaArn,
MfaTokenCodeCallback = () =>
{
Console.WriteLine("Enter MFA");
return Console.ReadLine();
}
};
var assumeRoleCredentials = new AssumeRoleAWSCredentials(sessionCreds, roleArn, targetRoleName, options);
//time to work!
var client = new AmazonEC2Client(assumeRoleCredentials, RegionEndpoint.EUWest1);
The code roughly follows the steps I listed before. The trick is getting your MFA code in.
Here, I just have a console app so I can just ReadLine() and enter the numbers from my phone which I use for the two-factor code.
Took some figuring out as I didn’t know the AWS termology and had to dig the into the AWS SDK integration tests for STS to get it right. Wasn’t too bad.
