A new-ish thing to me is having my IAM account on a centralized AWS account then switching roles to a role in another AWS account. It’s a good way to manage users across a lot of accounts: Cross-Account Access in the AWS Management Console
What is definitely is having to do this programmatically for a script. I’m using C# for this but the guts are the same for any language I’m sure.
Steps:
1) Load main credentials – either hard-coded or from ~/.aws/credentials
2) Get a Session Token from STS
3) Setup MFA callback
4) Use Session Token creds and MFA call back on an AssumeRole credential set then to do work.
Code
//needed info from target account var targetRoleAccount = "<account id>"; var targetRoleName = "<role name>"; //needed info from main account about my user var mainAccount = "<account id>"; var mainAccountUser = "<my user name>"; //my user creds var mainAccountUserAccessToken = "<aws access token>"; var mainAccountUserSecretToken = "<aws secret token>"; //make some ARNs var roleArn = $"arn:aws:iam::{targetRoleAccount}:role/{targetRoleName}"; var mfaArn = $"arn:aws:iam::{mainAccount}:mfa/{mainAccountUser}"; var basicCreds = new BasicAWSCredentials(mainAccountUserAccessToken, mainAccountUserSecretToken); var stsClient = new AmazonSecurityTokenServiceClient(basicCreds); var sessionResponse = await stsClient.GetSessionTokenAsync(); var sessionCreds = new SessionAWSCredentials(sessionResponse.Credentials.AccessKeyId, sessionResponse.Credentials.SecretAccessKey, sessionResponse.Credentials.SessionToken); var options = new AssumeRoleAWSCredentialsOptions() { MfaSerialNumber = mfaArn, MfaTokenCodeCallback = () => { Console.WriteLine("Enter MFA"); return Console.ReadLine(); } }; var assumeRoleCredentials = new AssumeRoleAWSCredentials(sessionCreds, roleArn, targetRoleName, options); //time to work! var client = new AmazonEC2Client(assumeRoleCredentials, RegionEndpoint.EUWest1);
The code roughly follows the steps I listed before. The trick is getting your MFA code in.
Here, I just have a console app so I can just ReadLine()
and enter the numbers from my phone which I use for the two-factor code.
Took some figuring out as I didn’t know the AWS termology and had to dig the into the AWS SDK integration tests for STS to get it right. Wasn’t too bad.