DEV Community: Frankovskyi Bogdan The latest articles on DEV Community by Frankovskyi Bogdan (@bfrankovskyi). https://dev.to/bfrankovskyi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1106614%2Fbc884310-9548-4089-b373-f101d0787c5d.png DEV Community: Frankovskyi Bogdan https://dev.to/bfrankovskyi en Mastering Multiple AWS Accounts with AWS CLI: Navigating Role Delegation, MFA, and Automated Login Scripts Frankovskyi Bogdan Wed, 15 Nov 2023 09:03:43 +0000 https://dev.to/bfrankovskyi/mastering-multiple-aws-accounts-with-aws-cli-navigating-role-delegation-mfa-and-automated-login-scripts-5bin https://dev.to/bfrankovskyi/mastering-multiple-aws-accounts-with-aws-cli-navigating-role-delegation-mfa-and-automated-login-scripts-5bin <p>In my role as a platform engineer, I often work with multiple AWS accounts. This can get tricky, especially when setting up Terraform or writing scripts for different account resources. I've learned some helpful tips and tricks along the way, which may be helpful to you. </p> <p>For multiple accounts access <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html">role delegation</a> is usually used. This is especially helpful, because it is easy to manage, it adds required granularity of access to the different resources and allows user to have only one pair of secrets on computer. It is also <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html">easy to configure for AWS CLI</a> and it is supported by Terraform. </p> <p>It is a bit more difficult to configure when <a href="https://aws.amazon.com/iam/features/mfa">Multi-Factor Authentication (MFA) is enabled</a> for the additional security. MFA is great for security - it makes sure this is you who are trying to use credentials, not anyone else uses stolen creds. On practice, it means you need to enter some One-Time Password (OTP) code generated for you by some program (like <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&amp;pcampaignid=web_share">Google Authenicator</a>) or by separate hardware (like <a href="https://www.yubico.com">Yubikey</a> or <a href="https://www.protectimus.com">Protectimus</a>). There are other solutions on a market, but I have experience with these only. </p> <p>For OTP I usually use Google Authenicator but using it with some short-lived session is very annoying - you have to type code from phone every time. For these cases I use Yubikey to generate OTP codes, or I use <a href="https://support.1password.com/one-time-passwords/">1Password</a> when I can't use Yubikey. 1Password is a bit less secure option for this case - because it can be used if someone get access to your computer and have your password, while with GA or hardware token attacker must have access to them too. </p> <ul> <li><a href="https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/">How to configure Yubikey as AWS MFA</a></li> <li><a href="https://support.1password.com/one-time-passwords/">How to configure 1Password for AWS MFA</a></li> </ul> <p>Once you have it configured, let's start from configuring AWS CLI and login script. Login script will generate temporary credentials which may be used to access all other account. The flow of it is simple: </p> <ul> <li>Retrieve new set of temporary credentials using <a href="https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html">sts get-session-token</a> AWS CLI command using credentials from account where user is created</li> <li>Set temporary credentials to <code>~/.aws/credentials</code> profile</li> <li>use this profile as <code>source_profile</code> with multiple AWS profiles</li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RXdqu4Va--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7aetuhm997674uyfxooh.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RXdqu4Va--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7aetuhm997674uyfxooh.png" alt="Image description" width="800" height="552"></a></p> <p>First of all, you need to add profile where your user was created, and credentials to it:</p> <p><code>~/.aws/config</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[profile account-where-user-congured]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> </code></pre> </div> <p><code>~/.aws/credentials</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[account-where-user-configured]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">*******************</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">*********************</span> </code></pre> </div> <p>Add empty profile where generated credentials will be stored.<br> <code>~/.aws/credentials</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[account-where-user-configured]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">*******************</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">*********************</span> <span class="nn">[root-mfa]</span> </code></pre> </div> <p>and, of course, add other accounts where user have access with assumed role:<br> <code>~/.aws/config</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[profile account-where-user-configured]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile some-account-you-can-assume-role-in]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">root-mfa</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::0123456789:role/my-awesome-role</span> <span class="nn">[profile some-other-account-you-can-assume-role-in]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">root-mfa</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::0123456789:role/my-awesome-role</span> <span class="err">....</span> </code></pre> </div> <p>Now, let's make script to retrieve temporary credentials (based on script from here <a href="https://gist.github.com/ogavrisevs/2debdcb96d3002a9cbf2">Script to generate AWS STS token · GitHub</a>). </p> <p><code>awslogin.sh</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c">#</span> <span class="c"># Sample for getting temp session token from AWS STS</span> <span class="c">#</span> <span class="c"># aws --profile youriamuser sts get-session-token --duration 3600 \</span> <span class="c"># --serial-number arn:aws:iam::012345678901:mfa/user --token-code 012345</span> <span class="c">#</span> <span class="c"># Based on : https://github.com/EvidentSecurity/MFAonCLI/blob/master/aws-temp-token.sh</span> <span class="c">#</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nv">AWS_CLI</span><span class="o">=</span><span class="sb">`</span>which aws<span class="sb">`</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"AWS CLI is not installed; exiting"</span> <span class="nb">exit </span>1 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Using AWS CLI found at </span><span class="nv">$AWS_CLI</span><span class="s2">"</span> <span class="k">fi </span><span class="nv">AWS_USER_PROFILE</span><span class="o">=</span>account-where-user-configured <span class="nv">AWS_2AUTH_PROFILE</span><span class="o">=</span>root-mfa <span class="nv">ARN_OF_MFA</span><span class="o">=</span>arn:aws:iam::account-where-user-configured-id:mfa/yubikey-mfa-arn-name <span class="nv">DURATION</span><span class="o">=</span>129600 <span class="nb">read </span>AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <span class="o">&lt;&lt;&lt;</span> <span class="se">\</span> <span class="si">$(</span> aws <span class="nt">--profile</span> <span class="nv">$AWS_USER_PROFILE</span> sts get-session-token <span class="se">\</span> <span class="nt">--duration</span> <span class="nv">$DURATION</span> <span class="se">\</span> <span class="nt">--serial-number</span> <span class="nv">$ARN_OF_MFA</span> <span class="se">\</span> <span class="nt">--token-code</span> <span class="si">$(</span>ykman oath code <span class="nt">-s</span> <span class="nv">$ARN_OF_MFA</span><span class="si">)</span> <span class="se">\</span> <span class="nt">--output</span> text | <span class="nb">awk</span> <span class="s1">'{ print $2, $4, $5 }'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$AWS_ACCESS_KEY_ID</span><span class="s2">"</span> <span class="o">]</span> <span class="k">then </span><span class="nb">exit </span>1 <span class="k">fi</span> <span class="sb">`</span>aws <span class="nt">--profile</span> <span class="nv">$AWS_2AUTH_PROFILE</span> configure <span class="nb">set </span>aws_access_key_id <span class="s2">"</span><span class="nv">$AWS_ACCESS_KEY_ID</span><span class="s2">"</span><span class="sb">`</span> <span class="sb">`</span>aws <span class="nt">--profile</span> <span class="nv">$AWS_2AUTH_PROFILE</span> configure <span class="nb">set </span>aws_secret_access_key <span class="s2">"</span><span class="nv">$AWS_SECRET_ACCESS_KEY</span><span class="s2">"</span><span class="sb">`</span> <span class="sb">`</span>aws <span class="nt">--profile</span> <span class="nv">$AWS_2AUTH_PROFILE</span> configure <span class="nb">set </span>aws_session_token <span class="s2">"</span><span class="nv">$AWS_SESSION_TOKEN</span><span class="s2">"</span><span class="sb">`</span> </code></pre> </div> <p>Note <code>$(ykman oath code -s $ARN_OF_MFA)</code> line - this is where <a href="https://developers.yubico.com/yubikey-manager/">ykman</a> will ask you to touch Yubikey. That pretty much it. Now you can login just once and use different AWS profiles without need to re-login.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>⋊&gt;./awslogin.sh Using AWS CLI found at /home/linuxbrew/.linuxbrew/bin/aws Touch your YubiKey... ⋊&gt;aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> some-account-you-can-assume-role-in <span class="c"># some buckets will be shown</span> <span class="c"># you can simultaneously use it for all other accounts you can assume role in</span> <span class="c"># without need to switch to it or use env variables</span> ⋊&gt;aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> some-other-account-you-can-assume-role-in <span class="c"># some buckets will be shown</span> </code></pre> </div> <p>Configuration with 1Password OTP generation is similar — but instead of <code>ykman</code> <a href="https://1password.com/downloads/command-line/">op</a> should be used to retrieve a OTP code. If we are going to use 1Password for auth anyways, it is reasonable to get rid of the local secret for <code>account-where-user-configured</code> stored in plain text in <code>~/.aws/credentials</code>. </p> <p>Set up credentials in 1Password and remove <code>[profile account-where-user-configured]</code> from <code>~/.aws/credentials</code> and <code>~/.aws/config</code>.<br> Credentials for accounts where user is set up will be taken from 1Password and used in script instead of ones in <code>~/.aws/credentials</code>. We also will use OTP generated by 1Password<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c">#</span> <span class="c"># Sample for getting temp session token from AWS STS</span> <span class="c">#</span> <span class="c"># aws --profile youriamuser sts get-session-token --duration 3600 \</span> <span class="c"># --serial-number arn:aws:iam::012345678901:mfa/user --token-code 012345</span> <span class="c">#</span> <span class="c"># Based on : https://github.com/EvidentSecurity/MFAonCLI/blob/master/aws-temp-token.sh</span> <span class="c">#</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nv">AWS_CLI</span><span class="o">=</span><span class="sb">`</span>which aws<span class="sb">`</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"AWS CLI is not installed; exiting"</span> <span class="nb">exit </span>1 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Using AWS CLI found at </span><span class="nv">$AWS_CLI</span><span class="s2">"</span> <span class="k">fi </span><span class="nv">AWS_USER_PROFILE</span><span class="o">=</span>account-where-user-configured <span class="nv">AWS_2AUTH_PROFILE</span><span class="o">=</span>root-mfa <span class="nv">ARN_OF_MFA</span><span class="o">=</span>arn:aws:iam::account-where-user-configured-id:mfa/yubikey-mfa-arn-name <span class="nv">DURATION</span><span class="o">=</span>129600 <span class="nb">read </span>AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <span class="o">&lt;&lt;&lt;</span> <span class="se">\</span> <span class="si">$(</span><span class="nb">env </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span><span class="si">$(</span>op <span class="nb">read</span> <span class="s2">"op://Private/&lt;your-account-secret&gt;/access key id"</span><span class="si">)</span> <span class="se">\</span> <span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span><span class="si">$(</span>op <span class="nb">read</span> <span class="s2">"op://Private/&lt;your-account-secret&gt;/secret access key"</span><span class="si">)</span> <span class="se">\</span> aws sts get-session-token <span class="se">\</span> <span class="nt">--duration</span> <span class="nv">$DURATION</span> <span class="se">\</span> <span class="nt">--serial-number</span> <span class="nv">$ARN_OF_MFA</span> <span class="se">\</span> <span class="nt">--token-code</span> <span class="si">$(</span><span class="nt">--token-code</span> <span class="si">$(</span>op <span class="nb">read</span> <span class="s2">"op://Private/&lt;your-account-secret&gt;/one-time password"</span><span class="si">))</span> <span class="se">\</span> <span class="nt">--output</span> text | <span class="nb">awk</span> <span class="s1">'{ print $2, $4, $5 }'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$AWS_ACCESS_KEY_ID</span><span class="s2">"</span> <span class="o">]</span> <span class="k">then </span><span class="nb">exit </span>1 <span class="k">fi</span> <span class="sb">`</span>aws <span class="nt">--profile</span> <span class="nv">$AWS_2AUTH_PROFILE</span> configure <span class="nb">set </span>aws_access_key_id <span class="s2">"</span><span class="nv">$AWS_ACCESS_KEY_ID</span><span class="s2">"</span><span class="sb">`</span> <span class="sb">`</span>aws <span class="nt">--profile</span> <span class="nv">$AWS_2AUTH_PROFILE</span> configure <span class="nb">set </span>aws_secret_access_key <span class="s2">"</span><span class="nv">$AWS_SECRET_ACCESS_KEY</span><span class="s2">"</span><span class="sb">`</span> <span class="sb">`</span>aws <span class="nt">--profile</span> <span class="nv">$AWS_2AUTH_PROFILE</span> configure <span class="nb">set </span>aws_session_token <span class="s2">"</span><span class="nv">$AWS_SESSION_TOKEN</span><span class="s2">"</span><span class="sb">`</span> </code></pre> </div> <p>TIP: You can use it with Terraform/Terragrun by setting environment variable temporary, just for the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">env </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>your-profile-name terraform init </code></pre> </div> <p>TIP: You can export generated credentials to environment variable (for cases when aws profiles is not supported) by the <a href="(https://stackoverflow.com/questions/40852223/is-there-a-way-to-export-an-aws-cli-profile-to-environment-variables)">following command</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">eval</span> <span class="s2">"</span><span class="si">$(</span>aws configure export-credentials <span class="nt">--profile</span> your-profile-name <span class="nt">--format</span> <span class="nb">env</span><span class="si">)</span><span class="s2">"</span> </code></pre> </div> <p>TIP: you also can pass credentials to docker container on run without storing them in separate file or export to your environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--env-file</span> &lt;<span class="o">(</span>aws configure export-credentials <span class="nt">--profile</span> your-profile-name <span class="nt">--format</span> env-no-export<span class="o">)</span> ... </code></pre> </div> aws security mfa cli