
aws-mfa-login's Introduction


aws-mfa-login

Small CLI tool to log in to AWS with MFA and update the credentials in your local AWS config. It creates or updates a destination profile with temporary credentials (aws_access_key_id, aws_secret_access_key and aws_session_token). Those credentials are valid for 12 hours by default.

Getting started

Install using go

For this, go must be installed on your system.

Install executable with golang

go install github.com/signavio/aws-mfa-login@latest

Make sure your go path is part of your PATH environment variable:

# Use $HOME rather than ~: tilde is not expanded inside double quotes.
export GOPATH="$HOME/go"
export PATH="${PATH}:${GOPATH}/bin"

Install from binary (Recommended)

curl -L "https://github.com/signavio/aws-mfa-login/releases/latest/download/aws-mfa-login_$(uname)_amd64.gz" -o aws-mfa-login.gz
gunzip aws-mfa-login.gz && chmod +x aws-mfa-login && sudo mv aws-mfa-login /usr/local/bin/aws-mfa-login

Note: requires kubectl client version > 1.11 and kubernetes cluster version >= 1.21

Post-install

Check your installation - this should work now:

$ aws-mfa-login -h
CLI tool to update your temporary AWS credentials

Usage:
  aws-mfa-login [flags]
  aws-mfa-login [command]

Available Commands:
  aws         setup or view your aws config
  cluster     view or setup your kubeconfig
  completion  Generates bash completion scripts
  help        Help about any command

Flags:
      --config string        config file (default is $HOME/.aws-mfa.yaml)
  -d, --destination string   destination profile for temporary aws credentials
  -h, --help                 help for aws-mfa-login
      --no-color             disable colorized output
  -s, --source string        source profile where mfa is activated
      --version              version for aws-mfa-login

Create your application configuration and save it to ~/.aws-mfa.yaml :

source: some-source-profile
destination: some-destination-profile

Source is the source profile where MFA is already activated and the access key ID and secret are configured. The tool creates a new profile entry if the destination profile does not exist yet, or updates it otherwise. Run the tool to update the session token in your local AWS credentials.

For example, for ~/.aws-mfa.yaml with content

source: suite
destination: suite-mfa

... the output may be:

$ aws-mfa-login 
Current configuration located in ~/.aws-mfa.yaml
#####
source: suite
destination: suite-mfa

detected MFA device with serial number arn:aws:iam::123456:mfa/username
enter 6-digit MFA code: 123456

Successfully updated access tokens for profile suite-mfa.
Access will be valid for 11 hours. You can now use that profile.

export AWS_PROFILE=suite-mfa
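To show what the "Successfully updated access tokens" step amounts to on disk, here is an added Python example (not aws-mfa-login's own code) that creates or updates the destination profile in ~/.aws/credentials from STS credentials and refuses to touch the source profile; the profile names, credential values and expiry used are constructed.

```python
"""Added example (not aws-mfa-login's own code): creating or updating the
destination profile in ~/.aws/credentials with temporary STS credentials
while leaving the long-lived source profile untouched.  All credential
values and timestamps used here are constructed sample data."""
import configparser
import io
import re

MFA_CODE_RE = re.compile(r"^\d{6}$")
SESSION_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

# Constructed ~/.aws/credentials: only the source profile with a long-lived key.
SAMPLE_CREDENTIALS = """[suite]
aws_access_key_id = AKIAEXAMPLESOURCE
aws_secret_access_key = sourcesecretEXAMPLE
"""
# Constructed stand-in for the credentials STS GetSessionToken returns after MFA.
SAMPLE_TEMP_CREDS = {"aws_access_key_id": "ASIAEXAMPLETEMP",
                     "aws_secret_access_key": "tempsecretEXAMPLE",
                     "aws_session_token": "FwoGZXIvYXdzEXAMPLE"}

def validate_mfa_code(code: str) -> str:
    """A TOTP code is exactly six digits; reject junk before it reaches STS."""
    if not MFA_CODE_RE.match(code.strip()):
        raise ValueError("MFA code must be exactly 6 digits")
    return code.strip()

def update_destination_profile(credentials_ini, source, destination, temp_creds):
    """Return the credentials file text with `destination` created or updated.
    The source profile is never written: it holds the long-lived key the MFA
    exchange depends on, so overwriting it with a 12-hour token would lock
    the user out on the next run."""
    if destination == source:
        raise ValueError("destination profile must differ from source profile")
    cfg = configparser.ConfigParser(interpolation=None)  # '%' in secrets stays literal
    cfg.read_string(credentials_ini)
    if not cfg.has_section(source):
        raise KeyError(f"source profile {source!r} not found")
    if not cfg.has_section(destination):
        cfg.add_section(destination)
    for key in SESSION_KEYS:
        cfg.set(destination, key, temp_creds[key])
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

def hours_valid(expiration_epoch: float, now_epoch: float) -> int:
    """Whole hours left, as in 'Access will be valid for 11 hours' (floored)."""
    return int((expiration_epoch - now_epoch) // 3600)
```

Running it twice against the same file updates the existing suite-mfa section instead of appending a second one, which is the create-or-update behaviour the README describes.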

Setup kubernetes access

This function can be useful when:

  • you have set up the recommended AWS role structure: one IAM account that contains the AWS users
  • those users assume roles in a target account, for example the account where the EKS cluster lives
  • you map those roles to RBAC users

Roles Structure

You can provide information for static clusters in the YAML; see the example:

source: suite
destination: suite-mfa
clusters:
    - name: eks-staging
      alias: suite-staging
      accountId: "1234"
      role: DeveloperAccessRole
      region: eu-central-1
    - name: eks-prod
      alias: suite-academic
      accountId: "4321"
      role: DeveloperAccessRole
      region: eu-central-1

This will create an AWS profile for each cluster and reference that profile in the kubeconfig. Clusters you don't have access to, or that don't exist, are skipped.

$ aws-mfa-login aws setup
Updated aws credentials in ~/.aws/credentials
2 sections updated and 0 sections created

$ aws-mfa-login cluster setup
Successfully setup kubeconfig for cluster karl-default
Successfully setup kubeconfig for cluster staging-uk-default
Skipping setup for cluster suite-staging No cluster found for name: suite-staging.
Skipping setup for cluster eks-prod-eu because not authorized

You can now switch the context. kubectx is recommended, although it's also possible with plain kubectl.
kubectx suite-dev-cf
kubectl config use-context suite-dev-cf
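As an added example (not the project's code) of what the cluster setup step has to produce per cluster: an AWS config profile that chains to the MFA destination profile, and the kubeconfig exec user that lets kubectl fetch a token through it. The cluster entries and MFA serial ARN are constructed, and using the alias as the profile name is an assumption.

```python
"""Added example (not the project's own code): what the 'cluster setup' step
has to produce for each entry in the clusters list of ~/.aws-mfa.yaml: an
~/.aws/config profile that assumes the cluster role via the MFA destination
profile, and a kubeconfig user entry that makes kubectl fetch a token through
that profile.  Cluster entries and MFA serial ARNs are constructed sample
data; using the alias as the profile name is an assumption."""
import re

SAMPLE_CLUSTERS = [  # constructed, mirrors the README's clusters example
    {"name": "eks-staging", "alias": "suite-staging", "accountId": "1234",
     "role": "DeveloperAccessRole", "region": "eu-central-1"},
    {"name": "eks-prod", "alias": "suite-academic", "accountId": "4321",
     "role": "DeveloperAccessRole", "region": "eu-central-1"},
]
MFA_SERIAL_RE = re.compile(r"^arn:(?P<partition>aws(?:-cn|-us-gov)?):iam::\d+:mfa/\S+$")

def partition_from_mfa_serial(serial: str) -> str:
    """Take the IAM partition from the detected MFA device ARN, so an AWS
    China (aws-cn) account gets role ARNs in its own partition, not 'aws'."""
    m = MFA_SERIAL_RE.match(serial)
    if not m:
        raise ValueError(f"not an IAM MFA serial ARN: {serial!r}")
    return m.group("partition")

def render_cluster_profile(cluster: dict, mfa_profile: str, partition: str) -> str:
    """~/.aws/config section: the role is assumed from the MFA profile, so the
    AssumeRole call is made with the MFA-backed session credentials."""
    role_arn = f"arn:{partition}:iam::{cluster['accountId']}:role/{cluster['role']}"
    return (f"[profile {cluster['alias']}]\n"
            f"role_arn = {role_arn}\n"
            f"source_profile = {mfa_profile}\n"
            f"region = {cluster['region']}\n")

def kubeconfig_user(cluster: dict) -> dict:
    """kubeconfig user entry: kubectl runs 'aws eks get-token' under the
    cluster's profile.  v1beta1 is the exec API version kubectl 1.24+
    accepts; v1alpha1 is rejected by those clients."""
    return {"name": cluster["alias"], "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "aws",
        "args": ["eks", "get-token", "--cluster-name", cluster["name"],
                 "--region", cluster["region"]],
        "env": [{"name": "AWS_PROFILE", "value": cluster["alias"]}],
    }}}

def render_all(clusters, mfa_profile, mfa_serial):
    """Profiles text plus kubeconfig users for every configured cluster."""
    partition = partition_from_mfa_serial(mfa_serial)
    profiles = "".join(render_cluster_profile(c, mfa_profile, partition) for c in clusters)
    return profiles, [kubeconfig_user(c) for c in clusters]
```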

Autocompletion

Refer to Cobra Autocompletion

aws-mfa-login completion --help

To load completions:

Bash:

  $ source <(aws-mfa-login completion bash)

  # To load completions for each session, execute once:
  # Linux:
  $ aws-mfa-login completion bash > /etc/bash_completion.d/aws-mfa-login
  # macOS:
  $ aws-mfa-login completion bash > /usr/local/etc/bash_completion.d/aws-mfa-login

Zsh:

  # If shell completion is not already enabled in your environment,
  # you will need to enable it.  You can execute the following once:

  $ echo "autoload -U compinit; compinit" >> ~/.zshrc

  # To load completions for each session, execute once:
  $ aws-mfa-login completion zsh > ~/.oh-my-zsh/completions/_aws-mfa-login
  
  # verify that ~/.oh-my-zsh/completions is in your fpath
  $ print -l $fpath 

  # You will need to start a new shell for this setup to take effect.

fish:

  $ aws-mfa-login completion fish | source

  # To load completions for each session, execute once:
  $ aws-mfa-login completion fish > ~/.config/fish/completions/aws-mfa-login.fish

PowerShell:

  PS> aws-mfa-login completion powershell | Out-String | Invoke-Expression

  # To load completions for every new session, run:
  PS> aws-mfa-login completion powershell > aws-mfa-login.ps1
  # and source this file from your PowerShell profile.

Usage:
  aws-mfa-login completion [bash|zsh|fish|powershell]

Development

Versioning

Use Conventional Commit Messages. Semantic Release will release a new version with changelog.

examples:

# increase patch version
fix: fixing tests

# increase minor version
feat: add configuration

# increase major version:
BREAKING CHANGE: increase major version of rds

# update docu
docs: update readme


aws-mfa-login's Issues

Got an "AWS region is required" error on `aws-mfa-login`

Used to work fine on the 18.05.2021. However, today (19.05) I got an error:

nikita.ko@mac ~ % aws-mfa-login        
Current configuration located in ~/.aws-mfa.yaml
#####
source: suite
destination: mfa
#####
2021/05/19 13:09:13 operation error STS: GetCallerIdentity, failed to resolve service endpoint, an AWS region is required, but was not found

Region is specified in my .aws-mfa.yaml file:

  # DEV--Area23
  - name: area23-default
    alias: dev-area23
    accountId: "123142534534"
    role: TerraformAccessRole
    region: eu-central-1

allow multiple roles for single clusters

We want to assume different roles per cluster, which would look like this in ~/.aws-mfa.yaml, so we can switch the role with kubectx suite-staging or kubectx suite-staging-debug:

source: suite
destination: mfa
clusters:
  # staging
  - name: eks-staging_eu
    alias: suite-staging
    accountId: "1234567890"
    role: DeveloperAccessRole
    region: eu-central-1
  - name: eks-staging_eu
    alias: suite-staging-debug
    accountId: "1234567890"
    role: DebugAccessRole
    region: eu-central-1

By default this is not possible with the CLI command aws eks update-kubeconfig; see the issues aws/aws-cli#5413 and aws/aws-cli#4079.

So this means I would need to implement aws eks update-kubeconfig completely in golang unless this is not merged.

aws-mfa-login cluster setup is not working

I updated to the latest version available and tried to use it.

I just tried to create an update cluster config:

#####
source: SignavioSass_dev
destination: mfa
#####
detected MFA device with serial number arn:aws:iam::291496782177:mfa/alessandro.surace
enter 6-digit MFA code: 646661

Sucessfully update access tokens for profile mfa.
Access will be valid for 11 hours. You can now your profile.

export AWS_PROFILE=mfa
> aws-mfa-login cluster setup

The kube config file is not updated.

Support for AWS China accounts

I'm trying to use aws-mfa-login with an AWS China account and get the following error:

aws-mfa-login --config ~/.aws-cn.yaml
#####
source: aws-cn
destination: aws-cn-mfa
#####
2023/10/17 12:52:36 operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: c1895db0-5866-4a35-a447-367de51b1d4f, api error InvalidClientTokenId: The security token included in the request is invalid.

The issue arises because aws-mfa-login is trying to log in with the eu-central-1 region, which is absent in AWS China.
The quick fix is to remove the hardcoded region from func (updater *CredUpdater) init() function:
https://github.com/signavio/aws-mfa-login/blob/v0.1.28/action/login.go#L43

I've checked this quick fix and it works pretty well for both aws and aws-cn accounts.

What else do you think should be taken into consideration?
As I see github.com/aws/aws-sdk-go-v2 handles different IAM partitions well and no code changes are needed here:

AWS - arn:aws:: ....
AWS China- arn:aws-cn:: ...

support arm64 architecture

Newer Macs have the M1 processor, which is based on arm64. So we should support this architecture too.

Deprecated client authentication v1alpha1

with kubectl client version 1.24 we get following error

error: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"

client.authentication.k8s.io/v1alpha1 has been deprecated since kubernetes version 1.11. v1beta1 has been available since then, so we can safely upgrade the client API version.

see kubernetes/kubernetes#64482

This is a breaking change since the user is required to update to the latest aws cli version, more specifically >= 1.20.9 or >= 2.2.24.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

  • chore(deps): update dependency golang to v1.22.3
  • chore(deps): update dependency semantic-release to v23.1.1
  • fix(deps): update golang dependencies (github.com/aws/aws-sdk-go-v2, github.com/aws/aws-sdk-go-v2/config, github.com/aws/aws-sdk-go-v2/credentials, github.com/aws/aws-sdk-go-v2/service/eks, github.com/aws/aws-sdk-go-v2/service/iam, github.com/aws/aws-sdk-go-v2/service/sts, github.com/fatih/color, k8s.io/client-go)

Detected dependencies

asdf
.tool-versions
  • golang 1.22.2
circleci
.circleci/config.yml
  • node 5.2.0
  • go 1.11.0
  • cimg/go 1.22
  • cimg/go 1.22
gomod
go.mod
  • go 1.22.0
  • go 1.22.3
  • github.com/aws/aws-sdk-go-v2 v1.26.1
  • github.com/aws/aws-sdk-go-v2/config v1.27.11
  • github.com/aws/aws-sdk-go-v2/credentials v1.17.11
  • github.com/aws/aws-sdk-go-v2/service/eks v1.42.1
  • github.com/aws/aws-sdk-go-v2/service/iam v1.32.0
  • github.com/aws/aws-sdk-go-v2/service/sts v1.28.6
  • github.com/aws/smithy-go v1.20.2
  • github.com/fatih/color v1.16.0
  • github.com/ghodss/yaml v1.0.0
  • github.com/go-ini/ini v1.67.0
  • github.com/mitchellh/go-homedir v1.1.0
  • github.com/spf13/cobra v1.8.0
  • github.com/spf13/viper v1.18.2
  • github.com/stretchr/testify v1.9.0
  • k8s.io/client-go v0.30.0
npm
package.json
  • @semantic-release/changelog 6.0.3
  • @semantic-release/git 10.0.1
  • semantic-release 23.0.8


Error message for non-existing configuration file points to wrong filename

When running aws-mfa-login without a configuration file this is output:

% aws-mfa-login
2022/07/25 13:30:44 Config File ".aws-mfa" Not Found in "[/Users/asmodai]"

This should be .aws-mfa.yaml. I think it's the viper line at cmd/root.go#L61. Unsure at this point if this is a bug in aws-mfa-login's use of viper or viper itself.

Even adding viper.SetConfigType("yaml") after that line does nothing to change the output. But I am not that familiar with viper and its use, so I might be missing something.

Edit: It looks like SetConfigType is not for indicating the type of the configuration file, as in what extension, but rather how to parse the file.

support multiple source profiles

The source profile name is configured only once for all profiles

source: suite
destination: suite-mfa

But we also want to support configuring different source profiles for the same account and cluster. This is useful when you want to authenticate as a different kubernetes user in the same cluster.

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

Error on 0.1.24

aws-mfa-login cluster setup
/home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by /home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login)
/home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login)
