assume-role-arn

assume-role-arn is a simple golang binary that can be used as an aws --profile alternative or in CI/CD pipelines, so you don't need any external dependencies while assuming cross-account roles from your environment. No need to install python/awscli and jq.

Main features

• no need to setup awscli profiles
• no dependencies, released as binary
• ability to execute in-line commands
• supports external id
• supports source profile in shared credentials files
• made with ❤️ in Nordcloud

Usage

$ eval $(assume-role-arn -r <role_arn>)
$ aws sts get-caller-identity

or

$ assume-role-arn -r <role_arn> aws sts get-caller-identity

Available flags:

• -r role_arn - required, role ARN
• -e external_id - optional, if you need to specify external id
• -n role_session_name - probably you don't need this
• -m mfa_serial - optional, the ARN of MFA virtual device
• -mfatoken token - optional, the MFA token
• -profile profile_name - the name of AWS profile (from $HOME/.aws/config)
• -ignoreCache - ignore the credentials stored in the cache
• -skipCache - skip the credential cache
• -envprefix - add prefix to exported environmental variables (default: "")
• -h - help

CI/CD pipeline example

Let's say we have three AWS accounts:

• iam
• stg
• prod

You have your IAM deployment user only on iam account, but it can assume cross-account roles in prod and stg accounts. Make sure you have your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY exported in your pipeline's env variables.

Go to Releases and select binary from the last release you want to use. For v0.2 and linux it would be https://github.com/nordcloud/assume-role-arn/releases/download/v0.2/assume-role-arn-linux

Add following steps in the beginning of your deployment script:

curl https://github.com/nordcloud/assume-role-arn/releases/download/v0.2/assume-role-arn-linux -o /usr/local/bin/assume-role-arn
chmod +x /usr/local/bin/assume-role-arn

eval $(assume-role-arn -r arn:aws:iam::ACCOUNT_NUMBER_STG:role/Deployment)

Please adjust output path of curl command and role ARN according to your needs.

Now you should be able to execute AWS-related commands with your assumed role.

MFA

If your account is secured with MFA (multi-factor authentication) then you have to provide the ARN of MFA device and the token:

eval $(assume-role-arn -r arn:aws:iam:ACCOUNT_NUMBER_STG:role/Role -m arn:aws:iam::ACCOUNT:mfa/MFA_ID -mfatoken MFATOKEN)

AWS Profile

You can put the role name, external id, and the mfa serial device to the profile in $HOME/.aws/config

[profile Dev]
role_arn = arn:aws:iam::123456789:role/Role
source_profile = dev
region = eu-west-1
mfa_serial = arn:aws:iam::987654321:mfa/[email protected]

with that defined profile, you can run any command that required AWS credentials (even with MFA) by running

assume-role-arn-linux -profile Dev aws s3 ls

powerlevel10k prompt

The binary outputs credentials origins as environment variables:

• AWS_PROFILE_NAME
• AWS_ACCOUNT_ID
• AWS_ROLE_NAME

Which can be used to build custom prompt for p10k.

Put below code in ~/.p10k.zsh file.

function prompt_assume_role_arn() {
    if [[ -n $AWS_PROFILE_NAME ]]; then
        local display_text=$AWS_PROFILE_NAME
    elif [[ -n $AWS_ACCOUNT_ID && -n $AWS_ROLE_NAME ]]; then
        local display_text="$AWS_ACCOUNT_ID ($AWS_ROLE_NAME)"
    fi

    [[ -n $display_text ]] || return

    p10k segment -i '' -t $display_text
}

Now you can reference your custom promp in config:

  typeset -g POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(
      status
      command_execution_time
      ...
      assume_role_arn
      ...
      time
  )

To style it use powerlevel variables

Example screenshot

Authors

• Jakub Woźniak, Nordcloud 🇵🇱