Last active
March 17, 2016 09:14
-
-
Save ryo0301/143598a2d05d90b6201b to your computer and use it in GitHub Desktop.
MacからAWSにアクセスする時はAssumeRoleすることにした ref: http://qiita.com/ryo0301/items/0730e4b1068707a37c31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| begin | |
| require 'aws-sdk-core' | |
| rescue LoadError | |
| else | |
| # aws.rb may already have been initialized | |
| Aws.config[:region] ||= 'ap-northeast-1' | |
| Pry::Commands.import(Pry::CommandSet.new { | |
| block_command 'aws-assume-role' do |role_name, external_id, token_code| | |
| system "~/bin/aws-assume-role #{role_name} #{external_id} #{token_code}" | |
| end | |
| }) | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ], | |
| "Resource": [ | |
| "arn:aws:iam::XXXXXXXXXXXX:role/read-only", | |
| "arn:aws:iam::XXXXXXXXXXXX:role/power-user" | |
| ] | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| set -e | |
| role_name=$1 | |
| external_id=$2 | |
| token_code=$3 | |
| profile=$role_name | |
| cmd="aws sts assume-role" | |
| cmd="$cmd --role-arn arn:aws:iam::XXXXXXXXXXXX:role/$role_name" | |
| cmd="$cmd --role-session-name in-office" | |
| cmd="$cmd --external-id $external_id" | |
| if [ -n "$token_code" ]; then | |
| cmd="$cmd --serial-number arn:aws:iam::XXXXXXXXXXXX:mfa/my-user" | |
| cmd="$cmd --token-code $token_code" | |
| fi | |
| creds=$($cmd) | |
| access_key_id=$(echo $creds | jq --raw-output .Credentials.AccessKeyId) | |
| secret_access_key=$(echo $creds | jq --raw-output .Credentials.SecretAccessKey) | |
| session_token=$(echo $creds | jq --raw-output .Credentials.SessionToken) | |
| aws configure set region ap-northeast-1 --profile $profile | |
| aws configure set aws_access_key_id $access_key_id --profile $profile | |
| aws configure set aws_secret_access_key $secret_access_key --profile $profile | |
| aws configure set aws_session_token $session_token --profile $profile | |
| aws configure list --profile $profile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Principal": { | |
| "AWS": [ | |
| "arn:aws:iam::XXXXXXXXXXXX:user/my-user" | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Principal": { | |
| "AWS": [ | |
| "arn:aws:iam::XXXXXXXXXXXX:user/my-user" | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ aws sts assume-role \ | |
| > --role-arn arn:aws:iam::XXXXXXXXXXXX:role/power-user \ | |
| > --role-session-name in-office \ | |
| > --external-id hogehoge \ | |
| > --serial-number arn:aws:iam::XXXXXXXXXXXX:mfa/my-user \ | |
| > --token-code XXXXXX | |
| { | |
| "AssumedRoleUser": { | |
| "AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXX:in-office", | |
| "Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/power-user/in-office" | |
| }, | |
| "Credentials": { | |
| "SecretAccessKey": "XXXXXXXXXX...", | |
| "SessionToken": "XXXXXXXXXX...", | |
| "Expiration": "2015-01-22T03:16:56Z", | |
| "AccessKeyId": "XXXXXXXXXXXXXXXXXXXX" | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ aws-assume-role power-user hogehoge XXXXXX | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile power-user manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| $ aws ec2 describe-regions --profile power-user | |
| $ aws-assume-role read-only hogehoge | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile read-only manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| $ aws ec2 describe-regions --profile read-only |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ aws.rb --region ap-northeast-1 | |
| Aws> assumed_role = Aws::AssumeRoleCredentials.new( | |
| Aws| role_arn: 'arn:aws:iam::XXXXXXXXXXXX:role/power-user', | |
| Aws| role_session_name: 'in-office', | |
| Aws| external_id: 'hogehoge', | |
| Aws| serial_number: 'arn:aws:iam::XXXXXXXXXXXX:mfa/my-user', | |
| Aws| token_code: 'XXXXXX' | |
| Aws| ) | |
| Aws> assumed_role.credentials.access_key_id | |
| "XXXXXXXXXXXXXXXXXXXX" | |
| Aws> assumed_role.credentials.secret_access_key | |
| "XXXXXXXXXX..." | |
| Aws> assumed_role.credentials.session_token | |
| "XXXXXXXXXX..." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ aws-assume-role power-user hogehoge XXXXXX | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile power-user manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| $ aws ec2 describe-regions --profile power-user | |
| $ aws-assume-role read-only hogehoge | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile read-only manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| $ aws ec2 describe-regions --profile read-only |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ aws.rb --region ap-northeast-1 | |
| Aws> assumed_role = Aws::AssumeRoleCredentials.new( | |
| Aws| role_arn: 'arn:aws:iam::XXXXXXXXXXXX:role/power-user', | |
| Aws| role_session_name: 'in-office', | |
| Aws| external_id: 'hogehoge', | |
| Aws| serial_number: 'arn:aws:iam::XXXXXXXXXXXX:mfa/my-user', | |
| Aws| token_code: 'XXXXXX' | |
| Aws| ) | |
| Aws> assumed_role.credentials.access_key_id | |
| "XXXXXXXXXXXXXXXXXXXX" | |
| Aws> assumed_role.credentials.secret_access_key | |
| "XXXXXXXXXX..." | |
| Aws> assumed_role.credentials.session_token | |
| "XXXXXXXXXX..." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ aws.rb --region ap-northeast-1 | |
| Aws> aws-assume-role power-user hogehoge XXXXXX | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile power-user manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| Aws> ec2 = Aws::EC2::Client.new profile: 'power-user' | |
| #<Aws::EC2::Client> | |
| Aws> ec2.describe_regions.regions[0] | |
| [Aws::EC2::Client 200 0.119853 0 retries] describe_regions() | |
| { | |
| :region_name => "eu-central-1", | |
| :endpoint => "ec2.eu-central-1.amazonaws.com" | |
| } | |
| Aws> aws-assume-role read-only hogehoge | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile read-only manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| Aws> ec2 = Aws::EC2::Client.new profile: 'read-only' | |
| #<Aws::EC2::Client> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ aws.rb --region ap-northeast-1 | |
| Aws> aws-assume-role power-user hogehoge XXXXXX | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile power-user manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| Aws> ec2 = Aws::EC2::Client.new profile: 'power-user' | |
| #<Aws::EC2::Client> | |
| Aws> ec2.describe_regions.regions[0] | |
| [Aws::EC2::Client 200 0.119853 0 retries] describe_regions() | |
| { | |
| :region_name => "eu-central-1", | |
| :endpoint => "ec2.eu-central-1.amazonaws.com" | |
| } | |
| Aws> aws-assume-role read-only hogehoge | |
| Name Value Type Location | |
| ---- ----- ---- -------- | |
| profile read-only manual --profile | |
| access_key ****************XXXX shared-credentials-file | |
| secret_key ****************XXXX shared-credentials-file | |
| region ap-northeast-1 config-file ~/.aws/config | |
| Aws> ec2 = Aws::EC2::Client.new profile: 'read-only' | |
| #<Aws::EC2::Client> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::XXXXXXXXXXXX:root" | |
| }, | |
| "Action": "sts:AssumeRole", | |
| "Condition": { | |
| "StringEquals": { | |
| "sts:ExternalId": "hogehoge" | |
| }, | |
| "Bool": { | |
| "aws:MultiFactorAuthPresent": true | |
| } | |
| } | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # In ~/.aws/credentials: | |
| [development] | |
| aws_access_key_id = foo | |
| aws_access_key_id = bar | |
| # In ~/.aws/config | |
| [profile crossaccount] | |
| role_arn = arn:aws:iam:... | |
| source_profile = development |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment