Crates.io | aws-login |
lib.rs | aws-login |
version | 1.2.2 |
source | src |
created_at | 2021-12-30 05:37:31.802862 |
updated_at | 2022-05-28 22:20:48.779039 |
description | A command line utility to simplify logging into AWS accounts and services. |
homepage | https://github.com/kherge/rs.aws-login |
repository | https://github.com/kherge/rs.aws-login/ |
max_upload_size | |
id | 505194 |
size | 531,785 |
A command line utility to simplify logging into AWS accounts and services.
$ aws-login use
? Please select a profile to use: ›
❯ dev-read
dev-write
$ echo $AWS_PROFILE
dev-read
$ aws-login use --profile dev-write
$ echo $AWS_PROFILE
dev-write
unzip -j aws-login_linux_amd64.zip
aws-login
executable.
chmod 755 aws-login
aws-login
to somewhere in your $PATH
.aws-login shell install -s $SHELL
, where $SHELL
is your supported shell.
aws-login shell --help
for a list of supported shells.On more recent versions of macOS, Gatekeeper will block your attempt to run the application because it is not signed with an Apple Developer certificate. Please see this guide on how to work around this issue.
Before we dive into using the application, you need to be aware of how profiles work with the AWS CLI. The official AWS CLI supports the use of profiles so that information such as accounts, roles, and preferences are remembered. This saves you from having to provide that information each time you want to do something.
The aws-login
utility attempts to take full advantage of AWS CLI profiles. When "active AWS CLI profile" is mentioned, it means one of two things:
AWS_PROFILE
environment variable.By default, everything you do with aws-login
will use the profile found in one of the places mentioned above and in the order they are listed. However, like AWS CLI, you can change the profile you are working with by using the --profile
option.
aws-login ecr
This subcommand will configure Docker to use the Elastic Container Registry in the AWS account for your active AWS CLI profile. If the region for your ECR differs from the default region configured for your profile, remember to specify it with the --region
option.
kubectl
to use EKSaws-login eks
This subcommand will prompt you to choose an EKS cluster from a list found in the AWS account for your active AWS CLI profile. Once a selection is made, the configuration for kubectl
is updated to support connecting to that EKS cluster. Remember to log in before attempting to do so, fresh credentials may be required.
aws-login rds $USERNAME
This subcommand will prompt you to choose an RDS Proxy from a list found in the AWS account for your active AWS CLI profile. Once a selection is made, the database authentication token will be generated for you to use in your preferred database client.
It is important to note that generating a token will almost always succeed, even if you do not have permission to access the RDS Proxy endpoint. If authentication fails, you will want to check a few things:
- Make sure your TLS settings match.
- Make sure you are using the correct AWS CLI profile.
- Make sure your role has the IAM
rds-db:connect
permission.
aws-login sso
This subcommand will use the AWS SSO portal settings in your active AWS CLI profile for authentication. If the required settings are missing, you will be prompted to provide them before authentication can proceed.
aws-login use
This subcommand will prompt you to selected from a list of existing AWS CLI profiles and available profile templates. If a profile template is selected and a corresponding AWS CLI profile does not already exist, it will be automatically configured using the template. Once a selection has been made, the shell environment is modified to make it the active AWS CLI profile for the duration of the shell session.
The use
subcommand does not simply offer you the ability to select existing AWS CLI profiles, but also offers the ability to use profile templates to configure new AWS CLI profiles. These templates are stored in JSON file called templates.json
(found in ~/.config/aws-login/
or %APPDATA\Roaming\AWS Login\
).
This is what a collection of profile templates looks like:
{
"base": {
"enabled": false,
"settings": {
"output": "json",
"region": "us-east-1",
"sso_region": "us-east-1",
"sso_start_url": "https://my-sso-portal.awsapps.com/start"
}
},
"dev-read": {
"extends": "base",
"settings": {
"sso_account_id": 123456789012,
"sso_role_name": "ReadOnly"
}
},
"dev-write": {
"extends": "dev-read",
"settings": {
"sso_role_name": "Developer"
}
}
}
The base
profile template serves as the foundation for other templates to build upon. It provides some common settings such as where the SSO portal is located. Because this is not a fully configured profile, and is intended to be used by other templates, enabled
is set to false
so that it is not listed as an option to select from when aws-login use
is run.
The dev-read
profile template uses the base
template by specifying it under the extends
key, and adds its own SSO settings that make it ready to be used for authentication. If dev-read
provided its own region
, it would override the region
set by the base profile.
The dev-write
profile template demonstrates that your profile dependency tree can go as deep as you need. In this template, we re-use all of the settings from dev-read
(and consequently, base
) but override the sso_role_name
we want to use.
Here is an example scenario:
You are a new hire at a company that hosts all of their services in AWS. As part of the onboarding process, you work on setting up your workstation so that you can use AWS CLI to interact with the cloud environment. Instead of asking around, searching Confluence/Sharepoint/etc, or figuring it out on your own, you install aws-login
and run the pull
subcommand with a URL you were provided.
You now have immediate access to various AWS accounts and services.
You may want to familiarize yourself with this first: Setting up and activating AWS CLI profiles
aws-login pull https://www.example.com/path/to/templates.json
This subcommand will download a remote profile templates file and store a copy for later use. If a local templates file already exists, you will be asked if you would like to merge with the existing file or replace it.