# aws-assume-role-rs

This provides the `assume-role` command to generate AWS temporary security credentials.

# Installation

```console
$ cargo binstall aws-assume-role-rs
```

or

```console
$ cargo install aws-assume-role-rs
```

# How to use

## Command line options

```console
$ assume-role --help
A command line tool to generate AWS temporary security credentials.

Usage: assume-role [OPTIONS] <--totp-secret |--totp-code > [ARGS]...

Arguments:
  [ARGS]...  Commands to execute

Options:
      --aws-profile
          AWS profile name in AWS_CONFIG_FILE. This option is used to detect jump account information
          [env: AWS_PROFILE=]
  -p, --profile-name
          The profile name
  -r, --role-arn
          The IAM Role ARN to assume
          [env: ROLE_ARN=]
  -c, --config
          The config file. default: $HOME/.aws/config.toml
          Load the first of the following files found:
          1. the file specified by this option
          2. $HOME/.aws/config.toml
          3. $HOME/.aws/config
  -d, --duration
          The duration in seconds of the role session. (900-43200)
          The following suffixes are available:
          "s": seconds
          "m": minutes
          "h": hours
          No suffix means seconds.
          [default: 1h]
  -n, --serial-number
          MFA device ARN such as arn:aws:iam::123456789012/mfa/user
          [env: SERIAL_NUMBER=]
  -s, --totp-secret
          The base32 format TOTP secret
          [env: TOTP_SECRET=]
  -t, --totp-code
          The TOTP code generated by other tool
          [env: TOTP_CODE=]
  -f, --format
          Output format
          [possible values: json, bash, zsh, fish, power-shell]
  -v, --verbose
          Print verbose logs
  -h, --help
          Print help
  -V, --version
          Print version
```

### The priority to find role ARN

1. `--role-arn` option
1. Find by `--profile-name` option from a configuration file
1. Select role ARN from a list loaded from a configuration file in an interactive UI

### The priority of configuration files

1. `--config` option
1. `$HOME/.aws/config.toml`
1. `$HOME/.aws/config`

### The priority to find jump account

The jump account information consists of the AWS credentials, the MFA serial number, and the TOTP secret.

1. Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `SERIAL_NUMBER`, `TOTP_SECRET`)
1. INI format file specified by the `--config` option and the `--aws-profile` option
1. Load credentials according to aws_config's default rule

## Set up

Create `$HOME/.aws/config.toml`:

```toml
[profile.test]
role_arn = "arn:aws:iam::123456789012:role/Developer"

[profile.test-admin]
role_arn = "arn:aws:iam::123456789012:role/PowerUserRole"

[profile.production-viewer]
role_arn = "arn:aws:iam::123456789876:role/Viewer"

[profile.production-maintainer]
role_arn = "arn:aws:iam::123456789876:role/Maintainer"
```

The TOML format only supports sections with the key `role_arn`.

or create `$HOME/.aws/config`:

```ini
[profile jump]
region = ap-northeast-1
serial_number = arn:aws:iam::987654321234:mfa/serialnumber

[profile jump2]
region = ap-northeast-1

[profile test]
role_arn = arn:aws:iam::123456789012:role/Developer

[profile test-admin]
role_arn = arn:aws:iam::123456789012:role/PowerUserRole

[profile production-viewer]
role_arn = arn:aws:iam::123456789876:role/Viewer

[profile production-maintainer]
role_arn = arn:aws:iam::123456789876:role/Maintainer
```

When looking up `role_arn` in the INI format, all sections without a `role_arn` property are ignored.

## Interactive mode

Set the environment variables `SERIAL_NUMBER` and `TOTP_SECRET`, or pass `--serial-number` and `--totp-secret` on the command line. You can then select the profile from your configuration file interactively.

```console
$ env AWS_PROFILE=jump SERIAL_NUMBER="..." TOTP_SECRET="..." assume-role aws s3 ls
# same as the above using command line options
$ env AWS_PROFILE=jump assume-role --serial-number "..." --totp-secret "..." aws s3 ls
```

Instead of `TOTP_SECRET`, you can pass a `TOTP_CODE` generated by another tool via the command line option (`--totp-code`) or the environment variable (`TOTP_CODE`).

```console
$ env AWS_PROFILE=jump SERIAL_NUMBER="..." TOTP_CODE="..." assume-role aws s3 ls
# same as the above using command line options
$ env AWS_PROFILE=jump assume-role --serial-number="..." --totp-code="..." aws s3 ls
```

## Non-interactive mode

You can use the `--profile-name` option to specify the role ARN.

```console
$ AWS_PROFILE=jump assume-role --profile-name test --totp-secret "..." aws s3 ls
```

or

```console
$ assume-role --aws-profile=jump --profile-name=test --totp-code=123456 aws s3 ls
```

You can use the `--role-arn` option to specify the role ARN directly.

```console
$ AWS_PROFILE=jump2 assume-role --role-arn arn:aws:iam::123456789012:role/Developer --serial-number "..." --totp-secret "..." aws s3 ls
```

## Use with envchain

You can use this `assume-role` command with [sorah/envchain](https://github.com/sorah/envchain) or [okkez/envchain-rs](https://github.com/okkez/envchain-rs). Store the secrets in the secret service or keychain.

```console
$ envchain --set jump AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION SERIAL_NUMBER TOTP_SECRET
# ... input secret values
$ envchain jump assume-role -p test-admin aws s3 ls
```

## Set environment variables

With `--format`, the command prints the following environment variables in a form your shell can evaluate.

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_SESSION_TOKEN`
- `AWS_EXPIRATION`

### Bash

```bash
eval $(envchain jump assume-role -p test-admin --format bash)
```

### Zsh

```zsh
eval $(envchain jump assume-role -p test-admin --format zsh)
```

### Fish

```fish
eval (envchain jump assume-role -p test-admin --format fish)
```

# License

MIT License
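The two lookup orders described under "How to use" (role ARN: `--role-arn`, then `--profile-name`, then an interactive choice; configuration file: `--config`, then `$HOME/.aws/config.toml`, then `$HOME/.aws/config`) and the rule that only sections carrying `role_arn` count, shown as an added example. This is not code from aws-assume-role-rs: it uses only the Rust standard library, hand-parses just the subset of TOML and INI that the README's samples use, and treats an unknown `--profile-name` as an error instead of falling back to the picker (a design choice of this example, so a typo cannot end in assuming an unintended role). The sample configs are constructed from the README.

```rust
// Added example, not code from aws-assume-role-rs: a standard-library-only
// reader for the two configuration layouts in the README, plus the lookup
// orders the README states for the role ARN and for the configuration file.
// The real tool's parsers and interactive picker are not reproduced here.
use std::collections::BTreeMap;

/// Profile name -> role ARN.
pub type Profiles = BTreeMap<String, String>;

/// Constructed sample in the README's TOML layout.
pub const TOML_SAMPLE: &str = r#"
[profile.test]
role_arn = "arn:aws:iam::123456789012:role/Developer"

[profile.test-admin]
role_arn = "arn:aws:iam::123456789012:role/PowerUserRole"
"#;

/// Constructed sample in the README's INI layout; `jump` has no role_arn.
pub const INI_SAMPLE: &str = r#"
[profile jump]
region = ap-northeast-1
serial_number = arn:aws:iam::987654321234:mfa/serialnumber

[profile test]
role_arn = arn:aws:iam::123456789012:role/Developer

[profile test-admin]
role_arn = arn:aws:iam::123456789012:role/PowerUserRole
"#;

/// Accepts `[profile.NAME]` (TOML) and `[profile NAME]` (INI) headers and keeps
/// only `role_arn`, so sections without it (the jump profile) are skipped, as
/// the README's rule requires. Quoted (TOML) and bare (INI) values both work.
pub fn parse_profiles(text: &str) -> Profiles {
    let mut profiles = Profiles::new();
    let mut current: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            let inner = &line[1..line.len() - 1];
            current = inner
                .strip_prefix("profile.")
                .or_else(|| inner.strip_prefix("profile "))
                .map(|name| name.trim().to_string());
            continue;
        }
        let name = match &current {
            Some(name) => name,
            None => continue, // key outside any profile section
        };
        if let Some((key, value)) = line.split_once('=') {
            if key.trim() == "role_arn" {
                let value = value.trim().trim_matches('"');
                profiles.insert(name.clone(), value.to_string());
            }
        }
    }
    profiles
}

#[derive(Debug, PartialEq)]
pub enum RoleArn {
    /// Decided without asking the user.
    Fixed(String),
    /// Neither option given: offer these (name, ARN) pairs in a picker.
    Choose(Vec<(String, String)>),
    /// --profile-name matched nothing; this example refuses rather than
    /// silently falling back to the picker.
    UnknownProfile(String),
}

/// README order: --role-arn, then --profile-name lookup, then interactive.
pub fn resolve_role_arn(role_arn: Option<&str>, profile_name: Option<&str>, profiles: &Profiles) -> RoleArn {
    if let Some(arn) = role_arn {
        return RoleArn::Fixed(arn.to_string());
    }
    if let Some(name) = profile_name {
        return match profiles.get(name) {
            Some(arn) => RoleArn::Fixed(arn.clone()),
            None => RoleArn::UnknownProfile(name.to_string()),
        };
    }
    RoleArn::Choose(profiles.iter().map(|(n, a)| (n.clone(), a.clone())).collect())
}

/// README order: --config, then $HOME/.aws/config.toml, then $HOME/.aws/config.
/// `exists` is injected so the order can be checked without a real filesystem.
pub fn pick_config_file(cli_config: Option<&str>, home: &str, exists: impl Fn(&str) -> bool) -> Option<String> {
    let mut candidates = Vec::new();
    if let Some(path) = cli_config {
        candidates.push(path.to_string());
    }
    candidates.push(format!("{home}/.aws/config.toml"));
    candidates.push(format!("{home}/.aws/config"));
    candidates.into_iter().find(|path| exists(path.as_str()))
}

fn main() {
    let profiles = parse_profiles(INI_SAMPLE);
    println!("{:?}", resolve_role_arn(None, Some("test"), &profiles));
    println!("{:?}", resolve_role_arn(None, None, &profiles));
    let chosen = pick_config_file(None, "/home/alice", |p| std::path::Path::new(p).exists());
    println!("config file: {chosen:?}");
}
```

Both samples parse to the same two profiles, which is the point of the "ignore sections without `role_arn`" rule: the `jump` section holds the jump account's region and MFA serial, not a role to assume, so it must never show up in the picker.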
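The "Set environment variables" section has the shell `eval` the command's output, so whatever renders the four variables is a shell-injection sink: a value that reached `eval` unquoted would be word-split or expanded. The following added example (not code from aws-assume-role-rs) renders constructed credentials for each `--format` value the help text lists, with the quoting rules of each target. The README does not show the exact output text or the JSON key names, so the statement shapes and the JSON layout below are this example's assumptions.

```rust
// Added example, not code from aws-assume-role-rs: render temporary credentials
// as statements for each `--format` value listed in the README so that
// `eval $(...)` / `eval (...)` can load them. Output shapes are assumed.
#[derive(Debug, Clone)]
pub struct Credentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
    /// Expiry timestamp as returned by STS, exported as AWS_EXPIRATION.
    pub expiration: String,
}

#[derive(Debug, Clone, Copy)]
pub enum Format {
    Bash,
    Zsh,
    Fish,
    PowerShell,
    Json,
}

/// POSIX single-quoting: nothing inside '...' is special except the quote
/// itself, which is closed, backslash-escaped and reopened ('\'').
pub fn sh_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', r"'\''"))
}

/// fish single quotes only honour \' and \\, so escape exactly those two.
pub fn fish_quote(s: &str) -> String {
    format!("'{}'", s.replace('\\', r"\\").replace('\'', r"\'"))
}

/// PowerShell single quotes: a literal quote is written twice.
pub fn ps_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "''"))
}

/// Minimal JSON string encoder (sufficient for credential material).
pub fn json_quote(s: &str) -> String {
    let mut out = String::from("\"");
    for ch in s.chars() {
        match ch {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Render the four variables the README lists, in that order.
pub fn render(format: Format, c: &Credentials) -> String {
    let pairs = [
        ("AWS_ACCESS_KEY_ID", c.access_key_id.as_str()),
        ("AWS_SECRET_ACCESS_KEY", c.secret_access_key.as_str()),
        ("AWS_SESSION_TOKEN", c.session_token.as_str()),
        ("AWS_EXPIRATION", c.expiration.as_str()),
    ];
    match format {
        // bash and zsh share POSIX quoting and `export`.
        Format::Bash | Format::Zsh => pairs
            .iter()
            .map(|(k, v)| format!("export {k}={}\n", sh_quote(v)))
            .collect(),
        // fish has no `export`; `set -gx` creates a global, exported variable.
        Format::Fish => pairs
            .iter()
            .map(|(k, v)| format!("set -gx {k} {}\n", fish_quote(v)))
            .collect(),
        Format::PowerShell => pairs
            .iter()
            .map(|(k, v)| format!("$env:{k} = {}\n", ps_quote(v)))
            .collect(),
        // Assumed JSON shape: one object keyed by the variable names.
        Format::Json => {
            let fields: Vec<String> = pairs
                .iter()
                .map(|(k, v)| format!("{}:{}", json_quote(k), json_quote(v)))
                .collect();
            format!("{{{}}}\n", fields.join(","))
        }
    }
}

fn main() {
    // Constructed, non-functional sample values.
    let creds = Credentials {
        access_key_id: "ASIAEXAMPLEKEYID".to_string(),
        secret_access_key: "example-secret".to_string(),
        session_token: "example-session-token".to_string(),
        expiration: "2024-01-01T00:00:00Z".to_string(),
    };
    print!("{}", render(Format::Bash, &creds));
}
```

Exporting `AWS_EXPIRATION` alongside the three credential variables lets a shell prompt or wrapper script notice a stale session instead of failing on the first AWS call after the role session's duration has elapsed.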