Temporary credentials, made easy

2020-03-06

I started to write this post almost a year ago but for some reason I never finished it.
I have been using the small tooling, easy-aws-credentials (EAC), since I started the post.
Now finally I decided that it was time to clean up the tool, release it, and finish the post.

Start of the tool

I started develop the tools since I needed a easy and clean way to handle my different AWS profiles and a way to create temporary credentials super easy. My profiles was a mix of cross account roles to assume, IAM user credentials with MFA requirements, where I needed session tokens to be able to work smoothly. In both cases I needed to exchange the locked down, secured, long lived credentials for short lived temporary credentials, which in almost all my cases needed to be fetched using MFA.

The AWS CLI give some support out of the box, it will assume the cross account roles but there is no simple way to automatically get session tokens for the IAM users that require MFA.

This led to that I hade to remember which profiles I needed session tokens for and which was roles to be assumed. Therefor I started to create the easy-aws-credentials (EAC) to help out. It has been working great for me so far and made my life easier.

AWS credentials and config

EAC uses the normal AWS configuration and credentials files, with some additions.
These files are normally located in ~/.aws/ folder and are named config and credentials.

Assuming a role

Let's start by creating a profile with a role to assume that uses credentials from a different profile.

[profile role-with-mfa]
output=json
region=eu-west-1
role_arn=arn:aws:iam::123456789011:role/cross-account
source_profile=cross-account-creds
mfa_serial=arn:aws:iam::987654321123:mfa/iam-user

Here the role_arn is the ARN to the role we like to assume. This can be an role in our own account or a role in a different account, that really doesn't matter.
In this example we use the credentials from source_profile when assuming the role. Assuming the role requires MFA so in the config we add the mfa_serial. EAC will automatically ask for the MFA token code.

In the credentials file we add the following.

[cross-account-creds]
aws_access_key_id = HDFGJASGDASGDJHAGDJHAS
aws_secret_access_key = n4h7d3/jhdjmhkjashd/hdshdksahdkjlsa

And no, the credentials are fake so don't try and use them ;)

When we now run AEC it will fetch the credentials, it will ask for MFA token, and it will assume the role. If you specify a profile where to store the credentials AEC will do that as well, that profile you specify when running the command. Next version will have a destination_profile in the configuration as well.

So far what we have done the CLI would do the same for us, except for storing the temporary credentials. I find this highly useful since I can load different profiles easy in different windows.

Session token from profile

This scenario is a bit different, here we don't have a role that we like to assume. Instead MFA has been set as an requirement on the role assign to the IAM user. Once again we need to create a profile and credentials section for that.

[profile iam-user-with-mfa]
output=json
region=eu-west-1
mfa_serial=arn:aws:iam::987654321123:mfa/iam-user

In this profile we remove most parts except the mfa_serial that we still need. That indicates to EAC that it should ask for MFA token when being run.

[iam-user-with-mfa]
aws_access_key_id = HDFGJASGDASGDJHAGDJHAS
aws_secret_access_key = n4h7d3/jhdjmhkjashd/hdshdksahdkjlsa

And still no, the credentials are fake so don't try and use them ;)

In the credentials file we put our long lived credentials that we now like to exchange for short lived temporary credentials with MFA.
AEC will start be calling AWS STS to get session tokens. The MFA will be used to secure everything. And if a destination profile has been specified the credentials will be stored under that profile.

This now enables that the developer to use the CLI smoothly. This is a functionality that the CLI don't offerout of the box.

So why this tool then?

I have been working with different clients that use different ways to secure the CLI credentials. Some work with assuming roles with MFA, others just set an MFA requirement on the IAM user role.
I got tired of remembering which was used for what client. I just wanted one simple way to do this. EAC was born.

Security then?

We could probably debate which of the two ways to protect the credentials that is most secure, best practice, and recommended. For some clients I can't choose, they have already everything setup and this is the way they work. Sometimes you just have to accept that.

But what is important is that in both of the cases the long lived CLI credentials are protected by MFA. To me that is the most important thing.

EAC is open source

The tool is open source and free for anyone to use, modify, extend, do what you want. If you do any cool change contribute it back for others to use.
You find it on GitHub here: easy-aws-credentials (EAC)

There will be more features coming, so stay tuned!