The main concept of Awscred is to handle session token by creating a new AWS credentials file. It helps you by abstracting the process which is to generate a new session token and to share it.
Suppose we need a session token and we want to store it. The first step is to generate a session token with aws command, when you run the command it returns json-format response like below (aws doc).
$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
{
"Credentials": {
"SecretAccessKey": "secret-access-key",
"SessionToken": "temporary-session-token",
"Expiration": "expiration-date-time",
"AccessKeyId": "access-key-id"
}
}After generation, you have to set session token on your AWS credentials file if you need to sharing it, or you have to export values as environment variables.
# credentials file
[defuault-mfa]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-Token-as-in-returned-outputIt is very complicated and also it is a toil because you have to do same process when session token is expired.
Awscred makes you can handle session token without these complicated steps. What is you have to prepare is setting the serial number of IAM user, and after this setting you don’t need to put the serial number anymore because it’s stored at the config file of Awscred.
$ awscred set --on --serial SERIAL After configuration, let’s generate session token.
$ awscred gen --code CODE
$ $(awscred export)Awscred will set session token on the credentials file of Awscred (not AWS) automatically.
You can get some benefits by using Awscred. The best thing is it doesn’t intrude your AWS credentials. In above example, you have to set session token with new profile(default-mfa) on AWS credentials to share it, but Awscred set session token with the same profile so you don’t need to change your profile 🙂. And Awscred copies access keys of other profiles on the Awscred credentials file so that there’s no side effect to replace credentials file.
Download and Install in Linux
$ curl -L https://github.com/hanjunlee/awscred/releases/latest/download/awscred_linux_amd64.tar.gz | tar zx
$ sudo install -t /usr/local/bin awscredDownload and Install in OSX
$ curl -L https://github.com/hanjunlee/awscred/releases/latest/download/awscred_darwin_amd64.tar.gz | tar zx
$ sudo cp awscred /usr/local/binOr Install in OSX by using Brew
$ brew tap hanjunlee/awscred
$ brew install awscredTBD
- Run a new daemon - It creates a new daemon which reflect a session token on new credentials.
$ awscred run- Configure the profile - It configures the serial number and the duration. These values are used as options to generate a session token.
# set up the configuration
$ awscred set --on --serial arn:aws:iam::XXXXXXXX:mfa/USER PROFILE
$ awscred info
NAME ON SERIAL DURATION EXPIRED
PROFILE true arn:aws:iam::XXXXXXXX:mfa/USER PROFILE 43200 0001-01-01T00:00:00Z
...- Generate a new session token
# generate a new session token
$ awscred gen --code XXXXXX PROFILE
$ awscred info
NAME ON SERIAL DURATION EXPIRED
PROFILE true arn:aws:iam::XXXXXXXX:mfa/USER PROFILE 43200 2020-08-22T23:43:50Z (10.9h)
...- Set
AWS_SHARED_CREDENTIALS_FILEenvironment variable - By set the environment of shared credentials file Awscredcredentialsfile,awscommand use the new credentials file.
$(awscred export)- Terminate
# terminate the daemon
$ awscred terminate
$ unset AWS_SHARED_CREDENTIALS_FILE