
Add flag to specify role for all org accounts (#13)
* Add flag to specify role for all org accounts

* Update README.md
bemica authored May 5, 2021
1 parent 6c8e52a commit 5d3d224
Showing 5 changed files with 28 additions and 5 deletions.
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -88,8 +88,13 @@ OPTIONAL
--keep-custom-config=true Retains any custom profiles or settings. Set to false to remove everything
except the source profile and generated config
--use-role-name-in-profile=false Append the role name to the profile name
--role=STRING If set, then a profile with this role will be generated for every account in the organization, in addition to the roles that the user has permissions to assume
```

Note: When using the `--role` flag we do not check to see if the user has permission to assume that role. This is useful
if the user has a policy that allows them e.g. `sts:AssumeRole` on resource `*` and the target accounts
manage who is allowed to assume various roles.

### aws-extend-switch-roles

Run `aws-vault exec default -- ./aws-cfg-generator switch-roles --output-file=output.ini`, then copy/paste it into your aws-extend-switch-roles settings page.
3 changes: 2 additions & 1 deletion pkg/cmd/cli.go
Expand Up @@ -17,5 +17,6 @@ package cmd
type CLI struct {
Vault VaultCmd `cmd help:"generates a config for aws-vault"`
SwitchRoles SwitchRolesCmd `cmd help:"generates a config for aws-extend-switch-roles"`
Debug bool `help:"set the log level to debug" default:false`
Debug bool `help:"set the log level to debug" default:"false"`
Role string `help:"If set, then a profile with this role will be generated for every account in the organization, in addition to the roles that the user has permissions to assume"`
}
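Review bot: The help text on the new `Role` field omits what the README note in this commit states — that a profile for the role is emitted for every organization account without checking the caller can actually assume it — so `--help` users get profiles that may fail on first use with no hint why. Suggest extending the tag: `help:"If set, a profile with this role is generated for every account in the organization, in addition to the roles the user has permission to assume; the role is NOT checked for assumability"`. The value is later interpolated straight into an IAM ARN (see pkg/util/aws.go), so documenting it as a bare role name, not a path or ARN, would also help.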
2 changes: 1 addition & 1 deletion pkg/cmd/switch_roles.go
Expand Up @@ -27,7 +27,7 @@ type SwitchRolesCmd struct {
}

func (swc *SwitchRolesCmd) Run(cli *CLI) error {
roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts()
roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts(cli.Role)
generateSwitchRolesProfile(accountMap, roleArns, cli.SwitchRoles)

return nil
2 changes: 1 addition & 1 deletion pkg/cmd/vault.go
Expand Up @@ -31,7 +31,7 @@ type VaultCmd struct {
}

func (vc *VaultCmd) Run(cli *CLI) error {
roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts()
roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts(cli.Role)
generateVaultProfile(accountMap, roleArns, cli.Vault)

return nil
21 changes: 19 additions & 2 deletions pkg/util/aws.go
Expand Up @@ -56,7 +56,17 @@ func GetAWSContext() (client *AWSContext) {
}
}

func (ctx *AWSContext) GetRolesAndAccounts() (roleArns []string, accountMap map[string]string) {
func generateOrgRoleArns(accountMap map[string]string, role string) []string {
var roles []string

for accountId := range accountMap {
roles = append(roles, fmt.Sprintf("arn:aws:iam::%s:role/%s", accountId, role))
}

return roles
}

func (ctx *AWSContext) GetRolesAndAccounts(role string) (roleArns []string, accountMap map[string]string) {
cRoles := make(chan []string)
cAccount := make(chan map[string]string)

Expand All @@ -68,8 +78,15 @@ func (ctx *AWSContext) GetRolesAndAccounts() (roleArns []string, accountMap map[
cAccount <- ctx.getAccountNames()
}()

roleArns = <-cRoles
accountMap = <-cAccount
close(cAccount)

if role != "" {
roleArns = generateOrgRoleArns(accountMap, role)
}

roleArns = append(roleArns, <-cRoles...)
close(cRoles)

return
}
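Review bot: The ARN built on the `fmt.Sprintf` line in `generateOrgRoleArns` hard-codes the `arn:aws` partition, so with `--role` set the generated profiles point at non-existent principals for any account in the `aws-cn` or `aws-us-gov` partitions, and because the loop ranges over a map the order of generated profiles changes on every run, making the output non-reproducible. The role name is also interpolated without validation, so a value like `Admin/` or one containing spaces yields a malformed ARN silently instead of an error; a check against IAM's role-name character set before building ARNs would make that loud. Separately, when the caller is also explicitly permitted to assume `role/<name>` in some account, that ARN appears both in the generated list and in the list received from `cRoles`, so `roleArns` can contain duplicates — whether that becomes duplicate profiles depends on the generators, which are outside this hunk. Below is a deterministic version of `generateOrgRoleArns` with the partition issue called out; it needs `sort` added to the file's imports.
```go
// generateOrgRoleArns builds one role ARN per organization account for the
// given role name. Account IDs are visited in sorted order so the generated
// config is stable across runs.
func generateOrgRoleArns(accountMap map[string]string, role string) []string {
	accountIds := make([]string, 0, len(accountMap))
	for accountId := range accountMap {
		accountIds = append(accountIds, accountId)
	}
	sort.Strings(accountIds)

	roles := make([]string, 0, len(accountIds))
	for _, accountId := range accountIds {
		// TODO(review): partition is hard-coded; accounts in aws-cn / aws-us-gov
		// need "arn:aws-cn" / "arn:aws-us-gov". Role name is not validated here.
		roles = append(roles, fmt.Sprintf("arn:aws:iam::%s:role/%s", accountId, role))
	}

	return roles
}
```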
