diff --git a/README.md b/README.md
index 3e20d40..34889f9 100644
--- a/README.md
+++ b/README.md
@@ -88,8 +88,13 @@ OPTIONAL
 --keep-custom-config=true Retains any custom profiles or settings. Set to false to remove everything except the source profile and generated config
 --use-role-name-in-profile=false Append the role name to the profile name
+--role=STRING If set, then a profile with this role will be generated for every account in the organization, in addition to the roles that the user has permissions to assume
 ```
+Note: When using the `--role` flag we do not check to see if the user has permission to assume that role. This is useful
+if the user has a policy that allows them e.g. `sts:AssumeRole` on resource `*` and the target accounts
+manage who is allowed to assume various roles.
+
 ### aws-extend-switch-roles
 Run `aws-vault exec default -- ./aws-cfg-generator switch-roles --output-file=output.ini`, then copy/paste it into your aws-extend-switch-roles settings page.
diff --git a/pkg/cmd/cli.go b/pkg/cmd/cli.go
index 758f8c2..92afc03 100644
--- a/pkg/cmd/cli.go
+++ b/pkg/cmd/cli.go
@@ -17,5 +17,6 @@ package cmd
 type CLI struct {
 Vault VaultCmd `cmd help:"generates a config for aws-vault"`
 SwitchRoles SwitchRolesCmd `cmd help:"generates a config for aws-extend-switch-roles"`
- Debug bool `help:"set the log level to debug" default:false`
+ Debug bool `help:"set the log level to debug" default:"false"`
+ Role string `help:"If set, then a profile with this role will be generated for every account in the organization, in addition to the roles that the user has permissions to assume"`
 }
diff --git a/pkg/cmd/switch_roles.go b/pkg/cmd/switch_roles.go
index 31f36bb..2e6603d 100644
--- a/pkg/cmd/switch_roles.go
+++ b/pkg/cmd/switch_roles.go
@@ -27,7 +27,7 @@ type SwitchRolesCmd struct {
 }
 func (swc *SwitchRolesCmd) Run(cli *CLI) error {
- roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts()
+ roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts(cli.Role)
 generateSwitchRolesProfile(accountMap, roleArns, cli.SwitchRoles)
 return nil
diff --git a/pkg/cmd/vault.go b/pkg/cmd/vault.go
index a39c4f5..93391e5 100644
--- a/pkg/cmd/vault.go
+++ b/pkg/cmd/vault.go
@@ -31,7 +31,7 @@ type VaultCmd struct {
 }
 func (vc *VaultCmd) Run(cli *CLI) error {
- roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts()
+ roleArns, accountMap := util.GetAWSContext().GetRolesAndAccounts(cli.Role)
 generateVaultProfile(accountMap, roleArns, cli.Vault)
 return nil
diff --git a/pkg/util/aws.go b/pkg/util/aws.go
index 6daba51..5f4c5bb 100644
--- a/pkg/util/aws.go
+++ b/pkg/util/aws.go
@@ -56,7 +56,17 @@ func GetAWSContext() (client *AWSContext) {
 }
 }
-func (ctx *AWSContext) GetRolesAndAccounts() (roleArns []string, accountMap map[string]string) {
+func generateOrgRoleArns(accountMap map[string]string, role string) []string {
+ var roles []string
+
+ for accountId := range accountMap {
+ roles = append(roles, fmt.Sprintf("arn:aws:iam::%s:role/%s", accountId, role))
+ }
+
+ return roles
+}
+
+func (ctx *AWSContext) GetRolesAndAccounts(role string) (roleArns []string, accountMap map[string]string) {
 cRoles := make(chan []string)
 cAccount := make(chan map[string]string)
@@ -68,8 +78,15 @@ func (ctx *AWSContext) GetRolesAndAccounts() (roleArns []string, accountMap map[
 cAccount <- ctx.getAccountNames()
 }()
- roleArns = <-cRoles
 accountMap = <-cAccount
+ close(cAccount)
+
+ if role != "" {
+ roleArns = generateOrgRoleArns(accountMap, role)
+ }
+
+ roleArns = append(roleArns, <-cRoles...)
+ close(cRoles)
 return
 }
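Review bot: `generateOrgRoleArns` ranges directly over `accountMap`, so the ARNs it returns come out in a different order on every run and the generated config files will not be stable between invocations. Collect and sort the keys first, e.g. `for _, accountID := range slices.Sorted(maps.Keys(accountMap)) {` on Go 1.23+ (or `sort.Strings` over a collected key slice on older toolchains), which also corrects the `accountId` initialism to `accountID`. The `arn:aws:iam::` prefix hard-codes the standard partition, so accounts in the `aws-cn` or `aws-us-gov` partitions would receive ARNs that do not exist; if that limitation is accepted it deserves a comment such as `// Assumes the standard "aws" partition; GovCloud/China accounts need a different ARN prefix.` The new function is complete within the hunk; GetRolesAndAccounts continues past it.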
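Review bot: The org-generated ARNs and the discovered ones are concatenated without deduplication at `roleArns = append(roleArns, <-cRoles...)`, so an account in which the user can already assume `role` presumably appears twice, and since both callers pass `roleArns` straight into profile generation that would likely produce duplicate profiles. An order-preserving dedupe after the append (below) avoids that without changing which entries come first. Separately, `close(cAccount)` and `close(cRoles)` close the channels from the receiving side; each carries exactly one value from a goroutine started outside the hunk, so the closes are harmless but unidiomatic and can simply be dropped. The enclosing function starts in the previous hunk.
```go
	roleArns = append(roleArns, <-cRoles...)

	// Drop duplicates while keeping first-seen order: an org-generated ARN
	// can also be present in the discovered list.
	seen := make(map[string]struct{}, len(roleArns))
	deduped := roleArns[:0]
	for _, arn := range roleArns {
		if _, ok := seen[arn]; ok {
			continue
		}
		seen[arn] = struct{}{}
		deduped = append(deduped, arn)
	}
	roleArns = deduped
	// … unchanged: return …
```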