Releases: mmmorris1975/aws-runas
1.1.0
Officially release the EC2 Metadata Service mock endpoint feature (--ec2 option)
When using the -l option, filter out role ARNs which contain wildcard characters from the list of roles, as they will not be helpful when building an SDK config file.
Support *nix shell aliases for commands
If on a non-Windows platform (according to runtime.GOOS) where the SHELL environment variable is set (and points to a supported shell), and the command doesn't exist (according to exec.LookPath()), then assume we're trying to use a shell alias and wrap the supplied command in $SHELL to handle the alias.
Currently supported shells:
- bash
- fish
- zsh
- ksh
Change Role Session Name
Change the Role Session Name attribute used in the AssumeRole API call to use the IAM user name for the calling user. This should make it easier to cross-reference user activity between a centralized IAM account and the accounts the operation is run in.
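The cross-referencing described above, as an added example that is not part of aws-runas or its release notes: this Go program pulls the role session name out of the assumed-role ARN in CloudTrail records and groups activity by it. The function names, the bare-array input (real CloudTrail files wrap records in a "Records" key), the account 111122223333 and the role name Deploy are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// event holds only the CloudTrail record fields this example reads.
type event struct {
	EventName    string                      `json:"eventName"`
	Account      string                      `json:"recipientAccountId"`
	UserIdentity struct{ ARN string `json:"arn"` } `json:"userIdentity"`
}

// sessionName parses arn:aws:sts::<account>:assumed-role/<role>/<session-name>.
func sessionName(arn string) (role, session string, ok bool) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) == 6 && parts[2] == "sts" {
		if res := strings.Split(parts[5], "/"); len(res) == 3 && res[0] == "assumed-role" && res[2] != "" {
			return res[1], res[2], true
		}
	}
	return "", "", false
}

// activityByUser groups "account/role:event" entries by role session name (the IAM user name).
func activityByUser(raw []byte) (map[string][]string, error) {
	var events []event
	if err := json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, e := range events {
		// Records whose identity is not an assumed-role ARN are skipped.
		if role, user, ok := sessionName(e.UserIdentity.ARN); ok {
			out[user] = append(out[user], e.Account+"/"+role+":"+e.EventName)
		}
	}
	return out, nil
}

// Constructed sample records (not real log data); the last is a direct IAM user call.
const sample = `[{"eventName":"DeleteBucket","recipientAccountId":"123456789012","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/123456789012-Administrator/iam_user"}},
{"eventName":"RunInstances","recipientAccountId":"111122223333","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/Deploy/iam_user"}},
{"eventName":"ListUsers","recipientAccountId":"987654321098","userIdentity":{"arn":"arn:aws:iam::987654321098:user/iam_user"}}]`

func main() {
	fmt.Println(activityByUser([]byte(sample)))
}
```

Session names that do not match any IAM user in the central account are worth a second look, since the caller chooses the session name.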
Release 1.0.0
aws-runas 1.0 is ready to ship. Thanks to all who took time to test the pre-release versions.
The following has been changed since rc1:
- Add a bash completion script to make life a little easier
- Add the -D flag to sanity check configuration and print resolved profile data
Support longer AssumeRole credential duration
AWS has updated their API to allow Assume Role credentials to last up to 12 hours. This release updates the program to support setting that via the -a flag, with a default setting of 1 hour. Setting this value higher than 1 hour requires the role being assumed to be configured to support a longer credential lifetime. If you see an error similar to:
Error doing AssumeRole: ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
That means the role does not support the requested lifetime, either because the role does not support the extended duration at all (still defaulting to 1 hour), or because the duration is set to something lower than what is being requested.
Additionally, the environment variables AWS_REGION and AWS_PROFILE are now being set based on values found in the config file, or provided profile name, in order to allow requests to target the correct region.
Fix some annoying behaviors
Incorporate PRs #8 and #9 to allow a command without options to work correctly, and to allow a command to be executed with the -e option (and also make the expiration times less dense)
Big thanks to @Danno040 for pulling these together
Also discovered the magic kingpin library configuration to fix the annoying behavior where any arguments passed to the command would be ingested by kingpin and throw errors. Now any arguments specified before the profile arg are consumed by kingpin, and args after the profile are passed through to the command. No more need for --!
Allow role ARN to be passed instead of profile name
Allow the role ARN to be specified instead of the configuration profile name. This will allow the tool to be used in situations where the .aws/config is not set up, and it's just simpler to specify the ARN for simple or automated usage. If a role ARN is provided, but requires MFA, the -M flag has been added so you can provide the MFA device ARN directly as well, instead of relying on the value from the .aws/config file.
Example
MFA not required:
aws-runas arn:aws:iam::123456789012:role/123456789012-Administrator -- aws s3 ls
MFA required:
aws-runas -M arn:aws:iam::987654321098:mfa/iam_user arn:aws:iam::123456789012:role/123456789012-Administrator -- aws s3 ls
Don't worry, the previous behavior of using a "friendly" profile name still works; this just provides another option for running the command.