Add cmd/aws-sts-session to generate STS credentials

Makefile

@@ -2,6 +2,7 @@ GOMOD=$(shell test -f "go.work" && echo "readonly" || echo "vendor")
 LDFLAGS=-s -w
 
 cli:
+	go build -mod $(GOMOD) -ldflags="$(LDFLAGS)" -o bin/aws-sts-session cmd/aws-sts-session/main.go
 	go build -mod $(GOMOD) -ldflags="$(LDFLAGS)" -o bin/aws-mfa-session cmd/aws-mfa-session/main.go
 	go build -mod $(GOMOD) -ldflags="$(LDFLAGS)" -o bin/aws-get-credentials cmd/aws-get-credentials/main.go
 	go build -mod $(GOMOD) -ldflags="$(LDFLAGS)" -o bin/aws-cognito-credentials cmd/aws-cognito-credentials/main.go

README.md

@@ -10,6 +10,7 @@ Go package providing methods and tools for determining or assigning AWS credenti
 
 ```
 $> make cli
+go build -mod vendor -ldflags="-s -w" -o bin/aws-sts-session cmd/aws-sts-session/main.go
 go build -mod vendor -ldflags="-s -w" -o bin/aws-mfa-session cmd/aws-mfa-session/main.go
 go build -mod vendor -ldflags="-s -w" -o bin/aws-get-credentials cmd/aws-get-credentials/main.go
 go build -mod vendor -ldflags="-s -w" -o bin/aws-cognito-credentials cmd/aws-cognito-credentials/main.go
@@ -229,6 +230,70 @@ $> bin/aws-sign-request \
 }
 ```
 
+### aws-sts-session
+
+Generate STS credentials for a given profile and MFA token and then write those credentials back to an AWS "credentials" file in a specific profile section.
+
+```
+$> ./bin/aws-sts-session -h
+Generate STS credentials for a given profile and MFA token and then write those credentials back to an AWS "credentials" file in a specific profile section.
+Usage:
+	 ./bin/aws-sts-session [options]
+Valid options are:
+  -config-uri string
+    	A valid aaronland/gp-aws-auth.Config URI.
+  -mfa
+    	Require a valid MFA token code when assuming role. (default true)
+  -mfa-serial-number string
+    	The unique identifier of the MFA device being used for authentication.
+  -mfa-token string
+    	A valid MFA token string. If empty then data will be read from a command line prompt.
+  -role-arn string
+    	The AWS role ARN URI of the role you want to assume.
+  -role-duration int
+    	The duration, in seconds, of the role session. (default 3600)
+  -role-session string
+    	A unique name to identify the session.
+  -session-profile string
+    	The name of the AWS credentials profile to associate the temporary credentials with.
+```
+
+For example:
+
+```
+$> ./bin/aws-sts-session -config-uri 'aws://?region={REGION}&credentials={CREDENTIALS}' \
+	-role-arn 'arn:aws:iam::{AWS_ACCOUNT}:role/{IAM_ROLE}' \
+	-role-session debug \
+	-mfa-serial-number arn:aws:iam::{AWS_ACCOUNT}:mfa/{MFA_LABEL} \
+	-mfa-token {TOKEN} \
+	-session-profile test
+
+2024/11/08 08:23:25 Assumed role "arn:aws:sts::{AWS_ACCOUNT}:assumed-role/{IAM_ROLE}/debug", expires 2024-11-08 17:23:25 +0000 UTC
+```
+
+Note that this assumes a role with a "trust policy" equivalent to this:
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Statement1",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::{AWS_ACCOUNT}:user/{IAM_USER}"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {
+                "Bool": {
+                    "aws:MultiFactorAuthPresent": true
+                }
+            }
+        }
+    ]
+}
+```
+
 ## Credentials
 
 Credentials for URIs are defined as string labels. They are:
@@ -250,4 +315,4 @@ aws:///us-east-1?credentials=iam:
 
 ## See also:
 
-* https://github.com/aws/aws-sdk-go-v2/
+* https://github.com/aws/aws-sdk-go-v2/

cmd/aws-sts-session/main.go

@@ -0,0 +1,153 @@
+package main
+
+// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts#Client.AssumeRole
+// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts#AssumeRoleInput
+// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts#AssumeRoleOutput
+
+/*
+
+Assume a role with a "trust policy" like this:
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Statement1",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::{AWS_ACCOUNT}:user/{IAM_USER}"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {
+                "Bool": {
+                    "aws:MultiFactorAuthPresent": true
+                }
+            }
+        }
+    ]
+}
+*/
+
+/*
+
+$> ./bin/aws-sts-session -config-uri 'aws://?region={REGION}&credentials={CREDENTIALS}' \
+	-role-arn 'arn:aws:iam::{AWS_ACCOUNT}:role/{IAM_ROLE}' \
+	-role-session debug \
+	-mfa-serial-number arn:aws:iam::{AWS_ACCOUNT}:mfa/{MFA_LABEL} \
+	-mfa-token {TOKEN} \
+	-session-profile test
+
+2024/11/08 08:23:25 Assumed role "arn:aws:sts::{AWS_ACCOUNT}:assumed-role/{IAM_ROLE}/debug", expires 2024-11-08 17:23:25 +0000 UTC
+
+*/
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/aaronland/go-aws-auth"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+)
+
+func main() {
+
+	var config_uri string
+
+	var role_arn string
+	var role_session string
+	var role_duration int // update to use ISO8601 duration string
+
+	var mfa_require bool
+	var mfa_serial string
+	var mfa_token string
+
+	var session_profile string
+
+	flag.StringVar(&config_uri, "config-uri", "", "A valid aaronland/gp-aws-auth.Config URI.")
+
+	flag.StringVar(&role_arn, "role-arn", "", "The AWS role ARN URI of the role you want to assume.")
+	flag.StringVar(&role_session, "role-session", "", "A unique name to identify the session.")
+	flag.IntVar(&role_duration, "role-duration", 3600, "The duration, in seconds, of the role session.")
+
+	flag.BoolVar(&mfa_require, "mfa", true, "Require a valid MFA token code when assuming role.")
+	flag.StringVar(&mfa_serial, "mfa-serial-number", "", "The unique identifier of the MFA device being used for authentication.")
+	flag.StringVar(&mfa_token, "mfa-token", "", "A valid MFA token string. If empty then data will be read from a command line prompt.")
+
+	flag.StringVar(&session_profile, "session-profile", "", "The name of the AWS credentials profile to associate the temporary credentials with.")
+
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Generate STS credentials for a given profile and MFA token and then write those credentials back to an AWS \"credentials\" file in a specific profile section.\n")
+		fmt.Fprintf(os.Stderr, "Usage:\n\t %s [options]\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Valid options are:\n")		
+		flag.PrintDefaults()
+	}
+
+	flag.Parse()
+
+	ctx := context.Background()
+
+	cfg, err := auth.NewConfig(ctx, config_uri)
+
+	if err != nil {
+		log.Fatalf("Failed to create new config, %v", err)
+	}
+
+	creds, err := auth.NewCredentials()
+
+	if err != nil {
+		log.Fatalf("Failed to create new credentials, %v", err)
+	}
+
+	cl := sts.NewFromConfig(cfg)
+
+	assume_opts := &sts.AssumeRoleInput{
+		RoleArn:         aws.String(role_arn),
+		RoleSessionName: aws.String(role_session),
+		DurationSeconds: aws.Int32(int32(role_duration)),
+	}
+
+	if mfa_require {
+
+		mfa_token = strings.TrimSpace(mfa_token)
+
+		if mfa_token == "" {
+			mfa_token = readline("Enter your MFA token code:")
+		}
+
+		assume_opts.SerialNumber = aws.String(mfa_serial)
+		assume_opts.TokenCode = aws.String(mfa_token)
+	}
+
+	rsp, err := cl.AssumeRole(ctx, assume_opts)
+
+	if err != nil {
+		log.Fatalf("Failed to assume role, %v", err)
+	}
+
+	session_creds := rsp.Credentials
+
+	err = creds.SetSessionCredentialsWithProfile(ctx, session_profile, session_creds)
+
+	if err != nil {
+		log.Fatalf("Failed to get credentials with session profile, %v", err)
+	}
+
+	log.Printf(`Assumed role "%s", expires %v`, *rsp.AssumedRoleUser.Arn, *session_creds.Expiration)
+}
+
+func readline(prompt string) string {
+
+	var input string
+
+	fmt.Print(fmt.Sprintf("%s ", prompt))
+	fmt.Scanf("%s", &input)
+
+	// go-sanitize strings here? (20180621/thisisaaronland)
+
+	return strings.Trim(input, " ")
+}

go.mod

@@ -3,27 +3,27 @@ module github.com/aaronland/go-aws-auth
 go 1.22.1
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.32.3
-	github.com/aws/aws-sdk-go-v2/config v1.28.1
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.42
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.18
-	github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.3
-	github.com/aws/aws-sdk-go-v2/service/iam v1.37.3
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.55.3
-	github.com/aws/aws-sdk-go-v2/service/sts v1.32.3
+	github.com/aws/aws-sdk-go-v2 v1.32.4
+	github.com/aws/aws-sdk-go-v2/config v1.28.3
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.44
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19
+	github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.5
+	github.com/aws/aws-sdk-go-v2/service/iam v1.37.4
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.55.5
+	github.com/aws/aws-sdk-go-v2/service/sts v1.32.4
 	github.com/aws/smithy-go v1.22.0
 	github.com/go-ini/ini v1.67.0
 	github.com/sfomuseum/go-flags v0.10.0
 	github.com/sfomuseum/iso8601duration v1.1.0
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 )

go.sum

@@ -1,33 +1,33 @@
-github.com/aws/aws-sdk-go-v2 v1.32.3 h1:T0dRlFBKcdaUPGNtkBSwHZxrtis8CQU17UpNBZYd0wk=
-github.com/aws/aws-sdk-go-v2 v1.32.3/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
-github.com/aws/aws-sdk-go-v2/config v1.28.1 h1:oxIvOUXy8x0U3fR//0eq+RdCKimWI900+SV+10xsCBw=
-github.com/aws/aws-sdk-go-v2/config v1.28.1/go.mod h1:bRQcttQJiARbd5JZxw6wG0yIK3eLeSCPdg6uqmmlIiI=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.42 h1:sBP0RPjBU4neGpIYyx8mkU2QqLPl5u9cmdTWVzIpHkM=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.42/go.mod h1:FwZBfU530dJ26rv9saAbxa9Ej3eF/AK0OAY86k13n4M=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.18 h1:68jFVtt3NulEzojFesM/WVarlFpCaXLKaBxDpzkQ9OQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.18/go.mod h1:Fjnn5jQVIo6VyedMc0/EhPpfNlPl7dHV916O6B+49aE=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 h1:Jw50LwEkVjuVzE1NzkhNKkBf9cRN7MtE1F/b2cOKTUM=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22/go.mod h1:Y/SmAyPcOTmpeVaWSzSKiILfXTVJwrGmYZhcRbhWuEY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 h1:981MHwBaRZM7+9QSR6XamDzF/o7ouUGxFzr+nVSIhrs=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22/go.mod h1:1RA1+aBEfn+CAB/Mh0MB6LsdCYCnjZm7tKXtnk499ZQ=
+github.com/aws/aws-sdk-go-v2 v1.32.4 h1:S13INUiTxgrPueTmrm5DZ+MiAo99zYzHEFh1UNkOxNE=
+github.com/aws/aws-sdk-go-v2 v1.32.4/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
+github.com/aws/aws-sdk-go-v2/config v1.28.3 h1:kL5uAptPcPKaJ4q0sDUjUIdueO18Q7JDzl64GpVwdOM=
+github.com/aws/aws-sdk-go-v2/config v1.28.3/go.mod h1:SPEn1KA8YbgQnwiJ/OISU4fz7+F6Fe309Jf0QTsRCl4=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.44 h1:qqfs5kulLUHUEXlHEZXLJkgGoF3kkUeFUTVA585cFpU=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.44/go.mod h1:0Lm2YJ8etJdEdw23s+q/9wTpOeo2HhNE97XcRa7T8MA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 h1:woXadbf0c7enQ2UGCi8gW/WuKmE0xIzxBF/eD94jMKQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19/go.mod h1:zminj5ucw7w0r65bP6nhyOd3xL6veAUMc3ElGMoLVb4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 h1:A2w6m6Tmr+BNXjDsr7M90zkWjsu4JXHwrzPg235STs4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23/go.mod h1:35EVp9wyeANdujZruvHiQUAo9E3vbhnIO1mTCAxMlY0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 h1:pgYW9FCabt2M25MoHYCfMrVY2ghiiBKYWUVXfwZs+sU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23/go.mod h1:c48kLgzO19wAu3CPkDWC28JbaJ+hfQlsdl7I2+oqIbk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
-github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.3 h1:CPXcVyWI2tI1Z55y3Kx2uJE9yjCIADP+cJPP6qetjhw=
-github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.3/go.mod h1:EKyEAoir6U2D5ETQbx1n3rb6BMi3B3+CkBbvuIti3u0=
-github.com/aws/aws-sdk-go-v2/service/iam v1.37.3 h1:uuoXyOwX2ReYgHJW0W84cKDUrvQNQA2l9KhkXUgT+R4=
-github.com/aws/aws-sdk-go-v2/service/iam v1.37.3/go.mod h1:RCrjvkN/ZpVAzW3ZmIlyflv7MUM45YlWx3v+6MaVX2w=
+github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.5 h1:BH9f0H3Tl44iCofo/Vx+4LGfVJ/Ptjh3j/4cn25cU0E=
+github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.5/go.mod h1:JcmPakQKiVFzqrJFefuBFabERYm56bndwJqMHys0pEg=
+github.com/aws/aws-sdk-go-v2/service/iam v1.37.4 h1:MrH2MJRzxPGXtavvL1JtDLFJzXN+4ObO090jzauqcPk=
+github.com/aws/aws-sdk-go-v2/service/iam v1.37.4/go.mod h1:WJARDpnEOhixhh41f+kTTr67y28OvjIUVht++rfcILY=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3 h1:qcxX0JYlgWH3hpPUnd6U0ikcl6LLA9sLkXE2w1fpMvY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3/go.mod h1:cLSNEmI45soc+Ef8K/L+8sEA3A3pYFEYf5B5UI+6bH4=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.55.3 h1:nbFGlCxyyFe2cgg8WNQQtzDRVczO4+1dL4hd3TDU6MM=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.55.3/go.mod h1:nzUlOBAMlQx9zKwtI10FOzJa2phU6bmFbXhD6LLbr/A=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.3 h1:UTpsIf0loCIWEbrqdLb+0RxnTXfWh2vhw4nQmFi4nPc=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.3/go.mod h1:FZ9j3PFHHAR+w0BSEjK955w5YD2UwB/l/H0yAK3MJvI=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.3 h1:2YCmIXv3tmiItw0LlYf6v7gEHebLY45kBEnPezbUKyU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.3/go.mod h1:u19stRyNPxGhj6dRm+Cdgu6N75qnbW7+QN0q0dsAk58=
-github.com/aws/aws-sdk-go-v2/service/sts v1.32.3 h1:wVnQ6tigGsRqSWDEEyH6lSAJ9OyFUsSnbaUWChuSGzs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.32.3/go.mod h1:VZa9yTFyj4o10YGsmDO4gbQJUvvhY72fhumT8W4LqsE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 h1:tHxQi/XHPK0ctd/wdOw0t7Xrc2OxcRCnVzv8lwWPu0c=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4/go.mod h1:4GQbF1vJzG60poZqWatZlhP31y8PGCCVTvIGPdaaYJ0=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.55.5 h1:lGHvjwVUclt6xo91f+H0vdVMfCjw2zclL0sVQXgTOp8=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.55.5/go.mod h1:zH7gDT/mAjLk10jcoltSXvjruPmvDSpfCTqzA+0B3l4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 h1:HJwZwRt2Z2Tdec+m+fPjvdmkq2s9Ra+VR0hjF7V2o40=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.5/go.mod h1:wrMCEwjFPms+V86TCQQeOxQF/If4vT44FGIOFiMC2ck=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 h1:zcx9LiGWZ6i6pjdcoE9oXAB6mUdeyC36Ia/QEiIvYdg=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4/go.mod h1:Tp/ly1cTjRLGBBmNccFumbZ8oqpZlpdhFf80SrRh4is=
+github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 h1:yDxvkz3/uOKfxnv8YhzOi9m+2OGIxF+on3KOISbK5IU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.32.4/go.mod h1:9XEUty5v5UAsMiFOBJrNibZgwCeOma73jgGwwhgffa8=
 github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
 github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=