1
votes

I have a root account whose Account ID is 1234 and I have MFA-enabled authentication; my username is myuser12. I could log in with the Account ID, my username and my password, and it then asks for the MFA token code. Once I entered the token code, I could see the instances under my root account for specific location(s).

I could switch role to a new account (5678) with my role (in my case, the role is the same across all accounts) along with any alias name for it. Once the switch role is done, I could see all the instances under the new account in specific location(s).

Everything is fine via the web console. When I try to access them via the CLI, I couldn't get the result for the new account (5678), but it works for the 1234 account's locations.

Account ID - Location    - No. of instances
1234       - us-east-1   - 5 instances
1234       - eu-west-3   - 2 instances
5678       - eu-north-1  - 5 instances
5678       - eu-west-1   - 5 instances

and so on.

My initial .aws/config content:

[profile default]
region = us-east-1
output = json

.aws/credentials content:

[default]
# long-lived IAM user keys from the downloaded CSV
aws_access_key_id = accesskeyIdFromDownloadedCSV
aws_secret_access_key = secretAccessKeyFromDownloadedCSV

Now, if I try to query any instance I get an error, since I haven't generated the access key token with MFA.

aws rds describe-db-instances --query 'DBInstances[?DBInstanceClass==`db.m3.large`]' --profile default --no-verify-ssl

So I have to get my MFA ARN and then get the instant access key ID, secret access key and session token.

aws iam list-mfa-devices --user-name myuser12

I got the "SerialNumber" (MFA ARN) from the above command, which I need later to generate the session token.

Now,

aws sts get-session-token --serial-number arn:aws:iam::1234:mfa/myuser12 --token-code 123456

Note: 123456 (token-code) is generated by my virtual MFA device.

Now I have the SessionToken (aws_session_token), SecretAccessKey (aws_secret_access_key) and AccessKeyId (aws_access_key_id) from the above command, along with the expiration timestamp.

So I have updated the .aws/config and .aws/credentials files with the new credentials.

.aws/config file content:

[profile default]
region = us-east-1
output = json

[profile newacc]
region = eu-west-1
role_arn = arn:aws:iam::5678:role/myRole
# the credentials of this profile are used for the AssumeRole call
source_profile = default
output = json

.aws/credentials content:

[default]
# temporary keys returned by get-session-token
aws_access_key_id = NewIdFromMFACommand
aws_secret_access_key = NewKeyFromMFACommand
aws_session_token = TokenFromMFACommand

[newacc]
region = eu-west-1
role_arn = arn:aws:iam::5678:role/myRole
source_profile = default
output = json

Now I can execute my initial command:

aws rds describe-db-instances --query 'DBInstances[?DBInstanceClass==`db.m3.large`]' --profile default --no-verify-ssl

And I get the list of db.m3.large type instances.

But when I try with --profile newacc I am not getting anything. I am really confused about what to change and where to change it.

When you say you are "not getting anything", do you mean that the call to describe-db-instances with profile newacc succeeded, but that it returned zero DB instances? - jarmod
No, it didn't go through. It took a couple of seconds and returned nothing, not even an empty JSON array. - Spike
If it's a credential error then you'd see that. If there are no matching DB instances then you should see [] as a response. Can you make sure that your awscli is up to date? One question: why are you indicating --no-verify-ssl? - jarmod
You are wanting to assume a role from temporary credentials? That might be causing the problem. I would recommend taking the results from get-session-token and storing them in a different profile via aws configure --profile sts, thereby keeping your default credentials. Then, when you use --profile newacc, it will assume the role using your "normal" credentials. (Or do you need MFA even for assuming a role?) - John Rotenstein
@jarmod, it was showing some SSL verification failed error, so I used this switch. - Spike

2 Answers

0
votes

This configuration block:

[profile newacc]
region = eu-west-1
role_arn = arn:aws:iam::5678:role/myRole
source_profile = default
output = json

means that you wish to assume myRole. However, assuming a role can only be done by IAM Users who are authorized to assume the role. Therefore, some normal IAM credentials are required to prove your identity. This is done via the source_profile.

The source_profile = default line means that the credentials in the default profile will be used to call AssumeRole.

I recommend that you keep your default credentials as your normal IAM credentials. When you call aws sts get-session-token, store the result in a different profile (not default, not newacc). You can do this with aws configure --profile sts (for example).

When you wish to assume myRole, you can use --profile newacc. This will use your default credentials to call AssumeRole and will use the role's credentials for the call being made.

The result is three profiles:

  • default for calling get-session-token and AssumeRole
  • sts for proving you have an MFA
  • newacc for using the role
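To make the three-profile layout from this answer concrete, and to catch the misspelled credential keys that appear in the question's files, here is an added shell example (not code from the question or the answers). It writes the default, sts and newacc profiles with the exact key names the AWS CLI reads, adds a check that rejects any key the CLI would silently ignore (such as aws_secrect_access_key or aws_aws_session_token), and includes a wrapper around aws sts get-session-token that stores its output in the sts profile. All key values are placeholders; the account ID 5678 and role name myRole are the ones from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Builds the
# three-profile layout (default = long-lived IAM user keys, sts = MFA session
# keys, newacc = role assumed via source_profile) and checks that every key in
# the credentials file is one the AWS CLI reads, so a misspelling such as
# aws_secrect_access_key fails loudly instead of being silently ignored.
# All key values, account IDs and names below are placeholders.

# Append one credentials section: file profile access_key_id secret [session_token]
write_credentials_profile() {
    file=$1; profile=$2; key_id=$3; secret=$4; token=${5:-}
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id = %s\n' "$key_id"
        printf 'aws_secret_access_key = %s\n' "$secret"
        if [ -n "$token" ]; then
            printf 'aws_session_token = %s\n' "$token"
        fi
        printf '\n'
    } >> "$file"
}

# Append a role profile to the config file. The CLI calls AssumeRole with the
# credentials of source_profile and signs the actual request with the role's keys.
write_role_profile() {
    file=$1; profile=$2; region=$3; role_arn=$4; source=$5
    {
        printf '[profile %s]\n' "$profile"
        printf 'region = %s\n' "$region"
        printf 'role_arn = %s\n' "$role_arn"
        printf 'source_profile = %s\n' "$source"
        printf 'output = json\n\n'
    } >> "$file"
}

# Return 0 when every "key = value" line uses a key the CLI understands,
# otherwise print the unknown keys on stderr and return 1.
check_credentials_keys() {
    file=$1
    bad=$(sed -nE 's/^[[:space:]]*([A-Za-z_]+)[[:space:]]*=.*/\1/p' "$file" \
        | grep -Ev '^(aws_access_key_id|aws_secret_access_key|aws_session_token|region|output|role_arn|source_profile|mfa_serial)$' || true)
    if [ -n "$bad" ]; then
        printf 'unknown credentials key(s): %s\n' "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Fetch MFA session keys and store them in the sts profile. This needs the real
# CLI and network access, so it is not exercised offline; --query with
# --output text prints the three values on one tab-separated line.
store_mfa_session() {
    file=$1; mfa_arn=$2; code=$3
    set -- $(aws sts get-session-token --serial-number "$mfa_arn" --token-code "$code" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
    write_credentials_profile "$file" sts "$1" "$2" "$3"
}

# Write the complete layout into DIR using constructed placeholder values.
build_layout() {
    dir=$1
    : > "$dir/credentials"
    write_credentials_profile "$dir/credentials" default AKIA_LONG_LIVED_PLACEHOLDER longLivedSecretPlaceholder
    write_credentials_profile "$dir/credentials" sts ASIA_SESSION_PLACEHOLDER sessionSecretPlaceholder sessionTokenPlaceholder
    printf '[profile default]\nregion = us-east-1\noutput = json\n\n' > "$dir/config"
    write_role_profile "$dir/config" newacc eu-west-1 arn:aws:iam::5678:role/myRole default
    check_credentials_keys "$dir/credentials"
}

# Usage: build_layout "$(mktemp -d)" and point the CLI at the result with
# AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE, or write into ~/.aws directly.
```

Running check_credentials_keys against the credentials file from the question would report aws_secrect_access_key and aws_aws_session_token as unknown; the CLI itself gives no such warning, which is why a profile can look complete and still fail.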
0
votes

Finally it works! It seems I need to run the command below for each account.

aws sts assume-role --role-arn "arn:aws:iam::5678:role/MyRoleForThisAccount" --role-session-name AWSCLI-Session

Note: give the respective role (MyRoleForThisAccount) assigned to your user in IAM and make sure your user has permission to call AssumeRole.

And update the result (credentials) in each respective block in the ~/.aws/credentials file. So the credentials file will look like:

[default]
# temporary keys returned by get-session-token
aws_access_key_id = NewIdFromMFACommand
aws_secret_access_key = NewKeyFromMFACommand
aws_session_token = TokenFromMFACommand

[newacc]
# temporary keys returned by assume-role for this account
aws_access_key_id = NewIdFromAssumeRoleCommandForThisAccount
aws_secret_access_key = NewKeyFromAssumeRoleCommandForThisAccount
aws_session_token = NewTokenFromAssumeRoleCommandForThisAccount

And the ~/.aws/config file will be:

[profile default]
region = us-east-1
output = json

[profile newacc]
region = eu-west-1
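For comparison with the manual approach in this answer, here is an added configuration (not from either answer) in which the CLI runs AssumeRole itself and prompts for the MFA code, so no temporary keys ever have to be pasted into the credentials file by hand. The account IDs 1234 and 5678, the role myRole and the user myuser12 are the placeholders from the question; mfa_serial is the CLI's own config key for the MFA device ARN.

```ini
# ~/.aws/credentials: only the long-lived IAM user keys live here
[default]
aws_access_key_id = accesskeyIdFromDownloadedCSV
aws_secret_access_key = secretAccessKeyFromDownloadedCSV

# ~/.aws/config
[profile default]
region = us-east-1
output = json

[profile newacc]
region = eu-west-1
role_arn = arn:aws:iam::5678:role/myRole
source_profile = default
# the CLI asks for the code from this device before calling AssumeRole
mfa_serial = arn:aws:iam::1234:mfa/myuser12
output = json
```

With this layout, aws rds describe-db-instances --profile newacc prompts for the MFA code on first use, caches the role credentials until they expire, and the default profile keeps working with the long-lived keys, which is the three-profile separation the other answer recommends without a separate sts profile.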