ssh-grunt

Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc.).


AWS-AUTH-1PASSWORD.md


1Password with AWS

aws-auth script

Before reading these instructions, go through setting up aws-auth and understanding the aws-auth workflow.

jq

You need to install the JSON tool jq for this to work. On a Mac, this can be as simple as `brew install jq`. If this does not work, or if you are on another platform, see the jq documentation for further details.

Setting up the AWS 1Password Record

To make this a little easier to use, add a few extra fields to the record. To make this integration most effective, you should also use 1Password for AWS MFA (within the same record).

  • Add a text field with the label AWS_ACCESS_KEY_ID and the value of your AWS_ACCESS_KEY_ID.
  • Add a password field with the label AWS_SECRET_ACCESS_KEY and the value of your AWS_SECRET_ACCESS_KEY.
  • Add a text field with the label AWS_TOTP_SERIAL_NUMBER and the value of your AWS_TOTP_SERIAL_NUMBER - this should look like arn:aws:iam::<ACCOUNT_NUMBER>:mfa/<USER>.

op

Install and configure the 1Password CLI, op, according to the instructions.

You will need to retrieve your AWS credential UUID with something like this:

```bash
$ op get item '<1PASSWORD AWS LOGIN NAME>' | jq -r '.uuid' | pbcopy
```

Setting up your shell function to combine with 1Password

Add this function to your .zshrc, .bashrc or whatever:

```bash
aws_auth() {
  local AWS_ITEM_ID="<UUID YOU COPIED EARLIER>"
  local AWS_ITEM AWS_CREDS AWS_AUTH
  AWS_ITEM=(op get item "$AWS_ITEM_ID" --fields AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_TOTP_SERIAL_NUMBER)
  # If the 1Password session has expired, sign in and fetch the item again.
  # (Expanding the array as "${AWS_ITEM[@]}" works in both bash and zsh;
  # a bare $AWS_ITEM only expands the first element in bash.)
  if ! AWS_CREDS="$("${AWS_ITEM[@]}")"; then
    eval "$(op signin)" && AWS_CREDS="$("${AWS_ITEM[@]}")" || return 1
  fi
  export AWS_ACCESS_KEY_ID="$(echo "$AWS_CREDS" | jq -r '.AWS_ACCESS_KEY_ID')"
  export AWS_SECRET_ACCESS_KEY="$(echo "$AWS_CREDS" | jq -r '.AWS_SECRET_ACCESS_KEY')"
  # aws-auth prints export statements for the temporary credentials; eval them.
  AWS_AUTH=(aws-auth --serial-number "$(echo "$AWS_CREDS" | jq -r '.AWS_TOTP_SERIAL_NUMBER')" --token-code "$(op get totp "$AWS_ITEM_ID")")
  if [ -z "$1" ]; then
    eval "$("${AWS_AUTH[@]}")"
  else
    eval "$("${AWS_AUTH[@]}" --role-arn "$1")"
  fi
}
```

then run `source ~/.bashrc` or `source ~/.zshrc` or whatever.

Usage

This allows you to run `aws_auth` to add your MFA token to the current session, or `aws_auth <ROLE ARN>` to assume a new role.
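A pre-flight check for the 1Password record, added here as an example and not part of the Gruntwork code: it parses the flat JSON that `op get item --fields ...` returns (assumed shape, no escaped quotes in values), confirms all three fields are present and that the MFA serial has the `arn:aws:iam::<ACCOUNT_NUMBER>:mfa/<USER>` form described above, so a half-configured record fails before any credentials are exported. The sample item and its values are constructed; `json_field`, `valid_mfa_serial`, `valid_totp_code` and `check_aws_item` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the repo: validate the 1Password AWS record before
# handing its values to aws-auth.

# Constructed sample of the `op get item --fields ...` output (fake values).
SAMPLE_ITEM='{"AWS_ACCESS_KEY_ID":"AKIAEXAMPLEEXAMPLE12","AWS_SECRET_ACCESS_KEY":"fakeSecretfakeSecretfakeSecretfakeSecre1","AWS_TOTP_SERIAL_NUMBER":"arn:aws:iam::123456789012:mfa/alice"}'

# Extract one string field from a flat JSON object without jq.
# Assumes values contain no escaped quotes; prints nothing if the key is absent.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\":\"\\([^\"]*\\)\".*/\\1/p"
}

# The MFA serial must look like arn:aws:iam::<12-digit account>:mfa/<user>.
valid_mfa_serial() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:mfa/[^/[:space:]]+$'
}

# A TOTP code from `op get totp` is exactly six digits.
valid_totp_code() {
  printf '%s' "$1" | grep -Eq '^[0-9]{6}$'
}

# Returns 0 only when all three fields are present and well-formed.
check_aws_item() {
  item="$1"
  key_id=$(json_field AWS_ACCESS_KEY_ID "$item")
  secret=$(json_field AWS_SECRET_ACCESS_KEY "$item")
  serial=$(json_field AWS_TOTP_SERIAL_NUMBER "$item")
  [ -n "$key_id" ] || { echo "missing AWS_ACCESS_KEY_ID field" >&2; return 1; }
  [ -n "$secret" ] || { echo "missing AWS_SECRET_ACCESS_KEY field" >&2; return 1; }
  valid_mfa_serial "$serial" || { echo "bad AWS_TOTP_SERIAL_NUMBER: '$serial'" >&2; return 1; }
  return 0
}

# Usage: run the check on the constructed sample.
check_aws_item "$SAMPLE_ITEM" && echo "record OK"
```

Inside `aws_auth`, a line such as `check_aws_item "$AWS_CREDS" || return 1` placed right after `AWS_CREDS` is fetched stops the function before the `export` statements when the record is incomplete.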
