# Usage

There are quite a few things awsume can do for you.

If you run awsume -h you can see a sizeable list of options (as of 4.0.0):

```
usage: awsume [-h] [-v] [-r] [-s] [-u] [-a] [-k] [-o] [-l [more]]
              [--refresh-autocomplete] [--role-arn role_arn]
              [--source-profile source_profile] [--external-id external_id]
              [--mfa-token mfa_token] [--region region]
              [--session-name session_name] [--session-policy session_policy]
              [--session-policy-arns session_policy_arns [session_policy_arns...]]
              [--role-duration role_duration] [--with-saml | --with-web-identity]
              [--credentials-file credentials_file] [--config-file config_file]
              [--config [option [option ...]]] [--info] [--debug]
              [profile_name]

Awsume - A cli that makes using AWS IAM credentials easy

positional arguments:
  profile_name                         The target profile name

optional arguments:
  -h, --help                           show this help message and exit
  -v, --version                        Display the current version of awsume
  -r, --refresh                        Force refresh credentials
  -s, --show-commands                  Show the commands to set the credentials
  -u, --unset                          Unset your aws environment variables
  -o, --output-profile output_profile  A profile to output credentials to
  -a, --auto-refresh                   Auto refresh credentials
  -k, --kill-refresher                 Kill autoawsume
  -l [more], --list-profiles [more]    List profiles, "more" for detail (slow)
  --role-arn role_arn                  Role ARN to assume
  --source-profile source_profile      source_profile to use (role-arn only)
  --external-id external_id            External ID to pass to the assume_role
  --mfa-token mfa_token                Your mfa token
  --region region                      The region you want to awsume into
  --session-name session_name          Set a custom role session name
  --session-policy session_policy      Custom session policy JSON
  --session-policy-arns [arns ...]     List of policy ARNs
  --role-duration role_duration        Seconds to get role creds for
  --with-saml                          Use saml (requires plugin)
  --with-web-identity                  Use web identity (requires plugin)
  --credentials-file credentials_file  Target a shared credentials file
  --config-file config_file            Target a config file
  --config [option [option ...]]       Configure awsume
  --list-plugins                       List installed plugins
  --info                               Print any info logs to stderr
  --debug                              Print any debug logs to stderr

Thank you for using AWSume! Check us out at https://trek10.com
```

# Refresh

The --refresh flag will tell awsume to ignore any cached credentials and get a new session token.

# Show Commands

The --show-commands flag will display the exact commands required to export awsume's credentials to a different shell session, like this:

```
$ awsume my-admin -s
export AWS_ACCESS_KEY_ID=<SECRET>
export AWS_SECRET_ACCESS_KEY=<SECRET>
export AWS_SESSION_TOKEN=<SECRET>
export AWS_SECURITY_TOKEN=<SECRET>
export AWS_REGION=<REGION>
export AWS_DEFAULT_REGION=<REGION>
export AWSUME_PROFILE=my-admin
export AWSUME_EXPIRATION=<YYYY-mm-ddTHH:MM:SS>
```

This way you can easily get credentials to another shell session, for instance through ssh.

This works on Bash, Zsh, Fish, PowerShell, and Windows Command Prompt.

# Unset

The --unset flag will clear your current shell's AWS environment variables.

# Output Profile

The -o/--output-profile flag will tell awsume to write awsume'd credentials to the specified output profile.

Note: Awsume will not overwrite an existing profile that is not managed by awsume (noted by the manager = awsume property).
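
The overwrite rule in the note above, applied to a shared credentials file. This is an added example, not awsume's own code; the function names and the sample file (placeholder values only) are constructed.

```shell
# Added example, not awsume's code: apply the overwrite rule stated above to a
# shared credentials file. Function names and the sample file are constructed.

# Print "<profile><TAB>managed|unmanaged" for every section in file $1.
classify_profiles() {
  awk '
    function emit() { if (name != "") print name "\t" (managed ? "managed" : "unmanaged") }
    /^[ \t]*\[.*\][ \t]*$/ {                 # section header such as [my-admin]
      emit(); name = $0; managed = 0
      gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
      next
    }
    /^[ \t]*[#;]/ { next }                   # comment line
    {
      split($0, kv, "="); key = kv[1]; val = kv[2]
      gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "manager" && val == "awsume") managed = 1
    }
    END { emit() }
  ' "$1"
}

# Succeed if -o may target profile $1 in file $2: it is absent or awsume-managed.
can_output_to() {
  state="$(classify_profiles "$2" | awk -F '\t' -v p="$1" '$1 == p { print $2 }')"
  [ -z "$state" ] || [ "$state" = "managed" ]
}

# Write a constructed credentials file (placeholder values only) to path $1.
write_sample() {
  cat > "$1" <<'EOF'
[iam]
aws_access_key_id = <SECRET>
aws_secret_access_key = <SECRET>

[ci-output]
manager = awsume
aws_access_key_id = <SECRET>
aws_session_token = <SECRET>
EOF
}

sample="$(mktemp)"
write_sample "$sample"
for p in iam ci-output new-profile; do
  can_output_to "$p" "$sample" && echo "$p: ok to use with -o" || echo "$p: refused"
done
rm -f "$sample"
```

Profiles reported as managed hold temporary credentials that awsume wrote to disk, so the same listing is a quick way to see where session credentials are stored.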

# Auto Refresh

The --auto-refresh flag will tell awsume to automatically refresh the credentials. You can read more about how this works here.

# Kill Refresher

The --kill-refresher flag will handle stopping autoawsume from refreshing a profile. If you pass a profile name along with the flag, that profile will no longer be refreshed. If no profile name is passed along with this flag, then all auto-refreshed profiles will be stopped.

# List Profiles

The --list-profiles flag will list data on all of the profiles it has available to it (from the config and shared credentials files or any plugins).

If you supply an additional argument "more" to this flag, you can tell awsume to get more data than what is present locally. Currently this only means making the sts.get_caller_identity call to get the account ID if it can't derive it from a role_arn or mfa_serial, which will of course be slower.

```
========================AWS Profiles=======================
PROFILE         TYPE  SOURCE  MFA?  REGION     ACCOUNT
app-dev         User  None    No    us-east-1  Unavailable
app-staging     User  None    No    us-east-1  Unavailable
app-prod        User  None    No    us-east-1  Unavailable
iam             User  None    No    us-east-1  Unavailable
client-dev      Role  iam     Yes   us-west-2  123123123123
client-staging  Role  iam     Yes   us-west-2  234234234234
client-prod     Role  iam     Yes   us-west-2  345345345345
```

In this output, a profile whose TYPE is "Role" has a role_arn. A profile without a role_arn is classified as a "User" profile.

# Refresh Autocomplete

In order to keep autocomplete fast, we do not make use of any of awsumepy's modules or any pkg_resources slow entry points. However, this means that any plugins that supply profiles won't be able to supply autocomplete with their profile names. To circumvent this, we utilize an autocomplete file located at ~/.awsume/autocomplete.json. When you pass the --refresh-autocomplete flag to awsume, it makes the calls to all plugins to collect all profile names together into that file. That way, when the awsume-autocomplete helper is called, it simply reads from the config and credentials files, and the ~/.awsume/autocomplete.json file to return a list of awsume-able profile names.

# Role ARN

As of awsume 4, you can use the --role-arn flag to awsume a specific role using your current credentials. You can also use a shorthand in the format <account_id>:<role_name>. This way you can role-chain as much as you want.

# Source Profile

To help with the Role ARN flag, you can pass in a --source-profile flag to target a specific profile to be the source of the assume_role call for the given role arn.

# External ID

If you don't have an external ID for your role present in your config or credentials files, you can supply this through the command line with the --external-id flag.

# MFA Token

If you want to supply the mfa token through the CLI without the interactive prompt, you can supply the --mfa-token flag with your mfa code.

# Region

You can target a specific region to awsume with the --region flag. This basically amounts to setting the AWS_REGION and AWS_DEFAULT_REGION environment variables. This is useful for overriding the region found in a config profile.

# Session Name

You can supply your own session name to the assume_role call with the --session-name flag.

# Session Policy, Policy ARNs

You can define your own session policy for a given awsume session. You can do this by specifying the policy JSON or a list of policy ARNs.

Specifying policy JSON:

```
$ awsume myprofile --session-policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}'
```

Specifying policy ARNs:

```
$ awsume myprofile --session-policy-arns 'arn:aws:iam::aws:policy/job-function/Billing'
```
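
A session policy can only narrow what the assumed role already allows: the session's effective permissions are the intersection of the role's policies and the session policy. The added example below (not from the awsume project; the function names and bucket name are constructed) builds a read-only policy for one S3 bucket, rejects names that could break out of the JSON, and checks the 2,048-character limit AWS places on inline session policies.

```shell
# Added example, not awsume's code. Function names and the bucket name are
# constructed; nothing here calls AWS or awsume.

# AWS limit on the plaintext of an inline session policy, in characters.
MAX_SESSION_POLICY_CHARS=2048

# Succeed only for S3-style bucket names (3-63 chars of a-z, 0-9, '.', '-'),
# so the value cannot break out of the JSON string it is interpolated into.
valid_bucket_name() (
  LC_ALL=C
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ] || exit 1
  case "$1" in
    *[!a-z0-9.-]* | [.-]* | *[.-]) exit 1 ;;
  esac
  exit 0
)

# Print a policy allowing only reads on bucket $1; fail on an unsafe name.
readonly_bucket_policy() {
  valid_bucket_name "$1" || { echo "invalid bucket name" >&2; return 1; }
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
  printf '"Action":["s3:GetObject","s3:ListBucket"],'
  printf '"Resource":["arn:aws:s3:::%s","arn:aws:s3:::%s/*"]}]}\n' "$1" "$1"
}

# Succeed only if policy text $1 fits the session policy size limit.
policy_fits_limit() {
  [ "${#1}" -le "$MAX_SESSION_POLICY_CHARS" ]
}

policy="$(readonly_bucket_policy example-logs-bucket)"
policy_fits_limit "$policy" && printf '%s\n' "$policy"
```

Pass the result to awsume with `awsume myprofile --session-policy "$(readonly_bucket_policy example-logs-bucket)"`.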

# Role Duration

You can also supply a custom role duration (up to 43200) for the number of seconds to request role credentials for with the --role-duration flag.

# With SAML

The --with-saml flag will tell awsume to invoke any assume_role_with_saml plugins you have installed. There is no default implementation for this.

# With Web Identity

The --with-web-identity flag will tell awsume to invoke any assume_role_with_web_identity plugins you have installed. There is no default implementation for this.

# Credentials File

With the --credentials-file flag, you can target a credentials file to use, instead of the default ~/.aws/credentials file or whatever is pointed to with the AWS_SHARED_CREDENTIALS_FILE environment variable.

# Config File

With the --config-file flag, you can target a config file to use, instead of the default ~/.aws/config file or whatever is pointed to with the AWS_CONFIG_FILE environment variable.

# Config

The --config flag will help you configure awsume and any plugins making use of the configuration system. See the config documentation for more details.

# List Plugins

This will list all of the currently-installed awsume plugins.

# Info

The --info flag will display any INFO-level logs.

# Debug

The --debug flag will display any DEBUG-level logs.