trick

command module
v0.3.0
Published: Oct 31, 2025 License: BSD-3-Clause Imports: 24 Imported by: 0

README

trick

Tactician of Role-Interchanging Cloud Keys (Effortless AWS persistence via AssumeRole).

[!NOTE] This tool maintains persistence in AWS by cycling AssumeRole operations through a pool of AWS IAM roles arranged as a ring buffer.

$ trick -h
Usage of trick
  -config string
        path to config file
  -refresh int
        refresh IAM every n minutes (default 12)
  -region string
        AWS region used for IAM communication (default "eu-west-1")
  -role value
        AWS role to assume (can be specified multiple times)
  -ui
        starts role visualization on port 8742
  -use value
        AWS role with meaningful permissions (can be specified multiple times)
  -verbose
        verbose log output
  -version
        show version
Installation
From source
# via the Go toolchain (a version suffix is required when installing outside a module)
go install github.com/wakeful/trick@latest
Using a binary release

You can download a pre-built binary from the release page and add it to your user PATH.

[!IMPORTANT] The trick-jump-credentials profile will be updated with new credentials.

[!WARNING] The AWS CLI is required to write the new credentials correctly.

Simple scenario
trick -role arn::42::role-a -role arn::42::role-b -role arn::42::role-c
config file version
trick -config path/to/config.hcl
select_profile = profile.simple

# -region eu-west-1 \
# -role arn::42::role-a -role arn::42::role-b -role arn::42::role-c
profile "simple" {
  chain {
    use {
      arn = "arn::42::role-a"
    }

    use {
      arn = "arn::42::role-b"
    }

    use {
      arn = "arn::42::role-c"
    }
  }
}
stateDiagram
    rA: role A
    rB: role B
    rC: role C
    [*] --> rA
    rA --> rB: wait 12min and jump
    rB --> rC: wait 12min and jump
    rC --> rA: wait 12min and jump
Complex scenario

[!TIP] Sometimes only a few roles in the chain have useful permissions. Instead of waiting for the next jump, we can pick the roles that matter to us.

trick -region eu-west-1 -refresh 12 \
      -role arn::42::role-a -role arn::42::role-b \
      -role arn::42::role-c -role arn::42::role-d \
      -use  arn::42::role-a -use  arn::42::role-d
config file version
trick -config path/to/config.hcl
# -region eu-west-1 -refresh 12 \
# -role arn::42::role-a -role arn::42::role-b \
# -role arn::42::role-c -role arn::42::role-d \
# -use  arn::42::role-a -use  arn::42::role-d
profile "complex" {
  region = "eu-west-1"

  chain {
    ttl = 12

    use {
      arn  = "arn::42::role-a"
      skip = false # Defaults to false, so this attribute can be omitted.
    }

    use {
      arn  = "arn::42::role-b"
      skip = true
    }

    use {
      arn  = "arn::42::role-c"
      skip = true
    }

    use {
      arn = "arn::42::role-d"
    }
  }
}
stateDiagram
    rA: role A
    rB: role B
    rC: role C
    rD: role D
    [*] --> rA
    rA --> rB: wait 12min and jump
    rB --> rC: B lacks permission so we jump to C
    rC --> rD: C lacks permission so we jump to D
    rD --> rA: wait 12min and jump
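
For defenders, the ring in the state diagrams above should surface in CloudTrail as AssumeRole calls made from role sessions that eventually return to a role already used, assuming each jump is made with the previous role's session credentials. The Python below is an added example, not part of trick or its README; the account ID, the `ci` and `deploy` roles and every sample record are constructed, and it reads only the CloudTrail fields `userIdentity.type`, `sessionContext.sessionIssuer.arn` and `requestParameters.roleArn`.

```python
import json
from collections import defaultdict

P = "arn:aws:iam::111122223333:role/"  # constructed account ID

def _rec(ts, target, issuer=None):
    """One constructed CloudTrail AssumeRole record, reduced to the fields used below."""
    ident = ({"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": P + issuer}}}
             if issuer else {"type": "IAMUser"})  # issuer set => caller is a role session
    return json.dumps({"eventTime": ts, "eventSource": "sts.amazonaws.com",
                       "eventName": "AssumeRole", "userIdentity": ident,
                       "requestParameters": {"roleArn": P + target}})

# Constructed sample: a user enters at role-a, then sessions hop a -> b -> c -> a every
# 12 minutes (the README's default); ci -> deploy is an ordinary one-way chain.
SAMPLE = [
    _rec("2025-01-01T10:00:00Z", "role-a"),
    _rec("2025-01-01T10:12:00Z", "role-b", issuer="role-a"),
    _rec("2025-01-01T10:24:00Z", "role-c", issuer="role-b"),
    _rec("2025-01-01T10:36:00Z", "role-a", issuer="role-c"),
    _rec("2025-01-01T10:40:00Z", "deploy", issuer="ci"),
]

def chained_edges(lines):
    """Map caller role -> roles it assumed while already inside a role session."""
    graph = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        ident = ev.get("userIdentity") or {}
        if (ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole"
                and ident.get("type") == "AssumedRole"):
            issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
            target = (ev.get("requestParameters") or {}).get("roleArn")
            if issuer and target:  # skip records missing either field
                graph[issuer].add(target)
    return graph

def roles_in_rings(graph):
    """Roles from which chained AssumeRole calls eventually lead back to the same role."""
    ringed = set()
    for start in list(graph):
        seen, stack = set(), list(graph[start])
        while stack:
            if (node := stack.pop()) not in seen:
                seen.add(node)
                stack.extend(graph.get(node, ()))
        if start in seen:
            ringed.add(start)
    return sorted(ringed)
```

Calling `roles_in_rings(chained_edges(SAMPLE))` flags role-a, role-b and role-c and leaves the one-way `ci` to `deploy` chain alone; the check does not depend on the refresh interval.
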
UI Visualization

The -ui flag starts a local web server that visualizes the role chain as an interactive diagram:

trick -ui -role arn::42::role-a -role arn::42::role-b -role arn::42::role-c

Once started, open your browser to http://127.0.0.1:8742 to see the role chain visualization.

Acknowledgments

This project would not be possible without the excellent work of:

  • HCL (HashiCorp Configuration Language) - A powerful and flexible configuration language that makes trick's configuration files intuitive and easy to work with.

  • Mermaid.js - The amazing diagramming and charting tool that powers our role chain visualizations.

Documentation

Overview

Package main provides functionality for assuming AWS roles and managing credentials.

Directories

Path Synopsis
internal
ui
