Tactician of Role-Interchanging Cloud Keys (Effortless AWS persistence via AssumeRole).
Note
This tool helps maintain persistence in AWS by performing AssumeRole operations using a pool of AWS IAM roles ( implemented as a ring buffer).
$ trick -h
Usage of trick
-refresh int
refresh IAM every n minutes (default 12)
-region string
AWS region used for IAM communication (default "eu-west-1")
-role value
AWS role to assume (can be specified multiple times)
-use value
AWS role with meaningful permissions (can be specified multiple times)
-verbose
verbose log output
-version
show version# via the Go toolchain
go install github.com/wakeful/trickYou can download a pre-built binary from the release page and add it to your user PATH.
Important
The trick-jump-credentials profile will be updated with new credentials.
Warning
The AWS CLI is required to properly write the new credentials.
trick -role arn::42::role-a -role arn::42::role-b -role arn::42::role-cstateDiagram
rA: role A
rB: role B
rC: role C
[*] --> rA
rA --> rB: wait 12min and jump
rB --> rC: wait 12min and jump
rC --> rA: wait 12min and jump
Tip
Sometimes only a few roles in the chain have useful permissions. Instead of waiting for the next jump, we can just pick the roles that matter to us.
trick -role arn::42::role-a -role arn::42::role-b \
-role arn::42::role-c -role arn::42::role-d \
-use arn::42::role-a -use arn::42::role-dstateDiagram
rA: role A
rB: role B
rC: role C
rD: role D
[*] --> rA
rA --> rB: wait 12min and jump
rB --> rC: B lacks permission so we jump to C
rC --> rD: C lacks permission so we jump to D
rD --> rA: wait 12min and jump