Arbitrary names for the default profile

README.md

@@ -75,6 +75,24 @@ assume-role production read
 assume-role 123456789012 read
 ```
 
+Also, by setting `$AWS_DEFAULT_PROFILE_ASSUME_ROLE`, you can define a default profile for `assume-role` if you want to separate concerns between
+default accounts for `assume-role` and vanilla `awscli` or simply to have better names than `default`:
+
+```bash
+$ export AWS_DEFAULT_PROFILE_ASSUME_ROLE="bastion"
+$ assume-role production read
+```
+
+Moreover, if you are in the need of [longer client-side assume-role sessions](https://aws.amazon.com/about-aws/whats-new/2018/03/longer-role-sessions/) and don't want to [enter your MFA authentication every hour (default)](https://github.com/coinbase/assume-role/issues/19) this one is for you:
+
+```bash
+$ export AWS_ROLE_SESSION_TIMEOUT=43200
+```
+
+However, be aware that for [chained roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) there's currently a forced **1 hour limit** from AWS. You'll get the following error if you exceed that specific limit:
+
+> DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
+
 ## AWS Bastion Account Setup
 
 Here is a simple example of how to set up a **Bastion** AWS account with an id `0987654321098` and a **Production** account with the id `123456789012`.

assume-role

@@ -47,6 +47,7 @@ assume-role(){
   #######
 
   # exports
+  export AWS_DEFAULT_PROFILE_ASSUME_ROLE
   export AWS_SESSION_START
   export AWS_SESSION_ACCESS_KEY_ID
   export AWS_SESSION_SECRET_ACCESS_KEY
@@ -81,6 +82,19 @@ assume-role(){
   # SETUP
   #######
 
+  # load default assume-role profile if available, use "default" otherwise
+  if [ "$AWS_DEFAULT_PROFILE_ASSUME_ROLE" ]; then
+    echo "Using assume-role default profile: $AWS_DEFAULT_PROFILE_ASSUME_ROLE"
+    default_profile=${AWS_DEFAULT_PROFILE_ASSUME_ROLE}
+  else
+    default_profile="default"
+  fi
+
+  # load user-set ROLE_SESSION_TIMEOUT (up to 12h, 43200 seconds), use default 1h defined above otherwise
+  if [ "$AWS_ROLE_SESSION_TIMEOUT" ]; then
+    ROLE_SESSION_TIMEOUT=${AWS_ROLE_SESSION_TIMEOUT}
+  fi
+
   # set account_name
   if [ -z "$account_name_input" ] && [ -z "$OUTPUT_TO_EVAL" ]; then
     echo -n "Assume Into Account [default]:"
@@ -122,7 +136,7 @@ assume-role(){
   fi
 
   # set region
-  AWS_CONFIG_REGION="$(aws configure get region)"
+  AWS_CONFIG_REGION="$(aws configure get region --profile ${default_profile})"
   if [ -z "$aws_region_input" ] && [ -z "$AWS_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_CONFIG_REGION" ] && [ -z "$OUTPUT_TO_EVAL" ]; then
     echo -n "Assume Into Region [us-east-1]: "
     read -r region
@@ -173,12 +187,13 @@ assume-role(){
     fi
 
     # get the username attached to your default creds
-    AWS_USERNAME=$(aws iam get-user --query User.UserName --output text)
+    AWS_USERNAME=$(aws iam get-user --query User.UserName --output text --profile $default_profile)
 
     # get MFA device attached to default creds
     MFA_DEVICE_ARGS=(--user-name $AWS_USERNAME)
     MFA_DEVICE_ARGS+=(--query 'MFADevices[0].SerialNumber')
     MFA_DEVICE_ARGS+=(--output text)
+    MFA_DEVICE_ARGS+=(--profile ${default_profile})
     MFA_DEVICE=$(aws iam list-mfa-devices "${MFA_DEVICE_ARGS[@]}")
     MFA_DEVICE_STATUS=$?
 
@@ -191,7 +206,10 @@ assume-role(){
     SESSION_ARGS=(--duration-seconds $SESSION_TIMEOUT)
     SESSION_ARGS+=(--serial-number ${MFA_DEVICE})
     SESSION_ARGS+=(--token-code ${mfa_token})
+    SESSION_ARGS+=(--profile ${default_profile})
+
     SESSION=$(aws sts get-session-token "${SESSION_ARGS[@]}")
+
     SESSION_STATUS=$?
 
     if [ $SESSION_STATUS -ne 0 ]; then
@@ -216,6 +234,7 @@ assume-role(){
   ROLE_SESSION_ARGS+=(--external-id ${account_id})
   ROLE_SESSION_ARGS+=(--duration-seconds ${ROLE_SESSION_TIMEOUT})
   ROLE_SESSION_ARGS+=(--role-session-name $(date +%s))
+
   ROLE_SESSION=$(aws sts assume-role "${ROLE_SESSION_ARGS[@]}" || echo "fail")
 
   if [ "$ROLE_SESSION" = "fail" ]; then
@@ -235,6 +254,7 @@ assume-role(){
 
   # OUTPUTS ALL THE EXPORTS for eval $(assume-role [args])
   if [ "$OUTPUT_TO_EVAL" = "true" ]; then
+    echo "export AWS_DEFAULT_PROFILE_ASSUME_ROLE=\"$AWS_DEFAULT_PROFILE_ASSUME_ROLE\";"
     echo "export AWS_REGION=\"$AWS_REGION\";"
     echo "export AWS_DEFAULT_REGION=\"$AWS_DEFAULT_REGION\";"
     echo "export AWS_ACCESS_KEY_ID=\"$AWS_ACCESS_KEY_ID\";"
@@ -252,14 +272,17 @@ assume-role(){
 
   # USED FOR TESTING AND DEBUGGING
   if [ "$DEBUG_ASSUME_ROLE" = "true" ]; then
+    echo "AWS_DEFAULT_PROFILE_ASSUME_ROLE=\"$AWS_DEFAULT_PROFILE_ASSUME_ROLE\";"
     echo "AWS_CONFIG_REGION=\"$AWS_CONFIG_REGION\";"
     echo "AWS_USERNAME=\"$AWS_USERNAME\";"
     echo "MFA_DEVICE_ARGS=\"${MFA_DEVICE_ARGS[*]}\";"
     echo "MFA_DEVICE=\"$MFA_DEVICE\";"
     echo "SESSION_ARGS=\"${SESSION_ARGS[*]}\";"
-    echo "SESSION='$SESSION';"
+    echo "SESSION=\"$SESSION\";"
     echo "ROLE_SESSION_ARGS=\"${ROLE_SESSION_ARGS[*]}\";"
-    echo "ROLE_SESSION='$ROLE_SESSION';"
+    echo "ROLE_SESSION=\"$ROLE_SESSION\";"
+    echo "SESSION_TIMEOUT=\"$SESSION_TIMEOUT\";"
+    echo "ROLE_SESSION_TIMEOUT=\"$ROLE_SESSION_TIMEOUT\";"
   fi
 }