axolotl (ax) is an opinionated CLI that minimally emulates the behavior of the aws-vault exec command to run ad-hoc commands or switch to a subshell of a specific AWS profiles on the fly.
Additionally, credentials are obtained automatically using gimme-aws-creds to make a simple one command workflow for switching AWS profiles and credentials. This behavior can be disabled by running ax --no-verify and re-enabled by ax --verify.
If you're installing direct from source instead of with homebrew and you want the default automatic credential acquisition to work you'll need to install gimme-aws-creds yourself. This is automatically taken care of when installing with homebrew.
This is a Go CLI and as such can be installed the standard Go way if you have a working Go installation. A homebrew package is automatically provided for tagged releases if you don't have or want Go installed on your computer.
Install with go install
go install github.com/ArcadiaPower/axolotl@latestOR
Install with homebrew
brew tap ArcadiaPower/tap
brew install ArcadiaPower/tap/axolotlNote: Installing with homebrew has the added benefit of automatically installing gimme-aws-creds as a dependency if it wasn't already installed.
The configuration file is created automatically at $HOME/.config/ax/config.yaml if it doesn't already exist.
- autogimmeawscreds - This enables automatic credential verification and acquisition with
gimme-aws-creds, the default is true. - defaultregion - This sets the default AWS region that will be used, the default is
us-east-1.
To switch to a named profile and the default AWS Region of us-east-1:
ax --profile example-stagingTo switch to a named profile and a specific AWS Region:
ax --profile example-staging --region us-west-2Same as the last example, but use short flags:
ax -p example-staging -r us-west-2Execute a single command using a named profile:
ax -p example-staging -- aws sts get-caller-identityChange the default region to us-west-2 and execute a single command using a named profile without having to specify the region:
ax --default-region us-west-2
ax -p example-staging -- aws sts get-caller-identityIf you run ax without passing any arguments the tool provides autocomplete and tabcomplete functionality based on the profile names in your local ~/.aws/credentials file or the file specified by the $AWS_SHARED_CREDENTIALS_FILE environment variable if set.
This tool exists thanks to the inspiration of far greater utilities, specifically aws-vault, saml2aws, and gimme-aws-creds. It's born out of a need for a workflow to authenticate many AWS accounts via Okta SSO and solves a specific niche that the existing tools didn't quite cover.
I wanted the simplicity of the aws-vault exec command with the requirement for Okta based SAML authentication which wasn't an option because the authors of aws-vault recommend other tools like saml2aws for obtaining credentials through a SAML provider: 99designs/aws-vault#235
gimme-aws-creds was a better fit than saml2aws for obtaining the credentials since it allows getting credentials for all profiles rather than one by one. This tool simply recreates a minimal version of aws-vault exec with gimme-aws-creds as the mechanism for obtaining credentials.
ax is released under the MIT License