Using Powershell to assume roles in different AWS accounts and regions using use

    • #174784 (Participant, Rank: Member)
      Hi All,
      I am trying to write a PowerShell script. What I want to do is use Use-STSRole to assume a role in multiple AWS accounts which we own and run a simple Get-EC2SecurityGroup command to list all security groups we have which match a filter. We have 10 different AWS accounts and the role has been set up correctly. We use MFA also to the root account. The code works in that it will list all the security groups in the root account, but will not show for any other accounts. It just keeps looping over the root account the same number of times as equal to the number of accounts I have listed in the accounts.txt file.
      param(
          [Parameter(Mandatory=$True,Position=1)]
          [string]$IAMname,

          [Parameter(Mandatory=$True,Position=2)]
          [string]$MFAcode
      )

      $UserARN = "arn:aws:iam::111111111111:mfa/" + $IAMname

      Write-Host $UserARN
      Write-Host $MFAcode

      $Regions = (Get-SSMParametersByPath -Path '/aws/service/global-infrastructure/regions' -Region eu-west-1).Value

      $Accounts = Get-Content -Path .\Accounts.txt

      foreach ($Account in $Accounts){


          $RoleArn = "arn:aws:iam::${Account}:role/name"
          $Authtoken = (Use-STSRole -Region eu-west-1 -RoleArn $Accounts -RoleSessionName "name" -TokenCode $MFAcode -SerialNumber $UserARN).Credentials

          foreach ($Region in $Regions){

              Get-EC2SecurityGroup -Filter @{Name="ip-permission.cidr";Values="x.x.x.x/x"} -Region $Region -AccessKey $Authtoken.Credentials.AccessKeyId -SecretKey $Authtoken.Credentials.SecretAccessKey -SessionToken $Authtoken.Credentials.SessionToken
          }
      }
    • #174826 (Participant, Rank: Contributor)

      Hello Hiten,

      Can you please confirm Line 22 is correct? I show you are using -RoleArn $Accounts not $Account. I also see you are applying a value to $RoleARN multiple times as well. I've revamped the code below to make it easier to read by using the splatting method.

      foreach ($Account in $Accounts){
          $RoleArn = "arn:aws:iam::${Account}:role/name"
          $STSRole = @{
              Region          = 'eu-west-1'
              RoleArn         = $RoleArn      # the per-account role ARN, not the account id or the $Accounts list
              RoleSessionName = "name"
              SerialNumber    = $UserARN
              TokenCode       = $MFAcode
          }
          # Use-STSRole returns an AssumeRoleResponse; .Credentials holds the temporary keys.
          # A space is required between the cmdlet name and the splatted hashtable.
          $Authtoken = (Use-STSRole @STSRole).Credentials
          foreach ($Region in $Regions){
              $EC2SecurityGroup = @{
                  Filter       = @{Name="ip-permission.cidr";Values="x.x.x.x/x"}
                  Region       = $Region
                  AccessKey    = $Authtoken.AccessKeyId       # $Authtoken is already the Credentials object
                  SecretKey    = $Authtoken.SecretAccessKey
                  SessionToken = $Authtoken.SessionToken
              }
              Get-EC2SecurityGroup @EC2SecurityGroup
          }
      }
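A complete version of the loop discussed in this thread, added here as an example rather than code from either poster. It assumes the AWS.Tools.SecurityToken, AWS.Tools.EC2 and AWS.Tools.SimpleSystemsManagement modules are installed, that the default profile holds the MFA-protected "root" account credentials, and that Accounts.txt lists one 12-digit account id per line; the role name, session name prefix and CIDR are placeholders. Beyond the thread's code it validates the per-account credentials before use (empty keys make the EC2 cmdlets fall back silently to the default profile, which is exactly the "every account looks like the root account" symptom), isolates failures per account and region, and emits objects instead of raw output.

```powershell
# Added example, not the original poster's or replier's script.
param(
    [Parameter(Mandatory = $true, Position = 1)]
    [string]$IAMname,

    [Parameter(Mandatory = $true, Position = 2)]
    [ValidatePattern('^\d{6}$')]          # TOTP codes are six digits
    [string]$MFAcode,

    [string]$AccountsFile = '.\Accounts.txt',
    [string]$RoleName     = 'ROLE-NAME-PLACEHOLDER',   # assumption: same role name in every account
    [string]$Cidr         = '10.0.0.0/8'               # constructed placeholder filter value
)

# MFA device in the "root" account; the account id here is the one used in the thread.
$UserARN = "arn:aws:iam::111111111111:mfa/$IAMname"

# Region list comes from the public SSM parameter tree, as in the original script.
$Regions = (Get-SSMParametersByPath -Path '/aws/service/global-infrastructure/regions' -Region eu-west-1).Value

# Ignore blank lines or comments in the accounts file; only 12-digit ids are valid.
$Accounts = Get-Content -Path $AccountsFile | Where-Object { $_ -match '^\d{12}$' }

$Results = foreach ($Account in $Accounts) {
    $RoleArn = "arn:aws:iam::${Account}:role/$RoleName"

    $stsParams = @{
        Region            = 'eu-west-1'
        RoleArn           = $RoleArn          # per-account ARN, not the whole $Accounts list
        RoleSessionName   = "sg-audit-$Account"
        SerialNumber      = $UserARN
        TokenCode         = $MFAcode
        DurationInSeconds = 900               # shortest lifetime STS allows; enough for a read-only sweep
    }

    try {
        # Use-STSRole returns an AssumeRoleResponse; .Credentials is the temporary key set.
        $Creds = (Use-STSRole @stsParams).Credentials
    }
    catch {
        Write-Warning "Could not assume $RoleArn : $($_.Exception.Message)"
        continue
    }

    # Guard against the silent fallback: with empty -AccessKey/-SecretKey the EC2 cmdlets
    # use the default profile, so every account would be reported as the root account.
    if ([string]::IsNullOrEmpty($Creds.AccessKeyId) -or [string]::IsNullOrEmpty($Creds.SessionToken)) {
        Write-Warning "Empty temporary credentials returned for account $Account; skipping"
        continue
    }

    foreach ($Region in $Regions) {
        $ec2Params = @{
            Filter       = @{ Name = 'ip-permission.cidr'; Values = $Cidr }
            Region       = $Region
            AccessKey    = $Creds.AccessKeyId       # $Creds is already the Credentials object
            SecretKey    = $Creds.SecretAccessKey
            SessionToken = $Creds.SessionToken
        }
        try {
            Get-EC2SecurityGroup @ec2Params | ForEach-Object {
                [pscustomobject]@{
                    Account   = $Account
                    Region    = $Region
                    GroupId   = $_.GroupId
                    GroupName = $_.GroupName
                    VpcId     = $_.VpcId
                }
            }
        }
        catch {
            # A region that is opted out or a missing ec2:DescribeSecurityGroups permission
            # should not abort the whole sweep.
            Write-Warning "${Account}/${Region}: $($_.Exception.Message)"
        }
    }
}

$Results | Format-Table -AutoSize
```

Run it as `.\Get-CrossAccountSecurityGroups.ps1 -IAMname alice -MFAcode 123456` (file name assumed). The Account column in the output is the quickest check that the role switch actually happened: if every row carries the root account's groups, the credentials were not applied.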