Using Powershell to assume roles in different AWS accounts and regions using use

#174784
Hi All,

I am trying to write a PowerShell script. What I want to do is use Use-STSRole to assume a role in multiple AWS accounts which we own and run a simple Get-EC2SecurityGroup command to list all security groups we have which match a filter. We have 10 different AWS accounts and the role has been set up correctly. We use MFA also to the root account. The code works in that it will list all the security groups in the root account, but will not show for any other accounts. It just keeps looping over the root account the same number of times as the number of accounts I have listed in the Accounts.txt file.
param(
    [Parameter(Mandatory=$True,Position=1)]
    [string]$IAMname,

    [Parameter(Mandatory=$True,Position=2)]
    [string]$MFAcode
)

$UserARN = "arn:aws:iam::111111111111:mfa/" + $IAMname

Write-Host $UserARN
Write-Host $MFAcode

$Regions = (Get-SSMParametersByPath -Path '/aws/service/global-infrastructure/regions' -Region eu-west-1).Value

$Accounts = Get-Content -Path .\Accounts.txt

foreach ($Account in $Accounts){

    $RoleArn = "arn:aws:iam::${Account}:role/name"
    $Authtoken = (Use-STSRole -Region eu-west-1 -RoleArn $Accounts -RoleSessionName "name" -TokenCode $MFAcode -SerialNumber $UserARN).Credentials

    foreach ($Region in $Regions){

        Get-EC2SecurityGroup -Filter @{Name="ip-permission.cidr";Values="x.x.x.x/x"} -Region $Region -AccessKey $Authtoken.Credentials.AccessKeyId -SecretKey $Authtoken.Credentials.SecretAccessKey -SessionToken $Authtoken.Credentials.SessionToken
    }
}
#174826

Hello Hiten,

Can you please confirm Line 22 is correct? I see you are using -RoleArn $Accounts, not $Account. I also see you are applying a value to $RoleARN multiple times as well. I've revamped the code below to make it easier to read by using the splatting method.

foreach ($Account in $Accounts){
    $RoleArn = "arn:aws:iam::${Account}:role/name"
    # Splat the AssumeRole parameters. RoleArn must be the full role ARN built above,
    # not the bare account ID.
    $STSRole = @{
        Region          = 'eu-west-1'
        RoleArn         = $RoleArn
        RoleSessionName = "name"
        SerialNumber    = $UserARN
        TokenCode       = $MFAcode
    }
    # .Credentials is already the credential object, so its properties are read
    # directly below; a second .Credentials would be $null and the EC2 call would
    # silently fall back to the default profile.
    $Authtoken = (Use-STSRole @STSRole).Credentials
    foreach ($Region in $Regions){
        $EC2SecurityGroup = @{
            Filter       = @{Name="ip-permission.cidr";Values="x.x.x.x/x"}
            Region       = $Region
            AccessKey    = $Authtoken.AccessKeyId
            SecretKey    = $Authtoken.SecretAccessKey
            SessionToken = $Authtoken.SessionToken
        }
        Get-EC2SecurityGroup @EC2SecurityGroup
    }
}
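The following is an added example, not code from either post above, showing the pattern the thread is after with the checks a practitioner would want: the one-time MFA code is presented once to Get-STSSessionToken, every AssumeRole is made from that MFA-backed session, and each assumed session is verified with Get-STSCallerIdentity before any security groups are listed, so a fallback to the default profile (the symptom in the original post) is reported rather than silently looping over the home account. Assumed: the AWS.Tools modules are installed, the default profile holds long-term keys for the MFA-bound IAM user in the home account, the role name 'name', the account ID 111111111111, the CIDR 'x.x.x.x/x' and the file .\Accounts.txt are the placeholders from the post, and each role's trust policy accepts a session that carries aws:MultiFactorAuthPresent.

```powershell
# Added example (not from the original thread). Assumes AWS.Tools.Common,
# AWS.Tools.SecurityToken and AWS.Tools.EC2 are installed and that the default
# profile holds long-term keys for the IAM user that owns the MFA device.
param(
    [Parameter(Mandatory = $true)][string]$IAMname,
    [Parameter(Mandatory = $true)][string]$MFAcode,
    [string]$HomeAccount = '111111111111',   # placeholder from the post
    [string]$RoleName    = 'name',           # placeholder from the post
    [string]$Cidr        = 'x.x.x.x/x',      # placeholder from the post
    [string]$AccountFile = '.\Accounts.txt'
)

Import-Module AWS.Tools.Common, AWS.Tools.SecurityToken, AWS.Tools.EC2 -ErrorAction Stop

$MfaSerial = "arn:aws:iam::${HomeAccount}:mfa/$IAMname"

# Present the TOTP code once. The session token carries the MFA context, which is
# what a trust policy conditioned on aws:MultiFactorAuthPresent checks, so the
# per-account AssumeRole calls below do not have to re-send the code and cannot
# race the 30-second TOTP window.
$MfaSession = (Get-STSSessionToken -SerialNumber $MfaSerial -TokenCode $MFAcode `
                   -DurationInSeconds 3600 -Region eu-west-1).Credentials
$MfaCred = New-AWSCredential -AccessKey $MfaSession.AccessKeyId `
                             -SecretKey $MfaSession.SecretAccessKey `
                             -SessionToken $MfaSession.SessionToken

# Region list from the SDK's endpoint data; needs no SSM permission.
$Regions = (Get-AWSRegion).Region
$Filter  = @{ Name = 'ip-permission.cidr'; Values = $Cidr }

# Only 12-digit account IDs are accepted; blank or malformed lines are dropped.
$Accounts = Get-Content -Path $AccountFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^\d{12}$' }

foreach ($Account in $Accounts) {
    $RoleArn = "arn:aws:iam::${Account}:role/$RoleName"
    try {
        $Assumed = (Use-STSRole -Credential $MfaCred -RoleArn $RoleArn `
                        -RoleSessionName "sg-audit-$IAMname" `
                        -Region eu-west-1 -ErrorAction Stop).Credentials
    }
    catch {
        Write-Warning "AssumeRole failed for ${Account}: $($_.Exception.Message)"
        continue   # never let the EC2 call fall through to the default profile
    }
    $RoleCred = New-AWSCredential -AccessKey $Assumed.AccessKeyId `
                                  -SecretKey $Assumed.SecretAccessKey `
                                  -SessionToken $Assumed.SessionToken

    # Prove the session belongs to the target account before trusting its output.
    $Identity = Get-STSCallerIdentity -Credential $RoleCred -Region eu-west-1
    if ($Identity.Account -ne $Account) {
        Write-Warning "Expected account $Account but session is for $($Identity.Account); skipping"
        continue
    }

    foreach ($Region in $Regions) {
        try {
            Get-EC2SecurityGroup -Filter $Filter -Region $Region -Credential $RoleCred -ErrorAction Stop |
                Select-Object @{ n = 'Account'; e = { $Account } },
                              @{ n = 'Region';  e = { $Region } },
                              GroupId, GroupName, VpcId
        }
        catch {
            # Opt-in regions not enabled in the account fail here; report and move on.
            Write-Warning "${Account}/${Region}: $($_.Exception.Message)"
        }
    }
}
```

Passing the assumed credentials with -Credential rather than as three separate key parameters avoids the situation in the original script, where a $null property made all three parameters empty and every cmdlet quietly used the default profile; the Get-STSCallerIdentity check catches that case regardless of how the credentials are passed.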
