Cloud Authentication via CLI - SethBodine/audit-tools GitHub Wiki

Authentication commands for each supported cloud provider. Run these inside the container after starting it. Ensure credentials are configured before running any assessment tools.


Authentication Commands via CLI

AWS

The AWS CLI stores credentials and config in the following locations. The files are created automatically by aws configure, or can be created manually.

OS             Path
Linux / macOS  ~/.aws/
Windows        %USERPROFILE%\.aws\

File         Purpose
config       Region and output format
credentials  Access key, secret key, and optional session token

With MFA

The AWS account needs to be set up with an access key and secret key. If MFA is configured, it will be configured with a virtual MFA device. The ARN of this device can be found in your IAM account.

aws configure                             # Set the long-term access key and secret key (may not be required)
aws sts get-session-token --serial-number arn:aws:iam::<accountnumber>:mfa/<username> --token-code <6-digit-code>
aws configure                             # Update the access key and secret key with the temporary values returned above
aws configure set aws_session_token <SESSION_TOKEN_HERE> # Add the temporary session token
aws iam generate-credential-report        # Generates the IAM credential report
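
The MFA steps above as a single function, added here as an example and not taken from the audit-tools wiki: it requests the session token and stores the temporary credentials under a separate profile, so the long-term keys in the default profile are not overwritten. The function names and the profile name "mfa" are assumptions.

```sh
#!/bin/sh
# Added example, not from the audit-tools wiki.
# Assumptions: function names and the target profile name "mfa" are illustrative.

# Accept only a six-digit code, so a typo never reaches STS.
valid_token_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# mfa_login <mfa-device-arn> <6-digit-code> [target-profile]
mfa_login() {
  serial=$1; code=$2; target=${3:-mfa}
  valid_token_code "$code" || { echo "token code must be 6 digits" >&2; return 2; }

  # --query with --output text returns one tab-separated line instead of JSON.
  creds=$(aws sts get-session-token \
    --serial-number "$serial" --token-code "$code" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text) || return 1

  # Split the line into its four fields (none of them contains whitespace).
  read -r key secret token expiry <<EOF
$creds
EOF
  [ -n "$expiry" ] || { echo "unexpected STS output" >&2; return 1; }

  # Write the temporary credentials to the target profile only, so the
  # long-term keys in [default] stay usable for the next session request.
  aws configure set aws_access_key_id "$key" --profile "$target"
  aws configure set aws_secret_access_key "$secret" --profile "$target"
  aws configure set aws_session_token "$token" --profile "$target"
  unset key secret token
  echo "profile '$target' valid until $expiry"
}

# Runs only when called with arguments: ./mfa-login.sh <mfa-arn> <code> [profile]
if [ "$#" -ge 2 ]; then
  mfa_login "$@"
fi
```

Assessment commands then select the session with --profile mfa, for example aws iam generate-credential-report --profile mfa.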

Without MFA

Note: Not recommended.

aws configure                             # Update Secret and Key
aws iam generate-credential-report        # Generates IAM Credential Report

IAM Roles

To assume a role, add a profile to the credentials file:

[<profile-name>]
    role_arn = arn:aws:iam::<account-number>:role/<role-name>
    source_profile = default

Then use the profile:

aws iam generate-credential-report --profile <profile-name>

See the AWS documentation for more detail.


Azure

Browser-Based Login (recommended)

az login

Device Code Login (no browser available)

az login --use-device-code

Navigate to the URL shown and enter the code to complete authentication.


GCP

gcloud auth login --no-launch-browser
gcloud projects list
gcloud config set project <PROJECT_ID>

Oracle Cloud (OCI)

TBC - setup is more involved than other providers.


Kubernetes

AKS (Azure Kubernetes Service)

# Ensure you are logged into Azure first
sudo az aks install-cli
az aks get-credentials -g <RESOURCE_GROUP> -n <CLUSTER_NAME>
kubelogin convert-kubeconfig -l azurecli
kubectl get nodes

EKS (AWS Elastic Kubernetes Service)

# Ensure you are logged into AWS first
aws eks update-kubeconfig --region <region> --name <cluster-name>
kubectl get nodes