wakeful/trick

GitHub: wakeful/trick

A penetration testing tool that maintains access in cloud environments and manages role chains by automatically rotating AWS AssumeRole sessions.

Stars: 1 | Forks: 0

# trick

```
$ trick -h
Usage of trick
  -config string
        path to config file
  -refresh int
        refresh IAM every n minutes (default 12)
  -region string
        AWS region used for IAM communication (default "eu-west-1")
  -role value
        AWS role to assume (can be specified multiple times)
  -ui
        starts role visualization on port 8742
  -use value
        AWS role with meaningful permissions (can be specified multiple times)
  -verbose
        verbose log output
  -version
        show version
```

### Installation

#### From source

```
# via the Go toolchain
go install github.com/wakeful/trick
```

#### Using a binary release

You can download a prebuilt binary from the [releases page](https://github.com/wakeful/trick/releases/latest) and add it to your user PATH.

### Simple scenario

```
trick -role arn::42::role-a -role arn::42::role-b -role arn::42::role-c
```

Config file version:

```
trick -config path/to/config.hcl
```

```
select_profile = profile.simple

# -region eu-west-1 \
# -role arn::42::role-a -role arn::42::role-b -role arn::42::role-c
profile "simple" {
  chain {
    use { arn = "arn::42::role-a" }
    use { arn = "arn::42::role-b" }
    use { arn = "arn::42::role-c" }
  }
}
```

```mermaid
stateDiagram
    rA: role A
    rB: role B
    rC: role C
    [*] --> rA
    rA --> rB: wait 12min and jump
    rB --> rC: wait 12min and jump
    rC --> rA: wait 12min and jump
```

### Complex scenario

```
trick -region eu-west-1 -refresh 12 \
  -role arn::42::role-a -role arn::42::role-b \
  -role arn::42::role-c -role arn::42::role-d \
  -use arn::42::role-a -use arn::42::role-d
```

Config file version:

```
trick -config path/to/config.hcl
```

```
# -region eu-west-1 -refresh 12 \
# -role arn::42::role-a -role arn::42::role-b \
# -role arn::42::role-c -role arn::42::role-d \
# -use arn::42::role-a -use arn::42::role-d
profile "complex" {
  region = "eu-west-1"
  chain {
    ttl = 12
    use {
      arn  = "arn::42::role-a"
      skip = false # Defaults to false; you can skip it.
    }
    use {
      arn  = "arn::42::role-b"
      skip = true
    }
    use {
      arn  = "arn::42::role-c"
      skip = true
    }
    use { arn = "arn::42::role-d" }
  }
}
```

```mermaid
stateDiagram
    rA: role A
    rB: role B
    rC: role C
    rD: role D
    [*] --> rA
    rA --> rB: wait 12min and jump
    rB --> rC: B lacks permission so we jump to C
    rC --> rD: C lacks permission so we jump to D
    rD --> rA: wait 12min and jump
```

### UI visualization

The `-ui` flag starts a local web server that renders the role chain as an interactive diagram:

```
trick -ui -role arn::42::role-a -role arn::42::role-b -role arn::42::role-c
```

Once it is running, open `http://127.0.0.1:8742` in your browser to view the role chain visualization.

## Acknowledgements

This project would not be possible without the excellent work of the following projects:

- **[HCL (HashiCorp Configuration Language)](https://github.com/hashicorp/hcl)** - a powerful and flexible configuration language that makes `trick`'s config files more intuitive to use.
- **[Mermaid.js](https://github.com/mermaid-js/mermaid)** - an outstanding diagramming and charting tool that powers our role chain visualization.
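From the defender's side, the two state diagrams above describe a pattern that is visible in CloudTrail: a sequence of role-to-role `sts:AssumeRole` calls that eventually returns to a role already held, with the same hop repeating on a fixed cadence (every `-refresh` minutes per hop, so every 36 minutes per edge in the three-role chain). The following is an added example, not code from the `trick` project: it reconstructs role lineages from constructed CloudTrail-style records and flags cyclic chains and periodic hops. The account id, role names and the flattened record shape are assumptions made for the example.

```python
"""Added example (not part of the trick project): spot rotating AssumeRole
chains in CloudTrail-style records by following role lineages."""
from collections import defaultdict
from datetime import datetime, timezone

ACCOUNT = "111122223333"  # constructed account id, not a real one


def role(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


def user(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def hop(ts: str, caller: str, target: str, name: str = "AssumeRole") -> dict:
    # Minimal stand-in for a CloudTrail record; only the fields this sketch
    # reads are kept. In real CloudTrail the calling role of an assumed-role
    # session is reported under userIdentity.sessionContext.sessionIssuer.arn
    # and the target under requestParameters.roleArn; here both are flattened.
    return {"eventTime": ts, "eventName": name, "caller": caller, "roleArn": target}


# Constructed sample (not real log data): a three-role chain hopping every
# 12 minutes, mixed with unrelated benign activity.
SAMPLE_EVENTS = [
    hop("2024-01-01T00:00:00Z", user("alice"), role("role-a")),
    hop("2024-01-01T00:12:00Z", role("role-a"), role("role-b")),
    hop("2024-01-01T00:24:00Z", role("role-b"), role("role-c")),
    hop("2024-01-01T00:36:00Z", role("role-c"), role("role-a")),
    hop("2024-01-01T00:48:00Z", role("role-a"), role("role-b")),
    hop("2024-01-01T01:00:00Z", role("role-b"), role("role-c")),
    hop("2024-01-01T01:12:00Z", role("role-c"), role("role-a")),
    hop("2024-01-01T01:24:00Z", role("role-a"), role("role-b")),
    hop("2024-01-01T00:30:00Z", user("bob"), role("deploy")),
    hop("2024-01-01T00:30:05Z", role("deploy"), "", name="GetCallerIdentity"),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assume_role_hops(events):
    """AssumeRole calls in time order as (time, caller, target_role)."""
    hops = [(_ts(e["eventTime"]), e["caller"], e["roleArn"])
            for e in events if e.get("eventName") == "AssumeRole"]
    return sorted(hops)


def find_chain_cycles(events):
    """Follow each role's lineage (the roles assumed to reach it) and report
    every hop that lands on a role already in that lineage."""
    lineage = {}  # role ARN -> list of role ARNs that led to it
    cycles = []
    for _, caller, target in assume_role_hops(events):
        parent = lineage.get(caller, [])  # empty when the caller is a user
        if target in parent:
            cycles.append(tuple(parent[parent.index(target):] + [target]))
            lineage[target] = [target]  # the chain starts over from here
        else:
            lineage[target] = parent + [target]
    return cycles


def hop_intervals_minutes(events):
    """Minutes between repeated occurrences of the same role->role hop."""
    times = defaultdict(list)
    for t, caller, target in assume_role_hops(events):
        if ":role/" in caller:  # only hops made from an assumed-role session
            times[(caller, target)].append(t)
    return {edge: [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
            for edge, ts in times.items() if len(ts) > 1}


def periodic_hops(events, jitter_minutes: float = 1.0):
    """Hops seen at least three times on a near-constant cadence."""
    return {edge: ivs for edge, ivs in hop_intervals_minutes(events).items()
            if len(ivs) >= 2 and max(ivs) - min(ivs) <= jitter_minutes}


if __name__ == "__main__":
    for cyc in find_chain_cycles(SAMPLE_EVENTS):
        print("cyclic chain:", " -> ".join(a.rsplit("/", 1)[1] for a in cyc))
    for (src, dst), ivs in periodic_hops(SAMPLE_EVENTS).items():
        print(f"periodic hop {src.rsplit('/', 1)[1]} -> {dst.rsplit('/', 1)[1]}: {ivs} min")
```

On the sample the cycle `role-a -> role-b -> role-c -> role-a` is reported twice and the `role-a -> role-b` hop recurs every 36 minutes, which is the signal to correlate with the session names and source addresses on those records. Legitimate cross-account automation rarely returns to a role it already holds, so a lineage cycle is a reasonable triage trigger even before the cadence check fires.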
Tags: AssumeRole, AWS, DPI, EVTX analysis, Go, HCL, IAM, Ruby tools, sniffing/spoofing, log auditing, persistence, role rotation, account persistence