Welcome to awsapicli’s documentation!
awsapicli
A CLI tool exposing capabilities of awsapilib, such as Control Tower account creation, account renaming and email updating, account termination and more.
Documentation: https://awsapicli.readthedocs.org/en/latest
Project Features
Creates an account through Control Tower. Supports nested OUs by specifying a parent hierarchy of up to 5 levels. With the force flag set, it automatically creates any of the specified OUs that do not exist.
Requests a password reset to activate the root account.
Resets the root password, activating the account, using the reset URL obtained in the request step.
Activates IAM access to the billing console using the root password.
Can update the name and the email of the account.
Can activate and deactivate virtual MFA devices.
Installation
At the command line:
$ pip install awsapicli
Or, if you have virtualenvwrapper installed:
$ mkvirtualenv awsapicli
$ pip install awsapicli
Or, if you are using pipenv:
$ pipenv install awsapicli
Or, if you are using pipx:
$ pipx install awsapicli
Usage
To use aws-account-lifecycle:
aws-account-lifecycle --help
Usage: aws-account-lifecycle [OPTIONS] COMMAND [ARGS]...
Main entry point of the CLI.
Options:
--help Show this message and exit.
Commands:
billing-iam-activate Activate IAM access to billing console on an...
create Create a new account through Control Tower.
mfa-activate Activate virtual MFA on an account.
mfa-deactivate Deactivate virtual MFA on an account.
request-password-reset Request a password reset for an account.
reset-password Reset the password of an account.
terminate Terminate (suspend for 90 days first) an account.
update-email Update the email of an account.
update-name Update the name of an account.
Activating IAM access on billing console
aws-account-lifecycle billing-iam-activate --help
Usage: aws-account-lifecycle billing-iam-activate [OPTIONS]
Activate IAM access to billing console on an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-t, --2captcha-token TEXT A valid token for the 2captcha service if
automatic captcha solving is required. Can
read from "TWO_CAPTCHA_API_TOKEN"
environment variable
-m, --mfa-seed TEXT The original mfa seed of the account if
virtual MFA is enabled.
-r, --region TEXT The home region of the account, can read
from "AWS_DEFAULT_REGION" environment
variable [required]
-p, --password TEXT The root password of the account.
[required]
-e, --email TEXT The email to use. [required]
--help Show this message and exit.
Creating an account
aws-account-lifecycle create --help
Usage: aws-account-lifecycle create [OPTIONS]
Create a new account through Control Tower.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-e, --email TEXT The email to use. [required]
-r, --region TEXT The home region of the account, can read
from "AWS_DEFAULT_REGION" environment
variable [required]
-n, --name TEXT The name of the account. [required]
-a, --arn TEXT The arn of the role that can access Control
Tower. [required]
-o, --organizational-unit TEXT The OU to create the account under. Defaults
to "Custom". [required]
-h, --parent-hierarchy TEXT The parent hierarchy of the OU if any, space
delimited. If you want the OU to be created
under Root/GrandParentOU/ParentOU the
arguments would be `-h Root -h GrandParentOU
-h ParentOU`
-p, --product-name TEXT The product name of the account. Defaults to
the account name if not set.
-se, --sso-email TEXT The email for an SSO user. It defaults to
the account email if not set.
-sf, --sso-first-name TEXT The first name for an SSO user. It defaults
to "Control".
-sl, --sso-last-name TEXT The last name for an SSO user. It defaults
to "Tower".
-f, --force-ou-hierarchy-creation
If set and a parent hierarchy is provided
then then the tool will try to create it
even if it does not exist.
--help Show this message and exit.
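The `-h` convention from the help text above, as an added example (not part of awsapicli): a hypothetical Python helper, `build_create_argv`, turns an OU path into the repeated `-h` flags and returns an argv list for `subprocess.run`. Applying the 5-level limit to the `-h` entries is an assumption, and all sample values are constructed.

```python
import shlex

# Assumption: the page's "up to 5 levels" is applied here to the -h entries.
MAX_PARENT_LEVELS = 5


def build_create_argv(email, name, region, role_arn, ou_path, force=False):
    """Return the argv list for `aws-account-lifecycle create`.

    ou_path is slash-separated, e.g. "Root/GrandParentOU/ParentOU/Team": the
    last segment is the target OU (-o), the rest become repeated -h flags.
    """
    segments = [s.strip() for s in ou_path.split("/")]
    if not all(segments):
        raise ValueError(f"empty segment in OU path: {ou_path!r}")
    *parents, target_ou = segments
    if len(parents) > MAX_PARENT_LEVELS:
        raise ValueError(
            f"{len(parents)} parent levels given, maximum is {MAX_PARENT_LEVELS}")
    # A list (not a shell string) keeps names with spaces or shell
    # metacharacters from being re-parsed when handed to subprocess.run().
    argv = ["aws-account-lifecycle", "create",
            "-e", email, "-n", name, "-r", region, "-a", role_arn,
            "-o", target_ou]
    for parent in parents:  # outermost first, as in the help text
        argv += ["-h", parent]
    if force:
        argv.append("-f")  # create missing OUs in the hierarchy
    return argv


if __name__ == "__main__":
    # Constructed sample values; email, name and role ARN are placeholders.
    argv = build_create_argv(
        email="aws+sandbox@example.com",
        name="sandbox-team-a",
        region="eu-west-1",
        role_arn="arn:aws:iam::111111111111:role/ControlTowerAdmin",
        ou_path="Root/GrandParentOU/ParentOU/Team",
        force=True,
    )
    # Printed for review; to execute, use subprocess.run(argv, check=True).
    print(shlex.join(argv))
```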
Activating MFA
aws-account-lifecycle mfa-activate --help
Usage: aws-account-lifecycle mfa-activate [OPTIONS]
Activate virtual MFA on an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-t, --2captcha-token TEXT A valid token for the 2captcha service if
automatic captcha solving is required. Can
read from "TWO_CAPTCHA_API_TOKEN"
environment variable
-m, --mfa-seed TEXT The original mfa seed of the account if
virtual MFA is enabled.
-r, --region TEXT The home region of the account, can read
from "AWS_DEFAULT_REGION" environment
variable [required]
-p, --password TEXT The root password of the account.
[required]
-e, --email TEXT The email to use. [required]
-d, --device-name TEXT The name of the virtual device. Defaults to
"root-account-mfa-device" [required]
--help Show this message and exit.
Deactivating MFA
aws-account-lifecycle mfa-deactivate --help
Usage: aws-account-lifecycle mfa-deactivate [OPTIONS]
Deactivate virtual MFA on an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-t, --2captcha-token TEXT A valid token for the 2captcha service if
automatic captcha solving is required. Can
read from "TWO_CAPTCHA_API_TOKEN"
environment variable
-m, --mfa-seed TEXT The original mfa seed of the account if
virtual MFA is enabled.
-r, --region TEXT The home region of the account, can read
from "AWS_DEFAULT_REGION" environment
variable [required]
-p, --password TEXT The root password of the account.
[required]
-e, --email TEXT The email to use. [required]
-d, --device-serial TEXT The serial of the virtual device in the form
of arn:aws:iam::ACCOUNTID:mfa/DEVICE_NAME.
[required]
--help Show this message and exit.
Request a password reset
aws-account-lifecycle request-password-reset --help
Usage: aws-account-lifecycle request-password-reset [OPTIONS]
Request a password reset for an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-e, --email TEXT The email to use. [required]
-t, --2captcha-token TEXT A valid token for the 2captcha service if
automatic captcha solving is required. Can
read from "TWO_CAPTCHA_API_TOKEN"
environment variable
--help Show this message and exit.
Reset password
aws-account-lifecycle reset-password --help
Usage: aws-account-lifecycle reset-password [OPTIONS]
Reset the password of an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-r, --reset-url TEXT [required]
-p, --password TEXT The root password of the account.
[required]
--help Show this message and exit.
Terminate an account
aws-account-lifecycle terminate --help
Usage: aws-account-lifecycle terminate [OPTIONS]
Terminate (suspend for 90 days first) an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-t, --2captcha-token TEXT A valid token for the 2captcha service if
automatic captcha solving is required. Can
read from "TWO_CAPTCHA_API_TOKEN"
environment variable
-m, --mfa-seed TEXT The original mfa seed of the account if
virtual MFA is enabled.
-r, --region TEXT The home region of the account, can read
from "AWS_DEFAULT_REGION" environment
variable [required]
-p, --password TEXT The root password of the account.
[required]
-e, --email TEXT The email to use. [required]
--help Show this message and exit.
Update an account email
aws-account-lifecycle update-email --help
Usage: aws-account-lifecycle update-email [OPTIONS]
Update the email of an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-t, --2captcha-token TEXT A valid token for the 2captcha service if
automatic captcha solving is required. Can
read from "TWO_CAPTCHA_API_TOKEN"
environment variable
-m, --mfa-seed TEXT The original mfa seed of the account if
virtual MFA is enabled.
-r, --region TEXT The home region of the account, can read
from "AWS_DEFAULT_REGION" environment
variable [required]
-p, --password TEXT The root password of the account.
[required]
-e, --email TEXT The email to use. [required]
-n, --new-email TEXT The email to update to. [required]
--help Show this message and exit.
Update an account name
aws-account-lifecycle update-name --help
Usage: aws-account-lifecycle update-name [OPTIONS]
Update the name of an account.
Options:
Logging options: [mutually_exclusive]
Sets the level of logging interactively or
accepts a configuration file.
-l, --log-level [debug|info|warning|error]
Provide the log level. Defaults to info.
Mutually exclusive with providing a logging
configuration file.
-L, --log-config FILENAME A config file for logging, mutually
exclusive with setting the logging level
interactively.
-t, --2captcha-token TEXT A valid token for the 2captcha service if
automatic captcha solving is required. Can
read from "TWO_CAPTCHA_API_TOKEN"
environment variable
-m, --mfa-seed TEXT The original mfa seed of the account if
virtual MFA is enabled.
-r, --region TEXT The home region of the account, can read
from "AWS_DEFAULT_REGION" environment
variable [required]
-p, --password TEXT The root password of the account.
[required]
-e, --email TEXT The email to use. [required]
-n, --name TEXT The name of the account. [required]
--help Show this message and exit.
Contributing
Contributions are welcome, and they are greatly appreciated! Every little bit helps, and credit will always be given.
Submit Feedback
If you are proposing a feature:
Explain in detail how it would work.
Keep the scope as narrow as possible, to make it easier to implement.
Get Started!
Ready to contribute? Here’s how to set up awsapicli for local development. Using pipenv is highly recommended.
Clone your fork locally:
$ git clone https://github.com/schubergphilis/awsapicli.git
Install your local copy into a virtualenv. Assuming you have pipenv installed, this is how you set up your clone for local development:
$ cd awsapicli/
$ pipenv install --ignore-pipfile
Create a branch for local development:
$ git checkout -b name-of-your-bugfix-or-feature
Now you can make your changes locally. Do your development while using the CI capabilities and making sure the code passes lint, test, build and document stages.
Commit your changes and push your branch to the server:
$ git add .
$ git commit -m "Your detailed description of your changes."
$ git push origin name-of-your-bugfix-or-feature
Submit a merge request
awsapicli
awsapicli package
Submodules
awsapicli.actions module
actions package.
Import all parts from actions here
- awsapicli.actions.activate_iam_billing(options, console)
Activates IAM access to the billing console.
- Parameters
options – The options provided by click
console – The console provided by rich
- Returns
True on success, False on failure
- Return type
result (bool)
- awsapicli.actions.activate_mfa(options, console)
Activates virtual MFA on an account.
- Parameters
options – The options provided by click
console – The console provided by rich
- Returns
The device representation returned by the activation process.
- Return type
device (VirtualMFADevice)
- awsapicli.actions.deactivate_mfa(options, console)
Deactivates the virtual MFA of an account.
- Parameters
options – The options provided by click
console – The console provided by rich
- Returns
True on success, False on failure
- Return type
result (bool)
- awsapicli.actions.get_account_manager_arguments(options)
Prepares the standard arguments for account manager actions.
- awsapicli.actions.get_password_manager_arguments(options)
Prepares the standard arguments for password manager actions.
- awsapicli.actions.password_reset(options, console)
Resets an account root password.
- Parameters
options – The options provided by click
console – The console provided by rich
- Returns
True on success, False on failure
- Return type
result (bool)
- awsapicli.actions.password_reset_request(options, console)
Requests a password reset link.
- Parameters
options – The options provided by click
console – The console provided by rich
- Returns
True on success, False on failure
- Return type
result (bool)
- awsapicli.actions.terminate_account(options, console)
Terminates an account.
- Parameters
options – The options provided by click
console – The console provided by rich
- Returns
True on success, False on failure
- Return type
result (bool)
awsapicli.awsapicli module
Main code for awsapicli.
awsapicli.awsapicliexceptions module
Custom exception code for awsapicli.
awsapicli.options module
options package.
Import all parts from options here
awsapicli.validators module
validation package.
Import all parts from validation here
- awsapicli.validators.generate_random_string(length)
Generates a random string according to the length provided.
- awsapicli.validators.get_random_account_email(account_email)
Generates a random email up to the maximum size allowed.
- awsapicli.validators.get_random_account_name(account_name)
Generates a random name up to the maximum size allowed.
- awsapicli.validators.validate_account_password(ctx, param, value)
Validates an account password.
Module contents
awsapicli package.
Import all parts from awsapicli here
Credits
Development Lead
Costas Tyfoxylos <ctyfoxylos@schubergphilis.com>
Contributors
None yet. Why not be the first?
History
0.0.1 (24-12-2021)
First code creation
0.1.0 (29-12-2021)
Initial release
0.1.1 (29-12-2021)
Disabled Iterm solver since the rendering does not work with the rich framework.
0.1.2 (29-12-2021)
Linted code.
0.1.3 (29-12-2021)
Bumped dependencies for a fix on account creation.
0.1.4 (30-12-2021)
Bumped dependencies and fixed typo.
0.1.5 (26-04-2022)
Updated dependencies.
0.1.6 (06-05-2022)
Fixed IAM login workflow in dependency.