Nucleator CLI Reference

SYNOPSIS

nucleator account rolespec list [options]
nucleator account rolespec provision [options]
nucleator account rolespec validate [options]

DESCRIPTION

'nucleator account rolespec` provides convenient tools through which:

  • the publishers of Nucleator Stacksets can share specifications for the IAM Role(s) required for the published Stackset to function properly.

  • a consumer of one or more Nucleator Stacksets can list and review the specified IAM Roles to determine whether or not to use the Stackset and provision the required Roles in a target AWS Account

  • easily and conveniently provision the specified IAM Roles into a specified AWS Account

  • validate that required cross-account trust policies have been estabished properly, that provisioned IAM Roles can be assumed and that temporary credentials can be obtained from the AWS Secure Token Service as required for Nucleator to operate across AWS Account boundaries in a secure manner.

SUBCOMMANDS

ROLESPEC LIST

nucleator rolespec list

[--commandname <stackset_name>] [--rolename <role_name>] [-h | --help]

By default, provides a terse listing of role specifications for all installed Nucleator Stacksets.

If --commandname is specified, provides a terse listing of the role specification for the specified <stackset_name>.

If --rolename is specified, provides a full listing of the role with the specified <role_name>

ROLESPEC PROVISION

nucleator rolespec provision

--customer <customer_name> --account <account_name> [--commandname <stackset_name>] [--rolename <role_name>] [-h | --help]

Provisions specified IAM Role(s) in specified AWS Account.

--customer <customer_name>

The name of the customer from which configuration for AWS Accounts and Nucleator Cages should be drawn. See also [FILES].

--account <account_name>

The friendly account name of the AWS Account within which IAM Roles should be provisioned. The friendly account name is drawn from the configuration file for the specified customer, see also [FILES].

--commandname <stackset_name>

If specified, provisions only those IAM Roles in the role specification for for <stackset_name>.

--rolename <role_name>

If specified, provisions only the IAM Role with name <role_name>.

ROLESPEC VALIDATE

nucleator rolespec validate

--customer <customer_name> --account <account_name> [--commandname <stackset_name>] [--rolename <role_name>] [-h | --help]

Validates that temporary credentials in each target AWS Account can be obtained for IAM Role(s) that include a trust policy to NucleatorAgent in a source AWS Account.

+ --customer <customer_name>:: The name of the customer for which Nucleator should validate cross-account access.

--account <account_name>

Currently unused. Source and target AWS Account information is drawn from the customer configuration for the specified customer. See also [FILES].

--commandname <stackset_name>

If specified, validates only those IAM Roles in the role specification for for <stackset_name> that include a trust policy for the NucleatorAgent Principal.

--rolename <role_name>

If specified, validates only the IAM Role with name <role_name>, only if that role includes a trust policy for the NucleatorAgent Principal.

FILES

~/.nucleator/

Configuratin directory for local nucleator configuration.

~/.nucleator/<customer_name>-credentials.yml

Config file with AWS IAM User credentials to be used by rolespec provision. Credentials can also be provided in the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

STACKSET_ROOT/ansible/role_specifications.yml

Role specification file for each Nucleator Stackset. Role specifications can include multiple required IAM Roles. A trust policy and access policy are specified for each specified IAM Role. Trust policies support embedded Jinja2 templates so that cross-account trust can be easily established based on the contents of the customer’s siteconfig.

~/.nucleator/siteconfig/<customer>.yml

Customer configuration file, defines AWS Account friendly names and mappings to Nucleator Cages. Both of these can be used in Jinja2 templates within specified trust polies to implement seamless cross-account access where appropriate.

NUCLEATOR

Part of the nucleator(1) suite

Installation Documentation Releases License Community