
Command Line Interface

The FireMon Authorization Control (FMAC) command-line interface (CLI) allows you to create access requests from your terminal or scripts.

Installing

To install the FMAC CLI on a Unix-like system, run the following commands in a terminal:

VERSION="0.2.3"
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m)
curl -O "https://releases.disruptops.com/fmac/${VERSION}/fmac-artifacts/fmac_${VERSION}_${OS}_${ARCH}.zip"
unzip "fmac_${VERSION}_${OS}_${ARCH}.zip"
sudo mv fmac /usr/local/bin

Usage

To get started, first sign in to Authorization Control: fmac signin. Then, to create an access request, run fmac request. This prompts you for the access template to base your request on and the cloud account you wish to access. To view more information about the templates you can use to create new requests, run fmac templates. To skip the prompt when creating requests, provide the IDs of the template and cloud account you wish to access (and, optionally, how long your request will last), e.g. fmac request --templateId 01FQWER27VASDF12345 --cloudAccountId 1111222223333 --hours 2 --minutes 30.

Auto Approval

If you create a request that is automatically approved (the access template must have an approval strategy of AutoApproval), the CLI will automatically retrieve credentials from the Access Server. You can use the --output option to choose how the CLI prints the credentials to standard output. The valid values are:

  • env: (default) print AWS credentials as environment variables
  • ini: print AWS credentials in INI format (i.e. the format used in AWS credential files)
  • url: generate and print a URL for the AWS console using the credentials

These options allow you to create simple, yet convenient and powerful, scripts. For example, to export the AWS credentials as environment variables into your shell for use by other tools (e.g. AWS CLI):

aws sts get-caller-identity
export $(fmac request --output env)
aws sts get-caller-identity

Assuming your request was auto-approved, the output of the second aws sts get-caller-identity call should now include the role that the Access Server assumed on your behalf, which is the identity you are now operating as.

The ini option can be used to persist the credentials to an AWS credentials file. For example:

fmac request --output ini | (echo "[default]" && cat) > ~/.aws/fmac.credentials
export AWS_SHARED_CREDENTIALS_FILE="$HOME/.aws/fmac.credentials"
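
The ini pipeline above truncates and rewrites the credentials file even when the request fails, and it leaves the file's permissions to the current umask. The following function, an added example rather than FireMon's own code, writes the file with mode 0600 and replaces it only when credentials were actually returned; write_fmac_credentials and FMAC_BIN are hypothetical names, and it assumes the ini output includes an aws_access_key_id line.

```shell
# Added example, not FireMon's code.
# FMAC_BIN is a hypothetical override (default: fmac) so the function can be
# exercised without the real CLI installed.

# write_fmac_credentials FILE [extra "fmac request" arguments...]
# Replaces FILE only when the request succeeded and returned an access key.
write_fmac_credentials() {
    local dest dir tmp
    dest="$1"; shift
    dir=$(dirname "$dest")
    mkdir -p "$dir" || return 1

    # mktemp creates the file with mode 0600. Keeping it in the destination
    # directory makes the final mv an atomic rename on the same filesystem.
    tmp=$(mktemp "$dir/.fmac.XXXXXX") || return 1

    # Build the profile in the temp file; $dest is untouched if fmac fails.
    if ! { echo "[default]" && "${FMAC_BIN:-fmac}" request --output ini "$@"; } > "$tmp"; then
        rm -f "$tmp"
        echo "fmac request failed; $dest left unchanged" >&2
        return 1
    fi

    # Assumption: the ini output contains an aws_access_key_id line, as AWS
    # credential files do. Output without one (for example, from a request
    # that is not yet approved) is treated as a failure.
    if ! grep -qi '^[[:space:]]*aws_access_key_id[[:space:]]*=' "$tmp"; then
        rm -f "$tmp"
        echo "no credentials returned; $dest left unchanged" >&2
        return 1
    fi

    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# Usage, with the page's flags and placeholder IDs:
#   write_fmac_credentials "$HOME/.aws/fmac.credentials" \
#       --templateId <templateId> --cloudAccountId <cloudAccountId>
#   export AWS_SHARED_CREDENTIALS_FILE="$HOME/.aws/fmac.credentials"
```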

The url option can be used to quickly open the AWS console. For example:

open $(fmac request --output url)

This assumes open is a command that knows how to open URLs. The command is built into macOS, but it could be replaced with xdg-open on Linux or start on Windows.

When --reuse is true (the default), the CLI will try to find an existing request with the same template and cloud account that has not expired. This is useful when you need new AWS credentials but only want to create a new access request if a valid one does not already exist. For example, your AWS session may have expired (it is only valid for up to 1 hour) while your request has not, or your AWS credential environment variables may have been cleared because you opened a new terminal.

Note that you can (and most likely will want to) add --templateId and --cloudAccountId to the above examples to skip the prompt, making it automated and that much faster to retrieve AWS credentials.