1 exec

Runs a command with temporary AWS credentials injected into its environment. The child process receives AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN automatically.

timebound-iam exec -s s3:full,cloudfront:full -t 30m --profile prod -- ./deploy.sh

Everything after -- is the command (and its arguments) to run. The credentials expire after the TTL, even if the command is still running.

Use --dry-run to validate your scopes and see the summary without requesting credentials. Use --no-confirm to skip the interactive confirmation prompt (useful in CI or self-wrapping scripts).

2 env

Prints export or unset statements for AWS credential environment variables. Wrap the call with eval to apply them to your current shell session.

Set credentials:

eval "$(timebound-iam env -s s3:ro -t 15m --no-confirm)"

Clear credentials:

eval "$(timebound-iam env --unset)"

The --unset flag prints unset statements for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN, letting you clean up after you are done.

3 Scopes

Scopes follow the format service:level where level is ro (read-only) or full (read + write). You can pass multiple scopes as a comma-separated list or with repeated -s flags.

Comma-separated:

timebound-iam exec -s s3:ro,dynamodb:full -t 15m -- aws s3 ls

Repeated flags:

timebound-iam exec -s s3:ro -s dynamodb:full -t 15m -- aws s3 ls

Both forms are equivalent. Use whichever is more readable for your use case.
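The scope grammar above is simple enough to check locally before the credentials request is made, so a typo such as s3:rw fails in your own script rather than at the timebound-iam call. The function below is an added example, not part of timebound-iam; it accepts both the comma-separated and the repeated-value forms and enforces the documented ro/full levels.

```shell
#!/bin/sh
# Added example (not timebound-iam's own code): local pre-check of scope
# arguments in the service:level format. Only the format rules come from the
# page; the function name and error messages are constructed here.

# validate_scopes SCOPE... : each argument may be a single scope or a
# comma-separated list, mirroring "-s a,b" and "-s a -s b". Returns 0 only
# when every scope is "service:level" with level ro or full and at least one
# scope was supplied; otherwise prints the first problem to stderr.
validate_scopes() {
    scope_count=0
    for arg in "$@"; do
        old_ifs=$IFS
        IFS=','
        set -f                      # disable globbing while splitting on commas
        for scope in $arg; do
            service=${scope%%:*}    # text before the first ':'
            level=${scope#*:}       # text after the first ':'
            # No ':' at all leaves service equal to the whole scope.
            if [ -z "$scope" ] || [ -z "$service" ] || [ "$scope" = "$service" ]; then
                echo "invalid scope '$scope': expected service:level" >&2
                set +f; IFS=$old_ifs
                return 1
            fi
            case "$level" in
                ro|full) ;;
                *)  echo "invalid level '$level' in '$scope': use ro or full" >&2
                    set +f; IFS=$old_ifs
                    return 1 ;;
            esac
            scope_count=$((scope_count + 1))
        done
        set +f
        IFS=$old_ifs
    done
    [ "$scope_count" -gt 0 ]
}
```

Call it as `validate_scopes "$SCOPES" || exit 1` ahead of the timebound-iam exec or env line; it does not replace --dry-run, which additionally confirms the scopes against the tool itself.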

4 Self-wrap Pattern

A script can acquire its own credentials by checking for an existing session and re-executing itself through timebound-iam exec when one is missing. This reduces a deployment to a single ./deploy.sh call.

#!/bin/bash
set -e

# Self-wrap: if no session credentials, re-exec through timebound-iam
if [ -z "$AWS_SESSION_TOKEN" ]; then
    exec timebound-iam exec \
        -s s3:full,cloudfront:full \
        -t 30m \
        --profile prod \
        --no-confirm \
        -- "$0" "$@"
fi

# From here on, AWS credentials are in the environment
aws s3 sync dist/ s3://my-bucket --delete
aws cloudfront create-invalidation \
    --distribution-id E1234567890 \
    --paths "/*"

On the first run, $AWS_SESSION_TOKEN is unset, so the script calls exec timebound-iam exec ... -- "$0" "$@", which replaces the current process with a copy of itself running under temporary credentials. On the second invocation, the token exists and the script falls through to the actual work.

The --no-confirm flag is important here to avoid prompting on the re-exec. Without it, the confirmation prompt would appear every time the script re-invokes itself.

5 Flags

Both exec and env share the following flags:

-s, --scope Service scope in service:level format. Repeatable or comma-separated. Required.
-t, --ttl Credential time-to-live (e.g. 15m, 1h, 4h). Required.
--profile AWS profile name. Uses default credentials if omitted.
--dry-run Show the request summary and exit without requesting credentials.
--no-confirm Skip the interactive confirmation prompt. Useful for CI and self-wrapping scripts.

The env subcommand has one additional flag:

--unset Print unset statements to clear AWS credential environment variables. Standalone; does not require -s or -t.