Skip to content

TOML + Environment Variables

Complete ~/.config/yak/config.toml using environment variables for all sensitive values.

This is the recommended starting point. All secrets come from your shell environment — the same place your existing dotfiles already manage them.

~/.config/yak/config.toml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# ─── Global defaults ──────────────────────────────────────────────────────────
default_account = "dev"
default_role    = "admin"
use_active_role = false

[aws]
credentials_path = "~/.aws/credentials"
config_path      = "~/.aws/config"
region           = "eu-north-1"
sso_start_url    = "${AWS_SSO_URL}"
sso_session_name = "yak"

[paths]
cache_dir = "~/.local/share/yak"
state_dir = "~/.local/share/yak"
log_dir   = "~/.local/share/yak"

[secrets]
cache_ttl = 60    # minutes, 0 = no cache

[safeguards]
enabled                 = true
protected_accounts      = ["prod", "mgmt"]
protected_pattern       = ""
max_power_grade_allowed = "developer"

# ─── Roles ────────────────────────────────────────────────────────────────────
# Built-in power grades: read_only=100, developer=200, admin=300, root=400
[roles]
read_only = "${AWS_VIEWER_ROLE}"
developer = "${AWS_DEVELOPER_ROLE}"
admin     = "${AWS_ELEVATED_ROLE}"
root      = "${AWS_GODMODE_ROLE}"

# ─── Accounts ─────────────────────────────────────────────────────────────────
[[accounts]]
name       = "dev"
account_id = "${AWS_DEV_ACCOUNT_ID}"

[[accounts]]
name       = "sandbox"
account_id = "${AWS_SANDBOX_ACCOUNT_ID}"

[[accounts]]
name       = "test"
account_id = "${AWS_TEST_ACCOUNT_ID}"

[[accounts]]
name           = "prod"
account_id     = "${AWS_PROD_ACCOUNT_ID}"
default_role   = "developer"
allowed_roles  = ["read_only", "developer", "admin"]  # root intentionally excluded
role_overrides = { admin = "${AWS_ADMIN_ROLE}", read_only = "${AWS_READ_ROLE}" }

[[accounts]]
name           = "mgmt"
account_id     = "${AWS_MGMT_ACCOUNT_ID}"
default_role   = "admin"
allowed_roles  = ["read_only", "developer", "admin"]  # root intentionally excluded
role_overrides = { admin = "${AWS_ADMIN_ROLE}", read_only = "${AWS_READ_ROLE}" }

# ─── Aliases ──────────────────────────────────────────────────────────────────
[aliases.accounts]
d      = "dev"
sb     = "sandbox"
t      = "test"
p      = "prod"
m      = "mgmt"

[aliases.roles]
ro  = "read_only"
dev = "developer"
adm = "admin"
rt  = "root"

Required environment variables

Add these to your .zshrc, .bashrc, or auth-env.shrc:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
export AWS_SSO_URL="https://yourorg.awsapps.com/start"

# Role names
export AWS_VIEWER_ROLE="ViewerRole"
export AWS_DEVELOPER_ROLE="DeveloperRole"
export AWS_ELEVATED_ROLE="PrivilegedRole"
export AWS_GODMODE_ROLE="GodModeRole"

# Role overrides for prod-like accounts
export AWS_ADMIN_ROLE="AdministratorRole"
export AWS_READ_ROLE="ReaderRole"

# Account IDs
export AWS_DEV_ACCOUNT_ID="123456789012"
export AWS_SANDBOX_ACCOUNT_ID="234567890123"
export AWS_TEST_ACCOUNT_ID="345678901234"
export AWS_PROD_ACCOUNT_ID="456789012345"
export AWS_MGMT_ACCOUNT_ID="789012345678"