sudo-like behavior for role assumed access on AWS accounts
The AWS sudo: inject AWS credentials into the command you want to run:
awsudo -u staging env | grep AWS
Results in:
AWS_SESSION_TOKEN=********
AWS_SECRET_ACCESS_KEY=**************
AWS_ACCESS_KEY_ID=********
Notice - awsudo was meant for local usage; it is not for server authentication. See the Motivation section for more info.
This is how the CLI works under the hood: [diagram]
It is assumed that you have awscli installed and configured, or at least a ~/.aws/config file following this pattern:
[profile foo]
role_arn=...
mfa_serial=... (if necessary)
region=...
More information: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
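As an added illustration of that flow (not the project's own Rust code): the [profile] section is read from ~/.aws/config, role session credentials are obtained and cached under the cache directory, and the three session variables are injected into the environment the command is started with. The `assume_role` callable stands in for sts:AssumeRole so the example runs offline; the config text, fixed clock, temporary cache directory and credential values are all constructed.

```python
# Added illustration of awsudo's mechanism (not the project's Rust code): profile -> role session -> cache -> env.
import configparser
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def read_profile(config_text, name):
    """Parse a ~/.aws/config-style profile section; mfa_serial and region are optional."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    s = cp[f"profile {name}"]
    return {"role_arn": s["role_arn"], "mfa_serial": s.get("mfa_serial"), "region": s.get("region")}

def session_credentials(cache_dir, name, profile, assume_role, now):
    """Reuse the cached session while more than a minute remains, else assume the role again."""
    path = Path(cache_dir) / f"{name}.json"
    if path.exists():
        cached = json.loads(path.read_text())
        if datetime.fromisoformat(cached["Expiration"]) - now > timedelta(minutes=1):
            return cached
    creds = assume_role(profile)  # the real tool calls sts:AssumeRole here (with an MFA code if mfa_serial is set)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(creds))
    path.chmod(0o600)  # cached credentials are secrets: owner read/write only
    return creds

def assumed_env(config_text, cache_dir, name, assume_role, base_env, now):
    """Environment the child command is started with: the caller's variables (other AWS_* included) stay, only the three session vars are set."""
    creds = session_credentials(cache_dir, name, read_profile(config_text, name), assume_role, now)
    env = dict(base_env)
    env.update({"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
                "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
                "AWS_SESSION_TOKEN": creds["SessionToken"]})
    return env
class FakeSts:
    """Offline stand-in for STS: counts calls and returns constructed, obviously fake credentials."""
    def __init__(self, expires_at):
        self.expires_at, self.calls = expires_at, 0
    def __call__(self, profile):
        self.calls += 1
        return {"AccessKeyId": "AKIAEXAMPLEKEY", "SecretAccessKey": "fake-secret",
                "SessionToken": "fake-token-for-" + profile["role_arn"],
                "Expiration": self.expires_at.isoformat()}
SAMPLE_CONFIG = """[profile staging]
role_arn = arn:aws:iam::123456789012:role/staging-admin
mfa_serial = arn:aws:iam::123456789012:mfa/alice
"""  # constructed config following the pattern above
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock
CACHE_DIR = tempfile.mkdtemp(prefix="awsudo-example-")  # stands in for ~/.awsudo/
```

A second call within the session lifetime is served from the cache file, which is why the real tool can switch profiles quickly without re-prompting for MFA each time.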
brew tap marceloboeira/formulas
brew install marceloboeira/formulas/awsudo
awsudo - sudo-like behavior for role assumed access on AWS accounts 0.1.1
USAGE:
awsudo [OPTIONS] --user <user> [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
--cache-dir <DIR> Custom directory for credentials caching, defaults to ~/.awsudo/
-c, --config <FILE> Custom config file, defaults to: ~/.aws/config
-u, --user <user> AWS profile name based on the config file
Thanks clap for that.
Get all of the S3 buckets of the production account:
awsudo -u production aws s3 ls
Run an executable that needs AWS credentials:
awsudo -u staging delete_s3_buckets "s3://staging-acc/foo"
This is not required, but interesting:
alias awss='awsudo -u staging'
alias awso='awsudo -u operations'
alias awsp='awsudo -u production'
Then after:
awss [subcommand]
The main motivation was to write something in Rust that I would use every day, and the awsudo use case was quite interesting. The original awsudo is heavily used where I work and it constantly causes pain; the CLI has a couple of issues:
- Distribution - It was written in Python, which makes it difficult to distribute, and it doesn't have a Homebrew formula
- Dependencies - It locks the aws-cli version, and depends on code of the CLI itself
- Versioning - It doesn't have versions whatsoever
- Bugs - It has a couple of bugs, e.g. you can't pass AWS_*-style variables through to your command
The official solution from AWS is not really great either:
- Stateful - Once you assume a role you stick with it until it expires or you switch
- CLI-centric - Hard to share the credentials and switch quickly if you are not using their CLI