marceloboeira / awsudo
> sudo-like behavior for role assumed access on AWS accounts
License: MIT License
aws-cli supports a source_profile option in the config file which specifies which profile to get the credentials from. I actually don't have a [default] section in my ~/.aws/credentials file, so that a random aws command would fail to do anything. All my profiles explicitly specify where to get the credentials from.
Some examples here:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
PS: When I have time, I'll take a look at implementing this, unless someone beats me to it.
Create a brew formula so it's easy to install on macOS :)
Sort of hard at this point, since there is no "docker-image" for AWS STS; it would have to be a REAL account structure, with some ROLE authorisation configured...
Might be something nice to do with terraform.
According to the docs here (and the behavior of the aws-cli tool), the profiles, i.e. the section names in the ~/.aws/config file, should be prefixed with "profile ", for example:
[profile user1]
region=us-east-1
output=text
while awsudo expects it to be just [user1].
AWS allows us to get the STS expiration timestamp from the response, at this point we just assume 1 hour and use that hardcoded all around.
More info:
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
Start extracting, abstracting and testing. I don't know exactly how I'll do that, but I want to have some parts as independent modules so that it's easier to test and compose/change if needed.
~/.aws/credentials ... Store the tokens while they are valid
Right now, errors are not handled in a way...
$ awsudo -u invalid echo bar
thread 'main' panicked at 'Profile not found', src/main.rs:34:27
note: Run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
It would be better to use something like:
$ awsudo -u invalid echo bar
Error: Profile not found
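As an added example for the three issues above (source_profile support, the "profile " section prefix, and errors that should not panic), not awsudo's own code: a small Rust module that parses the config/credentials format, strips the "profile " prefix so both header styles map to the same name, walks source_profile down to the static keys, and turns a missing profile into a printable error. The Profile fields, the SAMPLE_CONFIG text and the placeholder account id and keys are constructed for this example; awsudo's real structures may differ.

```rust
// Added example, not awsudo's own code: parse the INI-style ~/.aws/config and
// ~/.aws/credentials format, accept both the aws-cli "[profile name]" header
// and the bare "[name]" header, follow source_profile down to the long-lived
// keys, and report failures as errors rather than panicking.
use std::collections::HashMap;
use std::fmt;

#[derive(Debug, Default, Clone, PartialEq)]
pub struct Profile {
    pub role_arn: Option<String>,
    pub source_profile: Option<String>,
    pub aws_access_key_id: Option<String>,
    pub aws_secret_access_key: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    ProfileNotFound(String),
    SourceProfileLoop(String),
    MissingCredentials(String),
}

impl fmt::Display for ConfigError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::ProfileNotFound(n) => write!(f, "Profile not found: {}", n),
            Self::SourceProfileLoop(n) => write!(f, "source_profile chain loops back to {}", n),
            Self::MissingCredentials(n) => write!(f, "no access keys reachable from profile {}", n),
        }
    }
}

/// "[profile foo]" and "[foo]" both map to the key "foo", so the config file
/// and the credentials file can be merged into one map.
pub fn parse_config(text: &str) -> HashMap<String, Profile> {
    let mut profiles: HashMap<String, Profile> = HashMap::new();
    let mut current: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            let name = line[1..line.len() - 1].trim();
            let name = name.strip_prefix("profile ").map(str::trim).unwrap_or(name);
            profiles.entry(name.to_string()).or_default();
            current = Some(name.to_string());
            continue;
        }
        let (section, (key, value)) = match (&current, line.split_once('=')) {
            (Some(s), Some(kv)) => (s, kv),
            _ => continue, // key before any section header, or no '=' at all
        };
        let p = profiles.get_mut(section).expect("inserted when the header was seen");
        let value = Some(value.trim().to_string());
        match key.trim() {
            "role_arn" => p.role_arn = value,
            "source_profile" => p.source_profile = value,
            "aws_access_key_id" => p.aws_access_key_id = value,
            "aws_secret_access_key" => p.aws_secret_access_key = value,
            _ => {} // region=, output=, ... are not needed for credential lookup
        }
    }
    profiles
}

/// Follow source_profile until a profile with static keys is found. A missing
/// profile or a cycle is an ordinary error for the CLI to print, not a panic.
pub fn resolve_credentials(profiles: &HashMap<String, Profile>, name: &str) -> Result<(String, String), ConfigError> {
    let mut cur = name.to_string();
    // bounded walk: a source_profile cycle cannot loop forever
    for _ in 0..8 {
        let p = profiles.get(&cur).ok_or_else(|| ConfigError::ProfileNotFound(cur.clone()))?;
        if let (Some(k), Some(s)) = (&p.aws_access_key_id, &p.aws_secret_access_key) {
            return Ok((k.clone(), s.clone()));
        }
        cur = match &p.source_profile {
            Some(src) => src.clone(),
            None => return Err(ConfigError::MissingCredentials(cur)),
        };
    }
    Err(ConfigError::SourceProfileLoop(cur))
}

/// The one-line message a non-panicking `awsudo -u invalid ...` should print.
pub fn report(err: &ConfigError) -> String {
    format!("Error: {}", err)
}

/// Constructed sample: config-style and credentials-style sections mixed,
/// no [default] section, placeholder account id and keys.
pub const SAMPLE_CONFIG: &str = "\
[profile user1]
region = us-east-1
[profile production]
role_arn = arn:aws:iam::123456789012:role/admin
source_profile = user1
[user1]
aws_access_key_id = AKIAEXAMPLE
aws_secret_access_key = secretexample
";
```

With this module, resolve_credentials(&parse_config(SAMPLE_CONFIG), "invalid") passed through report yields "Error: Profile not found: invalid", the shape of message asked for above, and a source_profile cycle becomes an error after a bounded number of hops instead of hanging the tool.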
Make sure to cache the token only during its lifetime...
Improve #1
Figure out how to:
Make it possible to force / purge the cache, e.g.:
awsudo -u production --force ...
-> forces the token generation
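As an added example for the caching issues above (using the STS expiration timestamp instead of a hard-coded hour, storing tokens only while they are valid, and a --force flag that purges the cache), not awsudo's own code: a Rust token cache keyed by profile. The timestamp parser handles the "YYYY-MM-DDThh:mm:ssZ" form the STS API returns in Expiration; the in-memory map stands in for the ~/.aws/credentials file, the 60-second safety margin is a design choice of this example, and sample_credentials() returns constructed placeholder keys rather than anything from STS.

```rust
// Added example, not awsudo's own code: keep STS session credentials per
// profile, honour the Expiration timestamp STS returns instead of a hard-coded
// hour, refresh shortly before expiry, and let --force discard the cached entry.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct SessionCredentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
    /// Unix time (seconds) at which STS says the token stops working.
    pub expires_at: u64,
}

/// Parse the "YYYY-MM-DDThh:mm:ssZ" Expiration value of a GetSessionToken or
/// AssumeRole response into Unix seconds with the days-from-civil formula, so
/// no date crate is needed. Assumes UTC with a trailing 'Z', as STS returns.
pub fn parse_expiration(ts: &str) -> Option<u64> {
    let (date, time) = ts.strip_suffix('Z')?.split_once('T')?;
    let mut d = date.split('-').map(|p| p.parse::<i64>().ok());
    let (y, m, day) = (d.next()??, d.next()??, d.next()??);
    let mut t = time.split(':').map(|p| p.parse::<i64>().ok());
    let (h, mi, s) = (t.next()??, t.next()??, t.next()??);
    if !(1..=12).contains(&m) || !(1..=31).contains(&day) {
        return None;
    }
    if !(0..=23).contains(&h) || !(0..=59).contains(&mi) || !(0..=59).contains(&s) {
        return None;
    }
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let doy = (153 * ((m + 9) % 12) + 2) / 5 + day - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    let days = era * 146_097 + doe - 719_468;
    let secs = days * 86_400 + h * 3600 + mi * 60 + s;
    if secs < 0 { None } else { Some(secs as u64) }
}

/// Refresh this many seconds before STS's own expiry so a command started at
/// the last moment does not fail halfway through with an expired token.
pub const SAFETY_MARGIN_SECS: u64 = 60;

#[derive(Default)]
pub struct TokenCache {
    entries: HashMap<String, SessionCredentials>,
}

impl TokenCache {
    pub fn new() -> Self {
        Self::default()
    }

    /// Cached credentials for `profile`, only while still usable at `now`.
    /// `force` (awsudo --force) drops the entry so STS is called again.
    pub fn get(&mut self, profile: &str, now: u64, force: bool) -> Option<&SessionCredentials> {
        let usable = !force
            && self
                .entries
                .get(profile)
                .map_or(false, |c| now + SAFETY_MARGIN_SECS < c.expires_at);
        if !usable {
            self.entries.remove(profile); // expired, forced, or absent: purge
            return None;
        }
        self.entries.get(profile)
    }

    pub fn put(&mut self, profile: &str, creds: SessionCredentials) {
        self.entries.insert(profile.to_string(), creds);
    }
}

/// Serve from cache when possible; otherwise run `fetch` (the STS round-trip,
/// supplied by the caller) and cache its result. The bool reports whether STS
/// was actually contacted.
pub fn credentials_for<F>(cache: &mut TokenCache, profile: &str, now: u64, force: bool, fetch: F)
    -> Option<(SessionCredentials, bool)>
where F: FnOnce() -> Option<SessionCredentials> {
    if let Some(c) = cache.get(profile, now, force) {
        return Some((c.clone(), false));
    }
    let fresh = fetch()?;
    cache.put(profile, fresh.clone());
    Some((fresh, true))
}

/// Constructed stand-in for an STS response: placeholder keys, given expiry.
pub fn sample_credentials(expires_at: u64) -> SessionCredentials {
    SessionCredentials {
        access_key_id: "ASIAEXAMPLE".to_string(),
        secret_access_key: "secretexample".to_string(),
        session_token: "tokenexample".to_string(),
        expires_at,
    }
}
```

credentials_for only calls the fetch closure when the cache has nothing usable, so a second awsudo invocation within the token's lifetime makes no STS call, while a call inside the safety margin, after expiry, or with force set refreshes and overwrites the entry.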
At this moment, we use stdin/out to both print the "Please type your MFA token..." prompt and collect the MFA token. That can be intrusive to users who might want to pipe/redirect its output:
awsudo -u production read_consul_logs > logs.txt
If an MFA token needs to be collected, the file output will include the printed stdin:
Please type your MFA token for arn:aws:iam::9999999999:user/bezos:
MY LOGS
Therefore, we might be better served using /dev/tty.
Reference:
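As an added example for the issue above, not awsudo's own code: a Rust prompt that talks to the controlling terminal through /dev/tty for both the prompt and the typed code, so neither ends up in a redirected stdout or consumes a piped stdin. The generic prompt_mfa takes its streams as parameters so the behaviour can be exercised without a terminal; the six-digit check matches the TokenCode length the STS API specifies, and the MFA serial in main is a constructed placeholder.

```rust
// Added example, not awsudo's own code: prompt for the MFA token on the
// controlling terminal (/dev/tty) instead of stdout/stdin, so that
// `awsudo -u production cmd > logs.txt` and `cat in | awsudo ...` keep the
// prompt and the typed code out of the redirected streams.
use std::fs::OpenOptions;
use std::io::{self, BufRead, BufReader, Write};

/// Write the prompt to `out`, read one line from `input`, and check that the
/// answer is the six-digit code STS expects as TokenCode. Taking the streams
/// as parameters keeps the logic testable without a terminal.
pub fn prompt_mfa<R: BufRead, W: Write>(mut input: R, mut out: W, mfa_arn: &str) -> io::Result<String> {
    write!(out, "Please type your MFA token for {}: ", mfa_arn)?;
    out.flush()?;
    let mut line = String::new();
    if input.read_line(&mut line)? == 0 {
        return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "no MFA token entered"));
    }
    let code = line.trim().to_string();
    if code.len() != 6 || !code.bytes().all(|b| b.is_ascii_digit()) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "MFA token must be six digits"));
    }
    Ok(code)
}

/// Open the controlling terminal for both directions. Without one (cron, CI,
/// a detached container) the open fails and the error reaches the caller
/// instead of the command hanging on a prompt nobody can see.
pub fn prompt_mfa_on_tty(mfa_arn: &str) -> io::Result<String> {
    let tty_in = OpenOptions::new().read(true).open("/dev/tty")?;
    let tty_out = OpenOptions::new().write(true).open("/dev/tty")?;
    prompt_mfa(BufReader::new(tty_in), tty_out, mfa_arn)
}

fn main() {
    // constructed MFA serial, not a real account
    match prompt_mfa_on_tty("arn:aws:iam::123456789012:mfa/user1") {
        Ok(code) => eprintln!("received a {}-digit code", code.len()),
        Err(e) => {
            eprintln!("Error: {}", e);
            std::process::exit(1);
        }
    }
}
```

Run with stdout redirected to a file and the prompt still appears on the terminal while the file stays clean; the same holds when stdin is a pipe, because the code is read from /dev/tty rather than from the pipe.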
Find a way you can use:
awsudo -u production aws s3 ls
instead of
awsudo -u production 'aws s3 ls'
That would make it more acceptable since we would be able to create aliases, such as:
alias awsp="awsudo -u production"
awsp AWS_KINESIS_STREAM=funky-stream ./my_project
Update: Still trying to figure out a way around clap with this one: clap-rs/clap#1344
It's often necessary to use unix pipes with awsudo credentials injection...
cat foo.csv | awsudo -u staging s3_uploader
where s3_uploader is a binary that takes stdin and stream-uploads to S3.
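As an added example for the two issues above (running the command from unquoted trailing arguments, and keeping unix pipes working), not awsudo's own code: a Rust launcher that treats everything after the options as argv, accepts leading NAME=value tokens the way env(1) does so that an alias like awsp AWS_KINESIS_STREAM=funky-stream ./my_project works, injects the session credentials as the standard AWS_* environment variables, and inherits stdin/stdout/stderr so the child sees the parent's pipes and redirections. The SessionCredentials struct and sample_credentials() are constructed placeholders, not STS output.

```rust
// Added example, not awsudo's own code: run the trailing arguments of
// `awsudo -u production aws s3 ls` as a child process without quoting,
// accept leading NAME=value tokens the way env(1) does, hand the session
// credentials over through the environment, and inherit stdin so
// `cat foo.csv | awsudo -u staging s3_uploader` keeps streaming.
use std::io;
use std::process::{Command, Stdio};

/// Constructed placeholder for what STS returned; real values come from AssumeRole.
pub struct SessionCredentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
}

fn is_env_name(name: &str) -> bool {
    let mut chars = name.chars();
    matches!(chars.next(), Some(c) if c == '_' || c.is_ascii_alphabetic())
        && chars.all(|c| c == '_' || c.is_ascii_alphanumeric())
}

/// Split leading NAME=value tokens off the command line. Only a token whose
/// left side is a valid variable name counts, so `./tool --opt=x` is untouched.
pub fn split_env_assignments(args: &[String]) -> (Vec<(String, String)>, Vec<String>) {
    let mut env = Vec::new();
    let mut i = 0;
    while i < args.len() {
        match args[i].split_once('=') {
            Some((name, value)) if is_env_name(name) => {
                env.push((name.to_string(), value.to_string()));
                i += 1;
            }
            _ => break,
        }
    }
    (env, args[i..].to_vec())
}

/// Build the child: argv[0] is the program, the rest its arguments. The
/// credentials travel as the standard AWS_* variables, which the AWS SDKs and
/// aws-cli rank above the credentials file in their credential chain. All three
/// standard streams are inherited, so the parent's pipes apply to the child.
pub fn build_command(argv: &[String], creds: &SessionCredentials) -> Result<Command, String> {
    let (extra_env, argv) = split_env_assignments(argv);
    let (program, args) = argv.split_first().ok_or("no command given")?;
    let mut cmd = Command::new(program);
    cmd.args(args)
        .envs(extra_env)
        .env("AWS_ACCESS_KEY_ID", &creds.access_key_id)
        .env("AWS_SECRET_ACCESS_KEY", &creds.secret_access_key)
        .env("AWS_SESSION_TOKEN", &creds.session_token)
        .stdin(Stdio::inherit())
        .stdout(Stdio::inherit())
        .stderr(Stdio::inherit());
    Ok(cmd)
}

/// Run the child and return its exit code, so the wrapper can exit with the
/// same status as the wrapped command, as sudo does.
pub fn run(mut cmd: Command) -> io::Result<i32> {
    let status = cmd.status()?;
    Ok(status.code().unwrap_or(1)) // killed by a signal: report failure
}

/// Constructed placeholder credentials for the example.
pub fn sample_credentials() -> SessionCredentials {
    SessionCredentials {
        access_key_id: "ASIAEXAMPLE".to_string(),
        secret_access_key: "secretexample".to_string(),
        session_token: "tokenexample".to_string(),
    }
}

fn main() {
    let argv: Vec<String> = std::env::args().skip(1).collect();
    let cmd = match build_command(&argv, &sample_credentials()) {
        Ok(cmd) => cmd,
        Err(e) => {
            eprintln!("Error: {}", e);
            std::process::exit(2);
        }
    };
    match run(cmd) {
        Ok(code) => std::process::exit(code),
        Err(e) => {
            eprintln!("Error: {}", e);
            std::process::exit(1);
        }
    }
}
```

Because the command is built from argv rather than from a single quoted string, no shell is involved and arguments containing spaces or glob characters reach the child unchanged; inheriting stdin is what lets the cat foo.csv | ... pipeline above stream through.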