Skip to content
Automated AWS API access using a SAML compliant identity provider
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin
lib
test
.travis.yml
CHANGELOG.md
CONTRIBUTING.md
Gemfile
LICENSE
README.md
Rakefile
awsudo.gemspec

README.md

awsudo + aws-agent

Build Status

Overview

awsudo enables users to execute commands that make API calls to AWS under the security context of an IAM role. The IAM role is assumed only upon successful authentication against a SAML compliant federation service.

aws-agent enables users to authenticate against a SAML compliant federation service once, after which aws-agent provides temporary credentials to awsudo to use.

Synopsis

awsudo {role-name | role-arn} command
 
aws-agent

Requirements

  • UNIX, UNIX-like or GNU/Linux operating system
  • SAML compliant federation service
  • ruby 2.1 or above
  • rubygems: aws-sdk, nokogiri

Install

  sudo gem install awsudo

Configuration

awsudo and aws-agent expect a configuration file named .awsudo in your home directory containing the values for your identity provider login url and the SAML provider name configured in AWS.

Example for AD FS:

IDP = adfs
IDP_LOGIN_URL = https://sts.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
SAML_PROVIDER_NAME = adfs

Example for Okta:

IDP = okta
IDP_LOGIN_URL = https://example.okta.com/app/example/abc123/sso/saml
SAML_PROVIDER_NAME = okta
API_ENDPOINT = https://example.okta.com/api/v1

In addition to .awsudo, you can create .aws-roles in your home directory to map IAM roles ARNs to more easy to remember alias names, one per line, separated by spaces. Example:

myaccount-admin  arn:aws:iam::123456789012:role/myaccount-admin

Examples

awsudo

$ awsudo arn:aws:iam::123456789012:role/myaccount-admin aws ec2 describe-tags --region us-west-2
 
$ awsudo myaccount-admin aws ec2 describe-instances --region us-east-1

awsudo will ask your federated credentials every time. To avoid this use aws-agent as follows:

aws-agent

$ aws-agent
Login: username
Password:
AWS_AUTH_SOCK=/var/folders/xz/lx178g0d0rb36x95446zwgd80000gp/T/aws-20150623-20990-58v1c4/agent; export AWS_AUTH_SOCK;

then execute the commands printed by aws-agent. awsudo will now ask for temporary credentials to aws-agent.

Author

Gerardo Santana Gomez Garrido

Contributors

You can’t perform that action at this time.