- This tool is deeply inspired by makethunder/awsudo.
- This project is to help me learn python and I'm far from being perfect. Advice is welcome, but also remember that I have an opinion.
- I had to have multiple aws keys of multiple users.
- The command provided to awsudo2 has its environment enriched with AWS standard variables.
$ awsudo2 -u default env | grep AWS
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_SESSION_TOKEN=...
AWS_SECURITY_TOKEN=...
AWS_PROFILE=default
AWS_DEFAULT_REGION=...
- Get temporary credentials for a given role (profile some-role):
$ awsudo2 -u some-profile env | grep AWS
This is useful for running aws-cli or terraform.
- Get temporary credentials for yourself (profile default):
$ awsudo2 -u default env | grep AWS
This is useful when using programs which are able to call AssumeRole themselves, like terragrunt.
- Have your user security token cached: the first call performs MFA authentication if needed. The next ones re-use the cached session tokens (in ~/.aws/awsudo2/cache) for the specified duration_seconds:
$ awsudo2 -u default echo Hello
Enter MFA code of device arn:aws:iam::123456789012:mfa/some-username:
Hello
$ awsudo2 -u default echo Hello
Hello
awsudo2 also uses AWS_PROFILE:
$ export AWS_PROFILE=some-profile
$ awsudo2 echo Hello
Hello
- Save your config
Profiles are looked up in both AWS files: awsudo2 doesn't check which file contains what. This makes it possible to put mfa_serial in credentials, so personal data is only in credentials and config can be shared between colleagues.
- Completion with oh-my-zsh:
$ awsudo2 <tab>
$ awsudo2 -u <tab>
default some-profile some-other-profile
$ awsudo2 -u some-profile <tab>
zsh: do you wish to see all 3328 possibilities (3328 lines)?
If AWS_PROFILE is defined, no argument is needed and none will be proposed by the completion. This is useful when used with aliases. For example, the completion of aws command will be performed:
$ export AWS_PROFILE=some-profile
$ alias aws="awsudo2 aws"
$ aws <tab>
...
- Be creative!
I use the aws plugin of oh-my-zsh. My experience goes like this:
$ export AWS_PROFILE=some-profile
$ alias aws='awsudo2 aws' <aws:some-profile>
$ aws sts get-caller-identity <aws:some-profile>
{
"UserId": "...",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/some-role/default"
}
$ AWS_PROFILE=some-other-profile aws sts get-caller-identity <aws:some-profile>
{
"UserId": "...",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/some-other-role/default"
}
$ awsudo2 docker run --rm -ti -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN whatever-images
...
As aws is an alias to awsudo2 aws, the security token is refreshed at each command invocation without having to enter my MFA token for up to one and a half days (default value for user tokens).
- Have python3 and pip3 installed to your tastes.
- Have aws-cli set up with your keys.
$ pip3 install git+https://github.com/outersystems/awsudo2.git
$ cat ~/.aws/config
[profile default]
source_profile = default
region = us-east-1
duration_seconds = 129600
[profile some-profile]
role_arn = arn:aws:iam::123456789012:role/some-rolename
source_profile = default
region = us-east-1
[profile some-other-profile]
role_arn = arn:aws:iam::123456789012:role/some-other-rolename
source_profile = default
region = us-east-1
$ cat ~/.aws/credentials
[default]
aws_access_key_id = AKIAIXAKX3ABKZACKEDN
aws_secret_access_key = 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
mfa_serial = arn:aws:iam::123456789012:mfa/some-username
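
The two-file profile lookup described above, sketched as an added example (not awsudo2's own code), together with a check that config holds no personal data before it is shared with colleagues. The function names, the placeholder secrets and the rule that credentials wins on a conflicting key are assumptions of this example.

```python
import configparser

# Constructed sample files mirroring the layout shown above (placeholder secrets).
CONFIG = """\
[profile default]
source_profile = default
region = us-east-1
duration_seconds = 129600

[profile some-profile]
role_arn = arn:aws:iam::123456789012:role/some-rolename
source_profile = default
region = us-east-1
"""
CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLD
aws_secret_access_key = constructed-placeholder-secret
mfa_serial = arn:aws:iam::123456789012:mfa/some-username
"""
# Keys that identify one person and should stay out of a shared config file.
PERSONAL_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token", "mfa_serial"}


def _sections(text):
    """Parse one AWS ini file into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(text)
    # config uses "[profile name]" headers, credentials uses "[name]".
    return {s.removeprefix("profile ").strip(): dict(parser[s]) for s in parser.sections()}


def load_profile(name, config_text, credentials_text):
    """Merge a profile from both files; credentials wins on conflict (assumption)."""
    merged = {}
    for text in (config_text, credentials_text):
        merged.update(_sections(text).get(name, {}))
    return merged


def personal_keys_in(config_text):
    """List (profile, key) pairs that would leak if this file were shared."""
    return sorted((p, k) for p, kv in _sections(config_text).items()
                  for k in kv if k in PERSONAL_KEYS)


if __name__ == "__main__":
    print(load_profile("default", CONFIG, CREDENTIALS))
    print(personal_keys_in(CONFIG))
```

Running personal_keys_in over the real ~/.aws/config before committing or sending it shows whether any key material or MFA serial has drifted out of credentials.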