
awsudo's Introduction

sudo-like behavior for role assumed access on AWS accounts

What does it do?

The AWS sudo: it injects AWS credentials into the command you want to run:

awsudo -u staging env | grep AWS

Results in:

AWS_SESSION_TOKEN=********
AWS_SECRET_ACCESS_KEY=**************
AWS_ACCESS_KEY_ID=********

Notice - awsudo was meant for local usage, it is not for server authentication.

See the Motivation section for more info.

Workflow

This is how the CLI works under the hood:

[Workflow diagram]

Setup

It is assumed that you have awscli installed and configured, or at least a ~/.aws/config file following this pattern:

[profile foo]
role_arn=...
mfa_serial=... (if necessary)
region=...

More information: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
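The following added example (not awsudo's own code) parses the profile pattern above and runs a command with credentials placed only in the child's environment. The function names, the sample config and the placeholder credential values are assumptions, and it assumes the temporary credentials have already been obtained.

```rust
use std::collections::HashMap;
use std::process::{Command, Output};

/// One `[profile NAME]` section, following the pattern shown above.
#[derive(Debug)]
pub struct Profile {
    pub role_arn: String,
    pub mfa_serial: Option<String>, // present only when the role requires MFA
    pub region: Option<String>,
}

/// Find `[profile NAME]` in the config text and collect its key=value pairs.
pub fn parse_profile(config: &str, name: &str) -> Result<Profile, String> {
    let header = format!("[profile {}]", name);
    let (mut in_section, mut found) = (false, false);
    let mut kv: HashMap<String, String> = HashMap::new();
    for line in config.lines().map(str::trim) {
        if line.starts_with('[') {
            in_section = line == header;
            found |= in_section;
        } else if in_section && !line.starts_with('#') {
            if let Some((k, v)) = line.split_once('=') {
                kv.insert(k.trim().to_string(), v.trim().to_string());
            }
        }
    }
    if !found {
        return Err(format!("profile '{}' not found", name));
    }
    let role_arn = kv.remove("role_arn").ok_or("profile has no role_arn")?;
    Ok(Profile { role_arn, mfa_serial: kv.remove("mfa_serial"), region: kv.remove("region") })
}

/// Run `program` with the credentials set only in the child's environment;
/// the calling process never exports them, so nothing lingers in the shell.
pub fn run_with_credentials(creds: &[(&str, &str)], program: &str, args: &[&str]) -> std::io::Result<Output> {
    Command::new(program).args(args).envs(creds.iter().copied()).output()
}

fn main() {
    // Constructed sample config and placeholder credentials (not real values).
    let cfg = "[profile staging]\nrole_arn = arn:aws:iam::111111111111:role/example\nregion = eu-west-1\n";
    let p = parse_profile(cfg, "staging").expect("profile");
    println!("role: {}, mfa: {:?}, region: {:?}", p.role_arn, p.mfa_serial, p.region);
    let creds = [("AWS_ACCESS_KEY_ID", "EXAMPLE-KEY-ID"), ("AWS_SESSION_TOKEN", "example-token")];
    let out = run_with_credentials(&creds, "env", &[]).expect("spawn env");
    let child_sees = String::from_utf8_lossy(&out.stdout).contains("AWS_SESSION_TOKEN=example-token");
    println!("child sees token: {}, parent sees token: {}", child_sees, std::env::var("AWS_SESSION_TOKEN").is_ok());
}
```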

macOS

brew tap marceloboeira/formulas
brew install marceloboeira/formulas/awsudo

Usage

awsudo - sudo-like behavior for role assumed access on AWS accounts 0.1.1

USAGE:
    awsudo [OPTIONS] --user <user> [SUBCOMMAND]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
        --cache-dir <DIR>    Custom directory for credentials caching, defaults to ~/.awsudo/
    -c, --config <FILE>      Custom config file, defaults to: ~/.aws/config
    -u, --user <user>        AWS profile name based on the config file

Thanks clap for that.

Examples

Get all of the S3 buckets of the production account:

awsudo -u production aws s3 ls

Run an executable that needs AWS credentials:

awsudo -u staging delete_s3_buckets "s3://staging-acc/foo"

Aliases

This is not required, but interesting:

alias awss='awsudo -u staging'
alias awso='awsudo -u operations'
alias awsp='awsudo -u production'

Then after:

awss [subcommand]

Motivation

Main motivation was to write something that I would use every day with Rust; the awsudo use case was quite interesting. The original awsudo is heavily used where I work and it constantly causes pain. The CLI has a couple of issues:

  1. Distribution - It was written in Python, which makes it difficult to distribute; it also doesn't have a Homebrew formula
  2. Dependencies - It locks the aws-cli version, and depends on code of the CLI itself
  3. Versioning - It doesn't have versions whatsoever
  4. Bugs - It has a couple of bugs, e.g.: you can't pass AWS_* like variables to your command

The official solution from AWS is not really great either:

  1. Stateful - Once you assume a role, you stick with it until it expires or you switch
  2. CLI centric - Hard to share the credentials and switch quickly if you are not using their CLI
