andreineculau / fl-aws

Flaws at AWS
Apache License 2.0
15 stars 0 forks

aws-sdk-js cannot understand aws-cli assumed roles #7

Open andreineculau opened 7 years ago

andreineculau commented 7 years ago

Given that we are all grown-ups and agree that the best way to secure AWS access is via Roles with permissions, and Users with one permission (i.e. to assume a role) - ref https://cloudonaut.io/improve-aws-security-protect-your-keys-with-ease/ - I have an easy shell alias aws_switch that allows me to switch between profiles with different roles.

The problem is that aws-sdk-js (and other SDKs, e.g. aws-sdk-go) does not understand that my current shell is an AWS environment with an assumed role.

andreineculau commented 7 years ago

For future reference, my aws_switch alias looks like:

```bash
function aws_switch() {
    [ $# -gt 0 ] || {
        echo >&2 "Usage: aws_switch profile"
        return 1   # return, not exit: this function runs in the interactive shell itself
    }
    aws configure list --profile "$1" >/dev/null || {
        # aws-cli already reports the missing profile on stderr
        return 1
    }

    export AWS_DEFAULT_PROFILE="$1"

    # Workarounds for the JavaScript SDK
    # - doesn't know about AWS_DEFAULT_PROFILE, but it does obey AWS_PROFILE
    # - doesn't know about the profile configuration's region, but it does obey AWS_REGION
    export AWS_PROFILE="$1"
    export AWS_REGION=$(aws configure get region --profile "$1")
    export AWS_DEFAULT_REGION=${AWS_REGION}

    echo "Switched to AWS profile: $1"
    aws configure list
}
```
andreineculau commented 7 years ago

For future reference, getting aws-sdk-js to understand aws-cli's assumed role works via https://gist.github.com/andreineculau/a186c2181a3099a422abc293c8e79fef

andreineculau commented 7 years ago

Alternatively, a solution that works with all aws-sdk-X is to export the secret, key ID and the session token into the environment. We use the following, a design that can also be included in a Makefile:

```bash
#!/usr/bin/env bash
set -eu

# Prints `export` lines for the temporary credentials that aws-cli cached when it
# assumed the role of the current profile; the caller evals the output.
AWS_PROFILE=${AWS_PROFILE:-${AWS_DEFAULT_PROFILE:-}}
[ -n "${AWS_PROFILE}" ] || exit 0

# aws-cli names its cache entries <profile>--<mangled role ARN>.json;
# `head -1` picks the first match, as there is normally only one per profile
AWS_CLI_CACHE_FILE=$(ls ~/.aws/cli/cache/ | grep "^${AWS_PROFILE}--arn_aws_iam__" | head -1 || true)
[ -n "${AWS_CLI_CACHE_FILE}" ] || exit 0

AWS_CLI_CACHE_FILE=~/.aws/cli/cache/${AWS_CLI_CACHE_FILE}

# Credentials already present in the environment take precedence over the cache.
# print(...) keeps the one-liners working under both Python 2 and 3.
# Note: the cache entry's Expiration is not checked here, so a stale entry is
# exported as-is and the caller must re-run aws-cli to refresh it.
[ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || \
   AWS_SECRET_ACCESS_KEY=$(python -c 'import sys,json;print(json.load(open(sys.argv[1]))["Credentials"]["SecretAccessKey"])' "${AWS_CLI_CACHE_FILE}")
[ -n "${AWS_ACCESS_KEY_ID:-}" ] || \
  AWS_ACCESS_KEY_ID=$(python -c 'import sys,json;print(json.load(open(sys.argv[1]))["Credentials"]["AccessKeyId"])' "${AWS_CLI_CACHE_FILE}")
[ -n "${AWS_SESSION_TOKEN:-}" ] || \
  AWS_SESSION_TOKEN=$(python -c 'import sys,json;print(json.load(open(sys.argv[1]))["Credentials"]["SessionToken"])' "${AWS_CLI_CACHE_FILE}")

echo "export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}"
echo "export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}"
echo "export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}"
```