Open andreineculau opened 7 years ago
For future reference, my `aws_switch` alias looks like:
```bash
function aws_switch() {
  [ $# -gt 0 ] || {
    echo >&2 "Usage: aws_switch profile"
    return 1   # return, not exit: this function runs inside the interactive shell
  }
  aws configure list --profile "$1" >/dev/null || {
    # echo >&2 "Unknown AWS profile: $1"
    return 1
  }
  export AWS_DEFAULT_PROFILE=$1
  # Workarounds for the JavaScript SDK
  # - doesn't know about AWS_DEFAULT_PROFILE, but it does obey AWS_PROFILE
  # - doesn't know about the profile configuration's region, but it does obey AWS_REGION
  export AWS_PROFILE=$1
  export AWS_REGION=$(aws configure get region --profile "$1")
  export AWS_DEFAULT_REGION=${AWS_REGION}
  echo "Switched to AWS profile: $1"
  aws configure list
}
```
For future reference, getting aws-sdk-js to understand aws-cli's assumed role works via https://gist.github.com/andreineculau/a186c2181a3099a422abc293c8e79fef
Alternatively, a solution that works with all aws-sdk-X is to export the secret, key ID and the session token into the environment. We use the following, a design that can also be included in a Makefile:
```bash
#!/usr/bin/env bash
set -euo pipefail
AWS_PROFILE=${AWS_PROFILE:-${AWS_DEFAULT_PROFILE:-}}
[ -n "${AWS_PROFILE}" ] || exit 0
# The CLI caches assumed-role credentials in ~/.aws/cli/cache/, one JSON file per profile and role
AWS_CLI_CACHE_FILE=$(ls ~/.aws/cli/cache/ | grep "^${AWS_PROFILE}--arn_aws_iam__" | head -1 || true)
[ -n "${AWS_CLI_CACHE_FILE}" ] || exit 0
AWS_CLI_CACHE_FILE=~/.aws/cli/cache/${AWS_CLI_CACHE_FILE}
# Read one field of the cached credentials (Python 3 syntax; the Python 2 print statement fails under python3)
json_field() {
  python3 -c 'import sys, json; print(json.load(open(sys.argv[1]))["Credentials"][sys.argv[2]])' \
    "${AWS_CLI_CACHE_FILE}" "$1"
}
[ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || AWS_SECRET_ACCESS_KEY=$(json_field SecretAccessKey)
[ -n "${AWS_ACCESS_KEY_ID:-}" ] || AWS_ACCESS_KEY_ID=$(json_field AccessKeyId)
[ -n "${AWS_SESSION_TOKEN:-}" ] || AWS_SESSION_TOKEN=$(json_field SessionToken)
# Print export lines for the caller to eval, e.g. eval "$(./aws-env.sh)"
echo "export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}"
echo "export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}"
echo "export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}"
```
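The following is an added example and not code from this thread or from aws-sdk-js. It covers the two workarounds discussed above in one place: it resolves the profile's region from `~/.aws/config` (where named profiles live in `[profile NAME]` sections, which `aws configure get region --profile` hides from you) and pulls the assumed-role credentials from a CLI cache file, but it also checks the cached `Expiration` field, which the script above does not, so that expired or nearly expired temporary credentials are never exported into the shell. The config and cache contents are constructed samples, and the `SAMPLE_CONFIG`, `SAMPLE_CACHE`, `profile_region`, `cached_credentials` and `export_lines` names are this example's own; the assumption that the cache file carries a `Credentials.Expiration` timestamp in ISO-8601 form is noted in the code.

```python
"""Added example, not from the issue thread: resolve an AWS profile's region from
~/.aws/config and its cached assumed-role credentials from ~/.aws/cli/cache/,
and emit shell `export` lines, refusing credentials that are about to expire."""
import configparser
import json
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample of ~/.aws/config. Named profiles live in "[profile NAME]"
# sections; only the default profile is a bare "[default]" section.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile dev]
region = eu-west-1
role_arn = arn:aws:iam::123456789012:role/DevRole
source_profile = default
"""

# Constructed sample of a ~/.aws/cli/cache/*.json file (field names follow the
# STS AssumeRole response). Assumption: Expiration is an ISO-8601 timestamp;
# its exact form has varied between CLI versions, so both a trailing "Z" and an
# explicit "+00:00" offset are accepted below.
SAMPLE_CACHE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "example/secret/key",
        "SessionToken": "example-session-token",
        "Expiration": "2030-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::123456789012:assumed-role/DevRole/example-session",
    },
})


def profile_region(config_text, profile):
    """Region configured for `profile`, or None if the profile sets none."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cp.has_section(section):
        raise KeyError(f"unknown AWS profile: {profile}")
    return cp.get(section, "region", fallback=None)


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp into an aware datetime (UTC if no offset)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def cached_credentials(cache_text, now=None, min_remaining=timedelta(minutes=5)):
    """Credentials from a CLI cache file, or None if they expire within
    `min_remaining` (so a long-running command does not start on a dying
    token). `now` is an ISO-8601 string, defaulting to the current UTC time."""
    creds = json.loads(cache_text)["Credentials"]
    current = parse_timestamp(now) if now else datetime.now(timezone.utc)
    if parse_timestamp(creds["Expiration"]) - current < min_remaining:
        return None
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")}


def export_lines(profile, config_text, cache_text, now=None):
    """`export` lines for eval in the calling shell, or None if the cached
    credentials are unusable. Values go through shlex.quote so nothing the
    shell would interpret survives into the eval."""
    creds = cached_credentials(cache_text, now)
    if creds is None:
        return None
    env = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
    region = profile_region(config_text, profile)
    if region:
        # aws-sdk-js reads AWS_REGION, the CLI reads AWS_DEFAULT_REGION
        env["AWS_REGION"] = region
        env["AWS_DEFAULT_REGION"] = region
    return [f"export {name}={shlex.quote(value)}" for name, value in env.items()]


if __name__ == "__main__":
    lines = export_lines("dev", SAMPLE_CONFIG, SAMPLE_CACHE)
    print("\n".join(lines) if lines
          else "# cached credentials expired; run an aws command to refresh them")
```

Returning None instead of stale export lines matters because `eval "$(...)"` silently keeps whatever was in the environment before; a 5-minute margin keeps a command that takes a while from starting on credentials that expire halfway through.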
Given that we are all grown-ups and agree that the best way to secure AWS access is via Roles with permissions, and Users with one permission (i.e. to assume a role) - ref https://cloudonaut.io/improve-aws-security-protect-your-keys-with-ease/ - I have an easy shell alias `aws_switch` that allows me to switch between profiles with different roles. The problem is that aws-sdk-js (nor other SDKs, e.g. aws-sdk-go) does not understand that my current shell is an AWS environment with an assumed role.