search

common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License
964 stars 91 forks source link

Assume another role after assuming a profile #506

Closed sosheskaz closed 8 months ago

sosheskaz commented 9 months ago

In some edge cases, we may have roles which an individual has access to, but which we do not have a pre-configured profile for.

It would be useful, then, to have the ability to have Granted assume a role using the profile we give it.

Example use-case: for testing purposes, e.g. if you want to assume a newly-created role to manually act in its stead to test permissions before handing it to an application.

The implementation could look something like:

assume my-base-profile --chain-assume-role arn:aws:iam::012345678901:role/my-role

Which would then

ndemeshchenko commented 9 months ago

+1, desperately need this feature

moltar commented 9 months ago

You can achieve something similar to this, without CLI though, by adding the profile to your ~/.aws/config, like so:

[profile your-other-manually-defined-profile]
source_profile    = Foo/Bar/AdministratorAccess ; granted-managed profile name
role_arn          = arn:aws:...::..:role/... ; the role you want to assume

Then you can still use granted and just select this profile from the list, and it all Just Works.

Of course, it's not as ideal as having the flexibility to assume any role, as every role needs to be added to the config manually.

moltar commented 9 months ago

Perhaps, an interesting story here would be to also allow the end-user to select from a list of roles, like AWS profiles, with a fuzzy search.

As an option, perhaps, can filter roles by a specific tag (e.g.granted=true), to avoid having a huge list of roles to sift through.

moltar commented 8 months ago

Thanks @JoshuaWilkes! I can confirm that your PR fixes this issue! 👍🏼