common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License
956 stars 90 forks

Feature request: Introducing “sudo” functionality into Granted #612

Open shwethaumashanker opened 4 months ago

shwethaumashanker commented 4 months ago

From Slack

Context: From Iain Elder

Hi, all. I've been a lurker for a while but I just thought of a use case that would give me a compelling reason to switch to using granted from my current janky custom setup. Does granted have some sort of "sudo" capability for AWS profiles? By default I set my CLI to the "read-only" profile for the account I work in. Maybe 1 command in 100 actually needs to modify something in the account. Guess which command fails with "access denied" before I realize I have to use the "admin" profile! To switch to the admin profile I need to set its whole explicit name in the command or in the script, which is more typing and perhaps makes the commands less reusable across accounts. Obviously typing sudo aws doesn't work, but maybe granted would define a command such as sudoaws or similar that would call the aws command with the correct elevated privilege for the context.

From @chrnorm

I love this idea. At the moment we don’t do this, but would love ideas from everyone as to how this could work. The use case here is introducing “sudo” functionality into Granted, to elevate into an admin profile for a particular AWS command: granted sudo aws s3 rm <object>. As you’ve mentioned, Granted would need to know about the default and elevated role for an account. Perhaps we could do this with an attribute on the profile:

```ini
[profile account-a/default] # profile naming convention doesn't matter
... regular profile config here
granted_default_profile_for = account-a

[profile account-a/sudo] # profile naming convention doesn't matter
... regular profile config here
granted_sudo_profile_for = account-a
```

When you run assume, you’d just see account-a appear, and if you run assume account-a, you get the default profile for that account (account-a/default). The default role should be something like ViewOnlyAccess, which would mean a command like aws s3 rm for example wouldn’t work. If you want to use the elevated role for an aws command, you could run granted sudo aws s3 rm, and Granted would swap your profile to the elevated one just for that command. Reposting in the channel here for visibility, would anyone else be interested in this sort of functionality being built in to Granted? Personally I’d use it myself for when I am working against prod accounts!
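As an added prototype of the profile resolution described in the comment above (example code written for this page, not code from the Granted project), the Go function below reads the proposed `granted_default_profile_for` / `granted_sudo_profile_for` attributes and maps the profile a shell is currently using to that account's elevated profile. The config text is constructed, and the function name and its error cases are assumptions about how such a feature could behave.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample ~/.aws/config using the attribute names proposed in the thread.
const sampleConfig = `[profile account-a/default] # profile naming convention doesn't matter
granted_default_profile_for = account-a
[profile account-a/sudo]
granted_sudo_profile_for = account-a
[profile account-b/default]
granted_default_profile_for = account-b
`

// sudoProfile resolves the elevated profile for the account that the current
// (default) profile belongs to, and errors when either attribute is missing.
func sudoProfile(cfg, current string) (string, error) {
	accountOf := map[string]string{} // default profile -> account
	sudoFor := map[string]string{}   // account -> sudo profile
	section := ""
	for sc := bufio.NewScanner(strings.NewReader(cfg)); sc.Scan(); {
		line := strings.TrimSpace(strings.SplitN(sc.Text(), "#", 2)[0]) // drop trailing comment
		if strings.HasPrefix(line, "[profile ") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[len("[profile ") : len(line)-1])
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok || section == "" {
			continue
		}
		switch k, v = strings.TrimSpace(k), strings.TrimSpace(v); k {
		case "granted_default_profile_for":
			accountOf[section] = v
		case "granted_sudo_profile_for":
			sudoFor[v] = section
		}
	}
	acct, ok := accountOf[current]
	if !ok {
		return "", fmt.Errorf("%q is not the granted_default_profile_for any account", current)
	}
	if s, ok := sudoFor[acct]; ok {
		return s, nil
	}
	return "", fmt.Errorf("account %s has no granted_sudo_profile_for profile", acct)
}
```

A `granted sudo aws ...` wrapper would then run the aws process once with `AWS_PROFILE` set to the returned profile, leaving the calling shell on its read-only profile; refusing to elevate when the sudo profile is absent keeps the read-only default as the failure mode.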

iainelder commented 4 months ago

Thank you @shwethaumashanker for tracking the feature idea.

Once I have refamiliarized myself with Granted's current features, I'll be able to provide more specific feedback on how I would expect a "sudo" feature to work.