search

trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License
488 stars 90 forks source link

Use "role_session_name" parameter inside "~/.aws/config" when switching roles #107

Closed eduardohki closed 3 years ago

eduardohki commented 4 years ago

Hello,

First of all, thank you very much for making AWSume!

I have a use-case which may be relevant to others: when using AWSume to switch roles to another account based on previous IAM User keys, I would like AWSume to make use of the role_session_name provided inside my ~/.aws/config file by default (if any).

This would be very relevant for Auditing purposes.

I have a use-case where every IAM User has to set its own email in the role_session_name field, so the user issuing AWS CLI and Terraform calls can be easily spotted in CloudTrail.

For example, in the following aws-cli configuration:

[profile my_iam_user]
region = eu-central-1
mfa_serial = arn:aws:iam::00000000000:mfa/my_iam_user

[profile my_iam_role_on_another_account]
region = eu-central-1
role_arn = arn:aws:iam::111111111111:role/Administrator
source_profile = my_iam_user
role_session_name = my@email.com

If I don't specify the flag --session-name every time I want to switch to another account's Role, AWSume will set the role_session_name as the name of the profile itself (e.g. my_iam_role_on_another_account, in this case):

$ awsume my_iam_role_on_another_account
$ aws sts get-caller-identity
{
  "UserId": "ASDF27V5K4EYKONUOHJKL:my_iam_role_on_another_account",
  "Account": "111111111111",
  "Arn": "arn:aws:iam::111111111111:role/Administrator/my_iam_role_on_another_account"
}

What I would like AWSume to do by default, is to use the role_session_name parameter by default, if no --session-name flag is set:

$ awsume my_iam_role_on_another_account
$ aws sts get-caller-identity
{
  "UserId": "ASDF27V5K4EYKONUOHJKL:my@email.com",
  "Account": "111111111111",
  "Arn": "arn:aws:iam::111111111111:role/Administrator/my@email.com"
}

Thank you!

eduardohki commented 4 years ago

Oh, I just saw https://github.com/trek10inc/awsume/issues/100

Feel free to close this one, if you deem so.

mbarneyjr commented 3 years ago

Closing in favor of #100

(this has been implemented, full update found in the first issue)