trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

"aws --profile" does not work #61

Closed pputnik closed 4 years ago

pputnik commented 5 years ago

Hello,

I know we can switch profiles with awsume profile_name, but in scripts we want to be able to use the good old aws --profile profile_name command_name too, because we're working with more than one account within the same script.

.aws/config:
[default]
region = eu-west-1
output = json
mfa_serial = arn:aws:iam::111111111:mfa/username

[profile secondary]
role_arn = arn:aws:iam::222222222222:role/rolename
aws_account_id = 222222222222
region = eu-west-1
output = json
source_profile = default

# awsume
Enter MFA token: 825229
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44

# aws sts get-caller-identity
{
    "UserId": "AIDAR355SJBCL57WUCIW3",
    "Account": "111111111",
    "Arn": "arn:aws:iam::111111111:user/username"
}

# awsume secondary
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44
AWSume: Role profile credentials will expire at: 2019-08-01 09:11:33

# aws sts get-caller-identity
{
    "UserId": "AROASJBNLJ5FKMQGYZIFP:awsume-session-secondary",
    "Account": "222222222222",
    "Arn": "arn:aws:sts::222222222222:assumed-role/rolename/awsume-session-secondary"
}

# awsume
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44

# aws --profile secondary sts get-caller-identity
An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Is there a workaround? Using awsume profilename in a script is a bit awkward, and I'm afraid we'll have a mess with aws-related system variables.

Thank you.

pputnik commented 5 years ago

Update: awsume profilename in scripts just doesn't work:

+ awsume secondary
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44
AWSume: Role profile credentials will expire at: 2019-08-01 15:01:32
+ aws sts get-caller-identity
{
    "UserId": "AIDAR355SJBCL57WUCIW3",
    "Account": "111111111",
    "Arn": "arn:aws:iam::111111111:user/username"
}

and

+ awsume secondary
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44
AWSume: Role profile credentials will expire at: 2019-08-01 15:03:47
+ aws --profile secondary sts get-caller-identity

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Please help.

mbarneyjr commented 5 years ago

I believe the problem stems from the fact that aliases are not expanded for non-interactive shells in bash (see https://unix.stackexchange.com/questions/1496/why-doesnt-my-bash-script-recognize-aliases). Since the alias simply sources the shell script, you can just do something like this in your scripts:

source awsume <profile_name>

or:

. awsume <profile_name>

mbarneyjr commented 4 years ago

Closing for inactivity. Feel free to open an issue if you're still experiencing issues.
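
The difference between running awsume as a child process and sourcing it, as discussed in the thread above, shown in an added example that is not part of the original issue or the awsume project. A constructed stub stands in for awsume, and `assume`, `child_result`, `sourced_result` and `scoped_result` are hypothetical names; the third case shows one way to keep credentials for several accounts apart in a single script by giving each account its own subshell.

```shell
#!/bin/sh
# Constructed stand-in for the awsume shell script: it only exports AWS_*
# variables (assumption: that is how awsume hands credentials to the shell).
# The values are fake and no AWS API is called.
STUB="$(mktemp)"
trap 'rm -f "$STUB"' EXIT
cat > "$STUB" <<'EOF'
export AWS_ACCESS_KEY_ID="FAKEKEY-$1"
export AWS_SESSION_TOKEN="FAKETOKEN-$1"
EOF

# Hypothetical helper standing in for `. awsume <profile_name>`.
assume() { . "$STUB" "$1"; }

# 1. Run as a child process, as happens when the alias is not expanded:
#    the exports die with the child and the caller keeps its old identity.
child_result() (
  unset AWS_ACCESS_KEY_ID
  sh "$STUB" "$1"
  echo "${AWS_ACCESS_KEY_ID:-unset}"
)

# 2. Sourced: the exports land in the calling shell.
sourced_result() (
  unset AWS_ACCESS_KEY_ID
  assume "$1"
  echo "$AWS_ACCESS_KEY_ID"
)

# 3. One subshell per account: each step sees only its own credentials and
#    nothing is left in the parent environment afterwards.
scoped_result() (
  unset AWS_ACCESS_KEY_ID
  first="$(assume "$1"; echo "$AWS_ACCESS_KEY_ID")"
  second="$(assume "$2"; echo "$AWS_ACCESS_KEY_ID")"
  echo "$first $second ${AWS_ACCESS_KEY_ID:-unset}"
)

echo "child process: $(child_result secondary)"
echo "sourced:       $(sourced_result secondary)"
echo "scoped:        $(scoped_result default secondary)"
```

In a real script the subshell body would hold `. awsume <profile_name>` followed by the aws commands for that account.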