Open venth opened 6 years ago
@yermulnik, so let me rephrase your use case. We have a situation as follows:
When you use the command: aws-adfs login --role-name AwsomeRole ...
you want to be authenticated with this role in accounts:
@yermulnik, did I get you correctly?
@venth Yes, exactly.
Another consequent use case:
arn:aws:iam::11111111:role/ReadonlyRole
arn:aws:iam::22222222:role/SomeOtherRole
arn:aws:iam::33333333:role/AwsomeRole
arn:aws:iam::33333333:role/ReadonlyRole
arn:aws:iam::77777777:role/AwsomeRole
arn:aws:iam::55555555:role/AwsomeRole
And use aws-adfs login --role-name AwsomeRole --role-name SomeOtherRole ... to be authenticated in accounts 22222222, 33333333, 77777777, and 55555555. But this has to be elaborated for cases where AwsomeRole and SomeOtherRole are available in one account. This case seems to be quite rare for the vast majority of users, so it can be postponed or even ignored =)
There is an issue with the way the AWS SDK stores and reads authentication metadata. When an AWS session is authenticated, the authentication metadata is stored within a specific profile, if one is provided, or the default one.
Authentication of multiple roles is feasible and requires a separate AWS profile per role. In other words, when you authenticate multiple roles, only the last one is preserved, because its metadata overwrites the previous ones.
I think that it's much easier to iterate through roles and perform actions with aws, or, in case of parallel execution, use separate profiles.
Still, I can create profiles on the fly using a pattern like <role_name>-<account_id>. It would be complicated, and easy to forget about all these profiles that suddenly appeared.
Oh, I mentioned that in another issue, though I'm not sure I did it with proper details: I'm using your tool (and it's a brilliant tool!) with some homemade patches of mine, and all auth data is saved to profiles named after account aliases (a separate profile for each account). My everyday duties involve working with multiple accounts in the same time-frame, so it's just a matter of convenience to have several active profiles at the same time and not only one, with a need to re-auth every time I want to work with another account (not counting occasions when cross-account access is required).
The idea with <role_name>-<account_id> is quite cool (I'd use account_alias instead though) and I'll take it into account next time I get to updating my patches, because sometimes (though really rarely) I need to be able to quick-switch between different roles in the same account.
But either way I'd vote for the ability to request the role by its name and not the full ARN (because most of the time a user remembers the role name and not the full ARN, especially the account id in it). And perhaps an additional cmdline parameter to save creds to named profiles, so one can walk through a bunch of accounts in batch and assume the role with the same name in all of the accounts (if it's present and assumable).
Thanks for all the job you do to develop this tool!
Thanks for the explanation ;) I forgot to copy your reasoning from the former issue, #70. Let's sum up.
The goal of this change is to authenticate simultaneously multiple AWS roles which share the same account id (role_arn: arn:aws:iam::<account-id>:role/<role-name>). Each authenticated session's metadata is stored in a separate AWS profile. The AWS profile name is generated based on the schema <role_name>-<account_id>.
Is it OK?
The main goal for me is to be able to authenticate simultaneously to multiple AWS accounts which share the same role name. Authenticating simultaneously multiple AWS roles which share the same account id is pretty much secondary, rarely used, and I don't think it would be popular with the vast majority of users.
I personally would prefer profile names to simply be the same as the account alias: the first element of the list returned by the iam:GetAccountAliases API call.
Thank you
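An added example, not aws-adfs code and not anything either participant posted, that models the three points made in the thread: the SDK keeps one set of credentials per profile, so writing every authenticated role into the default profile leaves only the last one; naming profiles <role_name>-<account_id> keeps one section per role; and naming them by account alias alone collides as soon as two roles are assumed in the same account (the AwsomeRole/ReadonlyRole pair in 33333333 above). The role ARN list is copied from the thread; the alias map, the assume-role stand-in and the credential values are constructed placeholders, and neither sts:AssumeRoleWithSAML nor iam:GetAccountAliases is called, so it runs offline against a temporary credentials file.

```python
# Added example, not aws-adfs code: one credentials profile per authenticated role.
# Roles are copied from the thread; aliases and the "STS" output are constructed
# placeholders, so this runs offline and calls no AWS API.
import configparser
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d+):role/(.+)$")

# The role ARNs the SAML assertion would offer (copied from the thread).
AVAILABLE_ROLES = [
    "arn:aws:iam::11111111:role/ReadonlyRole",
    "arn:aws:iam::22222222:role/SomeOtherRole",
    "arn:aws:iam::33333333:role/AwsomeRole",
    "arn:aws:iam::33333333:role/ReadonlyRole",
    "arn:aws:iam::77777777:role/AwsomeRole",
    "arn:aws:iam::55555555:role/AwsomeRole",
]
# Constructed account id -> alias map standing in for the first element of
# iam:GetAccountAliases; the alias values are hypothetical.
ACCOUNT_ALIASES = {"11111111": "shared", "22222222": "ci", "33333333": "prod",
                   "77777777": "staging", "55555555": "dev"}
Aliases = Optional[Dict[str, str]]

def parse_role_arn(arn: str):
    """Return (account_id, role_name); reject anything that is not a role ARN."""
    match = ROLE_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return match.group(1), match.group(2)

def select_roles(available: Iterable[str], role_names: Iterable[str]) -> List[str]:
    """Keep every ARN whose role name matches a requested --role-name value."""
    wanted = set(role_names)
    return [arn for arn in available if parse_role_arn(arn)[1] in wanted]

def fake_assume_role(arn: str) -> Dict[str, str]:
    """Constructed stand-in for sts:AssumeRoleWithSAML (placeholder keys only)."""
    account_id, role_name = parse_role_arn(arn)
    tag = f"{role_name}-{account_id}"
    return {"aws_access_key_id": f"ASIA-{tag}", "aws_secret_access_key": f"secret-{tag}",
            "aws_session_token": f"token-{tag}"}

def profile_name(arn: str, scheme: str, aliases: Aliases = None) -> str:
    """Profile name for one role under a naming scheme discussed in the thread."""
    account_id, role_name = parse_role_arn(arn)
    if scheme == "default":       # everything written to [default]
        return "default"
    if scheme == "role-account":  # <role_name>-<account_id>
        return f"{role_name}-{account_id}"
    if scheme == "alias":         # account alias, falling back to the id
        return (aliases or {}).get(account_id, account_id)
    raise ValueError(f"unknown scheme: {scheme}")

def collisions(arns: Iterable[str], scheme: str, aliases: Aliases = None) -> Dict[str, List[str]]:
    """Profile names that more than one role maps to: the check to run before
    writing, because a later write silently replaces the earlier section."""
    by_name: Dict[str, List[str]] = {}
    for arn in arns:
        by_name.setdefault(profile_name(arn, scheme, aliases), []).append(arn)
    return {name: owners for name, owners in by_name.items() if len(owners) > 1}

def write_credentials(path: Path, arns: Iterable[str], scheme: str,
                      aliases: Aliases = None) -> Dict[str, str]:
    """Write one section per role and return {profile: arn} of the sections that
    survive; a repeated profile name keeps only the last role, as the SDK file does."""
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)
    survivors: Dict[str, str] = {}
    for arn in arns:
        name = profile_name(arn, scheme, aliases)
        cfg[name] = fake_assume_role(arn)  # same name: previous section is replaced
        survivors[name] = arn
    with path.open("w") as fh:
        cfg.write(fh)
    return survivors

def login(role_names: Iterable[str], scheme: str, path: Optional[Path] = None) -> Dict[str, str]:
    """Model `aws-adfs login --role-name ...` under a profile naming scheme and
    return {profile: arn} keyed by the sections the AWS CLI would read back."""
    path = path or Path(tempfile.mkdtemp()) / "credentials"
    written = write_credentials(path, select_roles(AVAILABLE_ROLES, role_names),
                                scheme, ACCOUNT_ALIASES)
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return {name: written[name] for name in cfg.sections()}

if __name__ == "__main__":
    wanted = ["AwsomeRole", "ReadonlyRole"]
    for scheme in ("default", "role-account", "alias"):
        print(scheme, collisions(select_roles(AVAILABLE_ROLES, wanted), scheme, ACCOUNT_ALIASES),
              sorted(login(wanted, scheme)))
```

Running it shows the `default` scheme keeping only the last assumed role, `role-account` keeping all five, and `alias` reporting `prod` as claimed by both roles in 33333333 before the second write replaces the first. A tool that names profiles by alias can call `collisions()` before writing and either refuse or fall back to the `<role_name>-<account_id>` form for just the clashing accounts.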
Forked from #70 How to user role-arn parameter?