Using awsudo for the first time

August 08, 2020 - blogging beginner

Recently at work a new method was introduced to further improve security. Instead of permissions being assigned to a specific user or group, users are assigned permissions that allow them to assume specific roles. Because of that, I've been using a tool called awsudo. It's a simple tool that helps with assuming roles in AWS.

Installation

Run this command to start the installation. It downloads the install script from the project's master branch and runs it directly in bash:

bash <(curl https://raw.githubusercontent.com/makethunder/awsudo/master/install)

Usage

The first time we use the AWS CLI, we have to configure our credentials:

$ aws configure
AWS Access Key ID [None]: insert-your-access-key-id
AWS Secret Access Key [None]: insert-your-secret-access-key
Default region name [None]: ap-southeast-1
Default output format [None]: json

Now that we have our credentials configured, we can start using awsudo. I use it to switch between roles I have set up in ~/.aws/config, which looks like this:

[profile infra]
role_arn = arn:aws:iam::123456789012:role/infra
source_profile = default
region = ap-southeast-1
mfa_serial = arn:aws:iam::98765432100:mfa/evan

We can remove the last line if we don't use MFA to assume roles, but I recommend using MFA for an extra layer of security. Now we can start assuming roles that we have defined by running:

$ awsudo -u infra env | grep AWS
AWS_SESSION_TOKEN=AQoDYXdzEBcaoAKIYnZ67+8/BzPkkpbpR3yfv9bAQoDYXdzEBcaoAKIYnZ67+8/BzPkkpbpR3yfv9b
AWS_SECRET_ACCESS_KEY=rkCLOMJMx2DbGoGySIETU8aRFfjGxgJAzDJ6Zt+3
AWS_ACCESS_KEY_ID=AKIAIXAKX3ABKZACKEDN
AWS_DEFAULT_REGION=ap-southeast-1

The command outputs the credentials required to run things using the AWS CLI, but at this point we would still need to run awsudo every time we want to invoke the AWS CLI. I made it simpler by exporting those credentials to the current bash session:

eval "$(sed 's/^/export /' <(awsudo -u infra env | grep '^AWS_'))"

Now we just need to run it once every time our credentials expire.
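
The same export step can be done without eval, so that nothing in the env output is ever interpreted as shell code. This is an added example, not part of the original post or of awsudo; the function names load_aws_env and assume_role are hypothetical, and it assumes awsudo exits non-zero when the role cannot be assumed.

```bash
# Added example: export temporary credentials without eval.
# load_aws_env and assume_role are hypothetical names, not part of awsudo.

# Read `env`-style lines on stdin and export only well-formed AWS_* variables.
# Returns non-zero if no AWS_* variable was found.
load_aws_env() {
    local line name value count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            AWS_*=*) ;;            # candidate: starts with AWS_ and has a value
            *) continue ;;         # anything else in the environment is ignored
        esac
        name=${line%%=*}           # text before the first '='
        value=${line#*=}           # text after the first '='
        case "$name" in
            *[!A-Z0-9_]*) continue ;;   # reject names with unexpected characters
        esac
        export "$name=$value"      # plain assignment: the value is never evaluated
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Assume the role behind a profile from ~/.aws/config and load its credentials
# into the current shell. Existing credentials are left untouched on failure.
assume_role() {
    local out
    out=$(awsudo -u "$1" env) || {
        echo "awsudo failed for profile '$1'" >&2
        return 1
    }
    load_aws_env <<EOF
$out
EOF
}

# Usage, after sourcing this file in the current session:
#   assume_role infra
```

Because the functions have to change the current shell's environment, the file must be sourced (for example from ~/.bashrc) rather than executed as a script.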