awsudo

sudo-like utility to manage AWS credentials

Really Quickstart

$ bash <(curl https://raw.githubusercontent.com/makethunder/awsudo/master/install)

For a somewhat broader introduction to what can be accomplished, read on...

Quick Tutorial

Install it:

$ pip install --user git+https://github.com/makethunder/awsudo.git

The --user option asks pip to install to your home directory, so you might need to add that to $PATH:

$ echo 'export PATH="$(python -m site --user-base)/bin:${PATH}"' >> ~/.bashrc
$ source ~/.bashrc

Configure aws if you haven't already, substituting your own credentials and preferences:

$ aws configure
AWS Access Key ID [None]: AKIAIXAKX3ABKZACKEDN
AWS Secret Access Key [None]: rkCLOMJMx2DbGoGySIETU8aRFfjGxgJAzDJ6Zt+3
Default region name [None]: us-east-1
Default output format [None]: table

Now you have a basic configuration in ~/.aws/. Some tools will read this configuration, but for less enlightened tools that only read from environment variables, you can invoke them with awsudo:

$ awsudo env | grep AWS
AWS_ACCESS_KEY_ID=AKIAIXAKX3ABKZACKEDN
AWS_DEFAULT_REGION=us-east-1
AWS_SECRET_ACCESS_KEY=rkCLOMJMx2DbGoGySIETU8aRFfjGxgJAzDJ6Zt+3

It's been a while, and you want to rotate your API keys according to best practices. Or maybe you were doing a presentation and accidentally flashed your credentials to the audience. Oops! Just one command rotates your keys and updates your configuration:

$ awsrotate

If you want to rotate your key every day at 5:26 AM automatically, you might ask cron to run awsrotate for you, like so:

$ (crontab -l; echo "26 05 * * * $(which awsrotate)") | crontab -

Maybe you have separate development and production accounts, and you need to assume a role to use them? You might add a section like this to ~/.aws/config for each account, substituting your own account number and role name:

[profile development]
role_arn = arn:aws:iam::123456789012:role/development
source_profile = default
region = us-east-1

Now you can use the -u PROFILE_NAME option to have awsudo assume that role, and put those temporary credentials in the environment:

$ awsudo -u development env | grep AWS
AWS_ACCESS_KEY_ID=AKIAIXAKX3ABKZACKEDN
AWS_DEFAULT_REGION=us-east-1
AWS_SECRET_ACCESS_KEY=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
AWS_SESSION_TOKEN=AQoDYXdzEBcaoAKIYnZ67+8/BzPkkpbpR3yfv9bAQoDYXdzEBcaoAKIYnZ67+8/BzPkkpbpR3yfv9b
AWS_DEFAULT_REGION=us-east-1

Maybe assuming that role requires MFA? Just add that to the configuration and awsudo will prompt you for your MFA code when necessary. Example:

[profile development]
role_arn = arn:aws:iam::123456789012:role/development
source_profile = default
region = us-east-1
mfa_serial = arn:aws:iam::98765432100:mfa/phil.frost

The mfa_serial option should correspond to an MFA device in the account referenced by source_profile.
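
An added example, not part of awsudo: a small Python check that parses text in the ~/.aws/config format shown above and reports role profiles whose source_profile is undefined or whose mfa_serial is missing or malformed. The function names, sample profiles and account IDs are constructed for illustration; it cannot confirm that the MFA device really lives in the source profile's account, which only AWS can answer.

```python
import configparser
import re

# Constructed sample in ~/.aws/config syntax; names and account IDs are made up.
SAMPLE_CONFIG = """
[default]
region = us-east-1
[profile development]
role_arn = arn:aws:iam::123456789012:role/development
source_profile = default
mfa_serial = arn:aws:iam::210987654321:mfa/example.user
[profile production]
role_arn = arn:aws:iam::123456789012:role/production
source_profile = defualt
[profile staging]
role_arn = arn:aws:iam::123456789012:role/staging
source_profile = default
mfa_serial = arn:aws:iam::21098765432:mfa/example.user
"""
# Virtual MFA devices are named by ARN; hardware tokens use a bare serial number.
MFA_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:mfa/\S+$")


def sections(text):
    """Parse INI text into {profile: options}, dropping the config file's 'profile ' prefix."""
    parser = configparser.RawConfigParser()  # raw: no % interpolation of values
    parser.read_string(text)
    return {re.sub(r"^profile\s+", "", s): dict(parser.items(s)) for s in parser.sections()}


def audit_role_profiles(config_text, credentials_text=""):
    """Return {profile: [problems]} for each profile that assumes a role."""
    profiles = sections(config_text)
    # A source profile may be defined in either ~/.aws/config or ~/.aws/credentials.
    known = set(profiles) | set(sections(credentials_text))
    findings = {}
    for name, opts in profiles.items():
        if "role_arn" not in opts:
            continue
        problems = findings[name] = []
        source, mfa = opts.get("source_profile"), opts.get("mfa_serial")
        if source is None and "credential_source" not in opts:
            problems.append("no source_profile")
        elif source is not None and source not in known:
            problems.append("source_profile %r is not defined" % source)
        if mfa is None:
            problems.append("no mfa_serial, so no MFA prompt")
        elif mfa.startswith("arn:") and not MFA_ARN.match(mfa):
            problems.append("mfa_serial is a malformed MFA ARN")
    return findings
```

Pass it the contents of ~/.aws/config and, optionally, ~/.aws/credentials. A missing mfa_serial only means the client will not prompt; whether MFA is actually required is decided by the role's trust policy.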

Many more configurations are possible. See the AWS CLI guide for more detail. awsudo uses the same code as aws to find and resolve credentials and so works identically.