awsudo + aws-agent

awsudo enables users to execute commands that make API calls to AWS under the security context of an IAM role. The IAM role is assumed only upon successful authentication against a SAML compliant federation service.

aws-agent enables users to authenticate against a SAML compliant federation service once, after which aws-agent provides temporary credentials to awsudo to use.

awsudo {role-name | role-arn} command
 
aws-agent

• UNIX, UNIX-like or GNU/Linux operating system
• SAML compliant federation service
• ruby 2.1 or above
• rubygems: aws-sdk, nokogiri

  sudo gem install awsudo

awsudo and aws-agent expect a configuration file named .awsudo in your home directory containing the values for your identity provider login url and the SAML provider name configured in AWS.

Example for AD FS:

IDP = adfs
IDP_LOGIN_URL = https://sts.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
SAML_PROVIDER_NAME = adfs

Example for Okta:

IDP = okta
IDP_LOGIN_URL = https://example.okta.com/app/example/abc123/sso/saml
SAML_PROVIDER_NAME = okta
API_ENDPOINT = https://example.okta.com/api/v1

In addition to .awsudo, you can create .aws-roles in your home directory to map IAM roles ARNs to more easy to remember alias names, one per line, separated by spaces. Example:

myaccount-admin  arn:aws:iam::123456789012:role/myaccount-admin

$ awsudo arn:aws:iam::123456789012:role/myaccount-admin aws ec2 describe-tags --region us-west-2
 
$ awsudo myaccount-admin aws ec2 describe-instances --region us-east-1

awsudo will ask your federated credentials every time. To avoid this use aws-agent as follows:

$ aws-agent
Login: username
Password:
AWS_AUTH_SOCK=/var/folders/xz/lx178g0d0rb36x95446zwgd80000gp/T/aws-20150623-20990-58v1c4/agent; export AWS_AUTH_SOCK;

then execute the commands printed by aws-agent. awsudo will now ask for temporary credentials to aws-agent.

Gerardo Santana Gomez Garrido

• Matthew Wygant
• Ivan Zenteno
• David Hannon