awsudo enables users to execute commands that make API calls to AWS under the security context of an IAM role. The IAM role is assumed only upon successful authentication against a SAML-compliant federation service.
aws-agent enables users to authenticate against a SAML-compliant federation service once, after which aws-agent hands temporary credentials to awsudo on request, so each awsudo invocation no longer needs to prompt for federated credentials.
awsudo {role-name | role-arn} command
aws-agent
- UNIX, UNIX-like or GNU/Linux operating system
- SAML compliant federation service
- ruby 2.1 or above
- rubygems: aws-sdk, nokogiri
sudo gem install awsudo
awsudo and aws-agent expect a configuration file named .awsudo in your home directory containing the values for your identity provider login URL and the name of the SAML provider configured in AWS IAM.
Example for AD FS:
IDP = adfs
IDP_LOGIN_URL = https://sts.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
SAML_PROVIDER_NAME = adfs
Example for Okta:
IDP = okta
IDP_LOGIN_URL = https://example.okta.com/app/example/abc123/sso/saml
SAML_PROVIDER_NAME = okta
API_ENDPOINT = https://example.okta.com/api/v1
In addition to .awsudo, you can create .aws-roles in your home directory to map IAM role ARNs to easier-to-remember aliases: one mapping per line, with the alias and the ARN separated by whitespace. Example:
myaccount-admin arn:aws:iam::123456789012:role/myaccount-admin
$ awsudo arn:aws:iam::123456789012:role/myaccount-admin aws ec2 describe-tags --region us-west-2
$ awsudo myaccount-admin aws ec2 describe-instances --region us-east-1
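The lookup and role-selection logic behind the two invocations above, written out as an added example (this is illustrative code, not awsudo's own implementation): it parses a .aws-roles-style mapping, accepts either an alias or a bare role ARN, pulls the role/provider pairs out of the SAML response returned by the identity provider, and refuses to proceed unless the IdP actually granted the role that was requested. The SAML response below is a constructed, minimal assertion rather than one captured from a real IdP, and the example uses Ruby's bundled REXML instead of nokogiri so it runs with no extra gems. Function names (parse_aws_roles, resolve_role, saml_role_pairs, select_role, assume_role_params) are this example's own.

```ruby
require 'rexml/document'
require 'base64'

# Constructed sample of a ~/.aws-roles file (not real accounts).
AWS_ROLES = <<-ROLES
  myaccount-admin arn:aws:iam::123456789012:role/myaccount-admin
  myaccount-readonly arn:aws:iam::123456789012:role/myaccount-readonly
ROLES

# AWS reads the roles a federated user may assume from this SAML attribute;
# each value is "role-arn,provider-arn" (AWS accepts either order).
ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role'
SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }

# Constructed, unsigned SAML response carrying two role grants. A real IdP
# response is signed and much larger; only the Role attribute matters here.
SAML_RESPONSE = <<-XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/myaccount-admin,arn:aws:iam::123456789012:saml-provider/adfs</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/adfs,arn:aws:iam::123456789012:role/myaccount-readonly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
XML

# Parse .aws-roles text: one "alias arn" pair per line, whitespace separated.
# Blank lines and lines that do not split into exactly two fields are skipped.
def parse_aws_roles(text)
  text.each_line.each_with_object({}) do |line, map|
    fields = line.split
    next unless fields.size == 2
    map[fields[0]] = fields[1]
  end
end

# Accept either an alias from .aws-roles or a bare role ARN, as on the CLI.
def resolve_role(name, roles)
  return name if name.start_with?('arn:aws:iam::')
  roles.fetch(name) { raise ArgumentError, "unknown role alias: #{name}" }
end

# Extract [role_arn, provider_arn] pairs from the SAML Role attribute,
# normalising the order of the two ARNs by their resource type.
def saml_role_pairs(xml)
  doc = REXML::Document.new(xml)
  path = "//saml:Attribute[@Name='#{ROLE_ATTR}']/saml:AttributeValue"
  REXML::XPath.match(doc, path, SAML_NS).map do |node|
    parts = node.text.to_s.split(',').map(&:strip)
    role = parts.find { |p| p.include?(':role/') }
    provider = parts.find { |p| p.include?(':saml-provider/') }
    raise ArgumentError, "malformed Role value: #{node.text}" unless parts.size == 2 && role && provider
    [role, provider]
  end
end

# Assume exactly the role the user asked for, never "the first one the IdP sent".
def select_role(requested_arn, pairs)
  pair = pairs.find { |role, _| role == requested_arn }
  raise ArgumentError, "identity provider did not grant #{requested_arn}" unless pair
  pair
end

# Build the parameter hash for STS AssumeRoleWithSAML; saml_assertion must be
# the base64-encoded SAML response exactly as the IdP returned it.
def assume_role_params(name, roles_text, saml_xml)
  roles = parse_aws_roles(roles_text)
  role_arn, principal_arn = select_role(resolve_role(name, roles), saml_role_pairs(saml_xml))
  { role_arn: role_arn, principal_arn: principal_arn, saml_assertion: Base64.strict_encode64(saml_xml) }
end

if __FILE__ == $0
  params = assume_role_params(ARGV.fetch(0, 'myaccount-admin'), AWS_ROLES, SAML_RESPONSE)
  puts "role_arn:      #{params[:role_arn]}"
  puts "principal_arn: #{params[:principal_arn]}"
end
```

The hash returned by assume_role_params has the same keys as the aws-sdk call Aws::STS::Client#assume_role_with_saml(role_arn:, principal_arn:, saml_assertion:), which is what a tool like awsudo passes on to STS to obtain the temporary credentials; the call itself is left out here because it needs network access and valid IdP-signed input. Note that the SAML provider name from .awsudo (adfs in the AD FS example above) appears as the saml-provider ARN in the assertion, which is why the two configuration values must agree.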
awsudo will ask for your federated credentials every time it runs. To avoid this, use aws-agent as follows:
$ aws-agent
Login: username
Password:
AWS_AUTH_SOCK=/var/folders/xz/lx178g0d0rb36x95446zwgd80000gp/T/aws-20150623-20990-58v1c4/agent; export AWS_AUTH_SOCK;
then execute the commands printed by aws-agent in your shell so that AWS_AUTH_SOCK is exported. awsudo will now request temporary credentials from aws-agent over that socket instead of prompting you.