
assume without setting env vars

Open JohnPolansky opened this issue 1 year ago • 6 comments

First off, love the tool, you've done some amazing stuff. However I did have a question. In my situation we have lots of AWS Accounts, and the way I normally work is I do an aws sso login to get credentials set up, which basically signs me in to all of the various accounts. But I don't set any AWS ENV VARs. This way I'm free to set everything on the CLI and easily switch between accounts for different commands.

Example:

AWS_PROFILE=abc-dev aws sts get-caller-identity
aws sts get-caller-identity --profile abc-dev

assume <account_name> basically sets all the AWS ENV VARs, which for me is counterproductive as I end up having to "remove" all the ENV VARs each time. Unless I'm troubleshooting something I don't normally want the AWS ENV hardcoded.

Is it possible I'm missing a feature? Is there an assume --noenv option so it performs the SSO LOGIN but then doesn't touch your session? Right now my best option is to open a new terminal, do the assume there and then exit out of the terminal to my old one. It would be great to avoid those steps.

Thanks, again amazing work!

JohnPolansky avatar Aug 31 '23 21:08 JohnPolansky

I think you could mimic this with an alias workaround to incorporate assume --unset and restoring AWS_PROFILE only if desired, e.g.:

alias assume-profile-only='assume;profile=${AWS_PROFILE};assume --unset;export AWS_PROFILE=$profile'

Then:

env | grep AWS | wc -l
       0

assume-profile-only
...

env | grep AWS
AWS_PROFILE=123456789012/my-role

aws sts get-caller-identity
...

You could omit the backup/restore of AWS_PROFILE to get zero env if desired, which it sounds like you want ... and could probably get creative with the alias name too.

javabrett avatar Sep 03 '23 03:09 javabrett

It's certainly a good option if the application doesn't support it. I've set that up, but I think it would be great to have it built in unless I'm the only one doing something like this :) Thx for the suggestion

JohnPolansky avatar Sep 03 '23 14:09 JohnPolansky

@JohnPolansky Welcome to our community! Excited to hear that you like granted. You can use the credential process to use the native AWS CLI (with --profile flag). So you'd be able to run a command like this directly: aws sts get-caller-identity --profile my-profile. Hope this helps!

shwethaumashanker avatar Sep 07 '23 18:09 shwethaumashanker

Hrm... I do appreciate the input here, but I still think the original ask is valid. Adding --profile onto an AWS command does work, as you say, but we are still setting all the AWS ENV VARs when they are not always required; honestly in my case they are "never" required. The problem with setting these variables is that all programs can use them differently and set precedence differently. For example, if the tool being used treats the AWS_ACCESS_KEY_ID ENV VAR as the higher priority, then it will ignore other attempts to reset them via AWS_PROFILE or --profile. This could leave someone in a situation where they don't know for sure what is being set.

That is why I was suggesting that a feature to "perform an SSO login" and not set ENV VARs would be useful; that way it lets the user assign things the way they want without the need to unset 7 different ENV vars after login.

JohnPolansky avatar Sep 08 '23 13:09 JohnPolansky
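The mixed state described in the comment above (static AWS_ACCESS_KEY_ID credentials exported alongside AWS_PROFILE, with each tool resolving precedence its own way) can at least be made visible before a command runs. The functions below are an added example written for this thread; they are not part of the discussion and not Granted's own code. They classify the exported AWS_* variables, refuse to run a command while the state is ambiguous, and reduce the environment to the profile-only state that the alias workaround earlier in the thread is after. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not Granted's own code): audit and trim the AWS_* environment.

# Classify the exported AWS-related environment:
#   none    - nothing set; the CLI falls back to its config files
#   profile - only AWS_PROFILE selects credentials (the state wanted here)
#   static  - AWS_ACCESS_KEY_ID & co. are set, no profile selector
#   mixed   - both are set; which one wins depends on the tool's own chain
aws_env_state() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_PROFILE:-}" ]; then
        echo mixed
    elif [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo static
    elif [ -n "${AWS_PROFILE:-}" ]; then
        echo profile
    else
        echo none
    fi
}

# List the names of all exported AWS_* variables, one per line.
# Only exported variables are listed, because only those reach the aws CLI
# or any other child process.
aws_env_names() {
    env | sed -n 's/^\(AWS_[A-Za-z0-9_]*\)=.*/\1/p' | sort
}

# Unset every exported AWS_* variable except AWS_PROFILE, so that
# AWS_PROFILE / --profile is the only thing steering credential resolution.
aws_env_keep_profile_only() {
    for _name in $(aws_env_names); do
        [ "$_name" = AWS_PROFILE ] || unset "$_name"
    done
}

# Refuse to run a command while the environment is ambiguous; otherwise run
# it as given.  Usage: aws_env_guard aws sts get-caller-identity --profile abc-dev
aws_env_guard() {
    if [ "$(aws_env_state)" = mixed ]; then
        echo "aws_env_guard: AWS_ACCESS_KEY_ID and AWS_PROFILE are both set;" \
             "run aws_env_keep_profile_only first" >&2
        return 2
    fi
    "$@"
}
```

Source the file into the interactive shell (the functions have to run in the current shell to be able to unset anything) and put aws_env_guard in front of commands whose credential chain you do not trust to honour --profile.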

@JohnPolansky I think granted sso login is the command you're looking for!

First, set up your AWS profile to use the credential process:

- [profile my-profile]
- sso_account_id = <your-sso-account-id>
- sso_region = <your-sso-region>
- sso_role_name = <your-role-name>
- sso_start_url = <https://example.awsapps.com/start>

+ [profile my-profile]
+ granted_sso_account_id = <your-sso-account-id>
+ granted_sso_region = <your-sso-region>
+ granted_sso_role_name = <your-role-name>
+ granted_sso_start_url = <https://example.awsapps.com/start>
+ credential_process = granted credential-process --profile my-profile

Then, run granted sso login to log in. Currently you have to use it like this, where --sso-start-url and --sso-region are required flags:

granted sso login --sso-start-url https://example.awsapps.com/start --sso-region my-sso-aws-region

(perhaps we could make this a little more user-friendly by inferring the flags from your config file?)

Then, to assume a role in your terminal, rather than running assume, just export the AWS_PROFILE env var:

export AWS_PROFILE=abc-dev

Or you can override the profile on a per-command basis:

AWS_PROFILE=abc-dev aws sts get-caller-identity
aws sts get-caller-identity --profile abc-dev

You can still use assume -c to open a console into your web browser.

Typing export AWS_PROFILE=abc-dev is a little long and annoying though. Once https://github.com/common-fate/granted/issues/263 is resolved you'll be able to run assume abc-dev and the tool will only export AWS_PROFILE, not everything else. @Eddie023 has a draft PR up for that issue so hopefully it will ship in the next release!

chrnorm avatar Sep 08 '23 18:09 chrnorm

@chrnorm Thanks for the

granted sso login --sso-start-url https://example.awsapps.com/start --sso-region my-sso-aws-region

suggestion. This is pretty close to what I need, but like you said, having to include the sso-start-url is a bit inconvenient when you've already got it set in the ~/.aws/config. I'd say having it assume your preset values would be a great add-on.

Thanks!

JohnPolansky avatar Sep 08 '23 21:09 JohnPolansky
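The flag inference floated in chrnorm's comment and asked for in the reply above can be scripted around today. What follows is an added example written for this thread, not Granted's own code and not an indication of how the project will implement it: it reads the granted_sso_start_url and granted_sso_region keys for a profile out of the AWS config file (falling back to the plain sso_start_url / sso_region keys) and prints the granted sso login command shown earlier in the thread. The function names and the sample config are the example's own; the account id and URLs in it are placeholders.

```shell
#!/bin/sh
# Added example (not Granted's own code): build the `granted sso login`
# command for a profile from the keys already in ~/.aws/config.

# aws_config_get FILE PROFILE KEY
# Print the value of KEY from the [profile PROFILE] section of FILE.
# Prints nothing if the section or the key is absent.
aws_config_get() {
    awk -v want="profile $2" -v key="$3" '
        # Section header: remember whether it is the one we want.
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            insec = (sec == want)
            next
        }
        # key = value lines inside the wanted section (skip blanks/comments).
        insec && $0 !~ /^[ \t]*([#;]|$)/ {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# granted_sso_login_cmd FILE PROFILE
# Print the `granted sso login` invocation for PROFILE, preferring the
# granted_sso_* keys used with credential_process and falling back to the
# standard sso_* keys.  Fails (exit 1) if either value is missing.
granted_sso_login_cmd() {
    _url=$(aws_config_get "$1" "$2" granted_sso_start_url)
    [ -n "$_url" ] || _url=$(aws_config_get "$1" "$2" sso_start_url)
    _region=$(aws_config_get "$1" "$2" granted_sso_region)
    [ -n "$_region" ] || _region=$(aws_config_get "$1" "$2" sso_region)
    if [ -z "$_url" ] || [ -z "$_region" ]; then
        echo "profile '$2': no SSO start URL/region found in $1" >&2
        return 1
    fi
    printf 'granted sso login --sso-start-url %s --sso-region %s\n' "$_url" "$_region"
}

# Constructed sample config for the demo (placeholder account id and URLs,
# not real ones).
SAMPLE_AWS_CONFIG='[default]
region = us-east-1

[profile abc-dev]
granted_sso_account_id = 123456789012
granted_sso_region = us-west-2
granted_sso_role_name = Developer
granted_sso_start_url = https://example.awsapps.com/start
credential_process = granted credential-process --profile abc-dev

[profile legacy]
# a profile still using the plain AWS SSO keys
sso_start_url = https://legacy.awsapps.com/start
sso_region = eu-west-1'

# demo_login_cmd PROFILE
# Run granted_sso_login_cmd against the sample config written to a temp file.
demo_login_cmd() {
    _f=$(mktemp)
    printf '%s\n' "$SAMPLE_AWS_CONFIG" > "$_f"
    granted_sso_login_cmd "$_f" "$1"
    _rc=$?
    rm -f "$_f"
    return $_rc
}
```

Against a real setup, granted_sso_login_cmd "${AWS_CONFIG_FILE:-$HOME/.aws/config}" abc-dev prints the command; print it first and only then wrap it in eval, so the start URL you are about to authenticate against is visible rather than silently taken from whatever profile name you typed.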