Skip to main content

generates credentials to impersonate IAM Roles

Project description

NAME

iam-sudo - get credentials of a real or simulated IAM role

Usage

Usage: iam-sudo assume [OPTIONS] [CMD]...

Options:
--role-name NAME   to assume  [required]
--profile PROFILE  to save the credentials under

Usage: iam-sudo simulate [OPTIONS] [CMD]...

Options:
  --role-name NAME       to simulate  [required]
  --principal PRINCIPAL  of the simulated role
  --base-role NAME       to assume to simulate the role
  --remote / --local     invoke lambda, default --remote
  --profile PROFILE      to save the credentials under

DESCRIPTION

iam-sudo supports the assume and the simulate commands.

assume command

this command will assume the specified role and return the credentials.

If a profile is specified, the credentials will be stored in ~/.aws/credentials.

If a command is specified, it will be executed with the obtained credentials. This is done by setting the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

simulate command

iam-sudo simulate will read the attached policies and inline policies of the specified role-name. These policies will be used to create the session policy. The base-role is the role that will be assumed combined with the session policy, to mimic the specified role.

role-name is a substring of the role to assume. This is to make it easier to assume a role that was created by AWS CloudFormation. For instance, both TaskRoles and my-stack-TaskRole may resolve to the role my-stack-TaskRole-9AO01PCC7I0T.

If multiple matching roles are found, an error is returned. You may also specify the principal to reduce the number of matching roles: for instance --principal Service:ecs-tasks.amazonaws.com.

If a profile is specified, the credentials will be stored in ~/.aws/credentials.

If a command is specified, it will be executed with the obtained credentials. This is done by setting the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

The remote flag wil invoke the iam-sudo Lambda function to generate credentials. This remote option, is required to really give users sudo-like permissions which exceeds their own. Without the remote flag, the user will not be able to get more permissions, than granted to him/her.

Sudo simulated Policy

To limit the roles which can be simulated, a policy can be specified. The following snippet shows the default sudo policy:

allowed-role-names:
  - "*"
allowed-principals:
  - "*" : "*"
allowed-base-roles:
  - "arn:aws:iam::*:role/*"

The following table shows a short description of the fields.

field description
allowed-role-names a list of glob patterns specifying allowed role names
allowed-principals a list of glob patterns specifying principal type and identity
allowed-base-role a list of glob patterns specifying allowed base roles

The default client policy is to allow all role names, all principals and all base roles to be specified.

The following policy, restricts requests to any AWS ECS task role and the base role to the IAmSudoUser.

allowed-role-names:
  - "*"
allowed-principals:
  - "Service" : "ecs-tasks.amazonaws.com"
allowed-base-roles:
  - "arn:aws:iam::123456789012:role/IAMSudoUser"

installation

The installation comes in two parts: the client and the server.

To install the client, type:

pip install iam-sudo

To install the server, type:

aws cloudformation create-stack \
     --stack-name iam-sudo \
    --template-url  https://binxio-public-eu-central-1.s3.amazonaws.com/lambdas/iam-sudo-0.2.0.yaml \
    --capabilities CAPABILITY_NAMED_IAM
aws cloudformation wait stack-create-complete --stack-name iam-sudo

Alternatively, you can create the stack via the AWS console.

To allow users to use the remote function, they should be granted permission to invoke the created Lambda function iam-sudo.

ENVIRONMENT VARIABLES

The iam-sudo simulate allows following environment variables to be set:

name description
IAM_SUDO_BASE_ROLE The role to assume over which the session policies are added, default IAMSudoUser
IAM_SUDO_POLICY The policy which governs which roles can be assumed, default any

The lambda function requires you to set both.

Read the blog How to assume an ECS task role in AWS, the official and the fake way.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

iam-sudo-0.2.0.tar.gz (11.4 kB view details)

Uploaded Source

File details

Details for the file iam-sudo-0.2.0.tar.gz.

File metadata

  • Download URL: iam-sudo-0.2.0.tar.gz
  • Upload date:
  • Size: 11.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/50.3.2 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.7.9

File hashes

Hashes for iam-sudo-0.2.0.tar.gz
Algorithm Hash digest
SHA256 103391bce862c288b4227260fa27fbc6efc87a67246c8bd3d2a4e84f864b099e
MD5 0933f7527c1d2c7afef30fe318483de3
BLAKE2b-256 421a49e00c2ade1a4d3ef4f78de5be1bb43d9948b4f47075a84fdc248adc3794

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page