Awsume

We use AWS at work… I mean, who doesn’t these days? I have learned to like it, despite the myriad of flaws and frustration it comes with.

The context

The way we’re set up is simple: an account for each project/environment, with a central account used as a bastion. As such, you could end up with this type of architecture:

AWS Bastion account
 |-- Management account
 |-- Security account
 |-- Production account
 |-- Development account
 |-- Infrastructure account 
 |-- Public account
 |-- etc...

All users have access to the bastion and, from there, they assume the relevant role that grants them the right access in the required account.

aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name example-cli-session

Neat, right?

The problem

WRONG! I mean, yes, in theory, wonderful; segregation of accounts, access, resources… A sysadmin’s dream! Until you realise the limitations: role chaining only allows sessions of at most 1 hour:

Note: Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour and can’t be increased.

The other inconvenience is having to enter your MFA code every 60 minutes. Surely your devs have already complained about this!

Nightmare!

The solution

In comes AWSume: a convenient way to manage session tokens and assume-role credentials.

Quick examples from their own site:

Examples

The concept is simple:

awsume <profile_name>

First login of the day:

$: awsume prod
Enter MFA token: ******
Session token will expire at 2022-11-05 01:37:55
[prod] Role credentials will expire 2022-11-04 14:37:55

If you need to switch roles:

$: awsume dev
Session token will expire at 2022-11-05 01:37:55
[dev] Role credentials will expire 2022-11-04 14:39:18

😯 Notice how the MFA was not asked this time?
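Why the MFA prompt appears only once: the output above shows a 12-hour session token on the bastion and 1-hour role credentials minted from it, so the MFA-backed session is cached and only assume-role runs again when you switch profiles. The model below is an added example, not awsume's own code; the two-step flow is inferred from that output rather than read from awsume's source, and the fake STS client, profile names, role ARNs and MFA serial are all constructed.

```python
from datetime import timedelta

SESSION_TTL = timedelta(hours=12)  # MFA-backed session token on the bastion
ROLE_TTL = timedelta(hours=1)      # role credentials minted from that session

# Constructed profiles: each names a role in a member account behind the bastion.
PROFILES = {
    "prod": "arn:aws:iam::111111111111:role/prod-admin",
    "dev": "arn:aws:iam::222222222222:role/dev-admin",
}


class FakeSTS:
    """Offline stand-in for boto3's STS client (real calls take DurationSeconds)."""

    def __init__(self, now):
        self.now = now          # the caller moves this forward to simulate time
        self.mfa_prompts = 0    # how often get-session-token needed an MFA code

    def get_session_token(self, serial_number, token_code, duration):
        self.mfa_prompts += 1
        return {"key": "ASIA-SESSION", "expires": self.now + duration}

    def assume_role(self, caller_key, role_arn, duration):
        # Called with session-token credentials, not with another role's
        # credentials, so this is not role chaining.
        assert caller_key == "ASIA-SESSION", "assume-role must use the session token"
        name = role_arn.rsplit("/", 1)[1]
        return {"key": "ASIA-" + name, "expires": self.now + duration}


class Assumer:
    """Caches the MFA session and only re-prompts once it has expired."""

    def __init__(self, sts, mfa_serial, prompt):
        self.sts, self.mfa_serial, self.prompt = sts, mfa_serial, prompt
        self.session = None

    def _session(self):
        if self.session is None or self.session["expires"] <= self.sts.now:
            code = self.prompt("Enter MFA token: ")
            self.session = self.sts.get_session_token(self.mfa_serial, code, SESSION_TTL)
        return self.session

    def assume(self, profile):
        """Return (session expiry, role credential expiry) for a profile."""
        session = self._session()
        role = self.sts.assume_role(session["key"], PROFILES[profile], ROLE_TTL)
        return session["expires"], role["expires"]
```

Switching from `prod` to `dev` within the session window reuses the cached session token, so only the role credentials are re-minted and no second MFA prompt occurs.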

Installation

For detailed instructions, see the project's own documentation. Quick install:

pip install awsume