Feature request: Introducing “sudo” functionality into Granted #612

Open
shwethaumashanker opened this issue Feb 23, 2024 · 1 comment

Comments

@shwethaumashanker
Contributor

From Slack

Context:
From Iain Elder

Hi, all. I've been a lurker for a while but I just thought of a use case that would give me a compelling reason to switch to using granted from my current janky custom setup.
Does granted have some sort of "sudo" capability for AWS profiles?
By default I set my CLI to the "read-only" profile for the account I work in.
Maybe 1 command in 100 actually needs to modify something in the account.
Guess which command fails with "access denied" before I realize I have to use the "admin" profile!
To switch to the admin profile I need to set its whole explicit name in the command or in the script, which is more typing and perhaps makes the commands less reusable across accounts.
Obviously typing sudo aws doesn't work, but maybe granted would define a command such as sudoaws or similar that would call the aws command with the correct elevated privilege for the context.

From @chrnorm

I love this idea. At the moment we don’t do this, but would love ideas from everyone as to how this could work. The use case here is introducing “sudo” functionality into Granted, to elevate into an admin profile for a particular AWS command:
granted sudo aws s3 rm <object>
As you’ve mentioned, Granted would need to know about the default and elevated role for an account. Perhaps we could do this with an attribute on the profile:

> [profile account-a/default] # profile naming convention doesn't matter
> ... regular profile config here
> granted_default_profile_for = account-a
> [profile account-a/sudo] # profile naming convention doesn't matter
> ... regular profile config here
> granted_sudo_profile_for = account-a

When you run assume, you’d just see account-a appear, and if you run assume account-a, you get the default profile for that account (account-a/default). The default role should be something like ViewOnlyAccess, which would mean a command like aws s3 rm for example wouldn’t work.
If you want to use the elevated role for an aws command, you could run granted sudo aws s3 rm , and Granted would swap your profile to the elevated one just for that command.
Reposting in the channel here for visibility, would anyone else be interested in this sort of functionality being built-in to Granted? Personally I’d use it myself for when I am working against prod accounts!
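
An added sketch of the profile lookup this proposal implies (not Granted's code and not written by anyone in the thread): it resolves the elevated profile from the proposed `granted_default_profile_for` / `granted_sudo_profile_for` attributes and applies it to a single child process only. The function names and sample config are constructed for illustration, and it assumes the wrapped command selects credentials from `AWS_PROFILE`.

```python
import configparser
import os
import subprocess

# Constructed sample config; the two granted_* attribute names are the ones
# proposed in this thread and are not an existing Granted feature.
SAMPLE_CONFIG = """
[profile account-a/default]
region = us-east-1
granted_default_profile_for = account-a

[profile account-a/sudo]
region = us-east-1
granted_sudo_profile_for = account-a

[profile account-b/default]
granted_default_profile_for = account-b
"""

def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s.removeprefix("profile ").strip(): dict(parser[s]) for s in parser.sections()}

def sudo_profile_for(profiles, current_profile):
    """Return the elevated profile for the account the current profile maps to."""
    current = profiles.get(current_profile)
    if current is None:
        raise LookupError(f"unknown profile: {current_profile!r}")
    account = current.get("granted_default_profile_for") or current.get("granted_sudo_profile_for")
    if not account:
        raise LookupError(f"{current_profile} is not mapped to an account")
    matches = [n for n, p in profiles.items() if p.get("granted_sudo_profile_for") == account]
    if len(matches) != 1:
        # Fail closed: a missing or ambiguous mapping must never pick a role by guessing.
        raise LookupError(f"expected one sudo profile for {account}, found {len(matches)}")
    return matches[0]

def elevated_env(profiles, env):
    """Copy of env with AWS_PROFILE swapped to the elevated profile; env itself is untouched."""
    child = dict(env)
    child["AWS_PROFILE"] = sudo_profile_for(profiles, env.get("AWS_PROFILE", ""))
    return child

def run_elevated(argv, profiles, env=None):
    """Run one command under the elevated profile; the caller's shell stays read-only."""
    return subprocess.run(argv, env=elevated_env(profiles, env or os.environ), check=False).returncode
```

Because the elevation lives only in the child's environment, the read-only default is back in effect as soon as the command exits, and an account with no sudo mapping (account-b in the sample) raises an error instead of silently running with some other role.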

@iainelder

Thank you @shwethaumashanker for tracking the feature idea.

Once I have refamiliarized myself with Granted's current features, I'll be able to provide more specific feedback on how I would expect a "sudo" feature to work.
