From Slack

Context:

From Iain Elder:

Hi, all. I've been a lurker for a while, but I just thought of a use case that would give me a compelling reason to switch to using granted from my current janky custom setup.
Does granted have some sort of "sudo" capability for AWS profiles?
By default I set my CLI to the "read-only" profile for the account I work in.
Maybe 1 command in 100 actually needs to modify something in the account.
Guess which command fails with "access denied" before I realize I have to use the "admin" profile!
To switch to the admin profile I need to set its whole explicit name in the command or in the script, which is more typing and perhaps makes the commands less reusable across accounts.
Obviously typing sudo aws doesn't work, but maybe granted would define a command such as sudoaws or similar that would call the aws command with the correct elevated privilege for the context.

From @chrnorm:

I love this idea. At the moment we don't do this, but would love ideas from everyone as to how this could work. The use case here is introducing "sudo" functionality into Granted, to elevate into an admin profile for a particular AWS command: granted sudo aws s3 rm <object>
As you've mentioned, Granted would need to know about the default and elevated role for an account. Perhaps we could do this with an attribute on the profile:
When you run assume, you'd just see account-a appear, and if you run assume account-a, you get the default profile for that account (account-a/default). The default role should be something like ViewOnlyAccess, which would mean a command like aws s3 rm, for example, wouldn't work.
If you want to use the elevated role for an aws command, you could run granted sudo aws s3 rm, and Granted would swap your profile to the elevated one just for that command.
Reposting in the channel here for visibility: would anyone else be interested in this sort of functionality being built in to Granted? Personally I'd use it myself for when I am working against prod accounts!

Once I have refamiliarized myself with Granted's current features, I'll be able to provide more specific feedback on how I would expect a "sudo" feature to work.
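As an added illustration of the per-command elevation sketched in @chrnorm's reply (not Granted's own code, and not a real Granted or AWS CLI feature): a shell wrapper that reads a hypothetical `granted_elevated_profile` attribute from the default profile's section of the AWS config and swaps `AWS_PROFILE` for a single command, so the shell itself keeps the read-only role. The attribute name and the sample config are assumptions made here, since the thread's config snippet did not survive.

```shell
#!/usr/bin/env bash
# Hypothetical "sudo" wrapper for per-command elevation, modelled on the design
# sketched in the thread. The `granted_elevated_profile` attribute is our own
# invention for this example, not a real Granted or AWS CLI option.
set -eu

# Constructed sample config, written to a temp file so this runs offline.
AWS_CONFIG_FILE="$(mktemp)"
export AWS_CONFIG_FILE
trap 'rm -f "$AWS_CONFIG_FILE"' EXIT
cat > "$AWS_CONFIG_FILE" <<'EOF'
[profile account-a/default]
role_arn = arn:aws:iam::111111111111:role/ViewOnlyAccess
source_profile = sso-base
granted_elevated_profile = account-a/admin

[profile account-a/admin]
role_arn = arn:aws:iam::111111111111:role/AdministratorAccess
source_profile = sso-base
EOF

# elevated_profile_for DEFAULT_PROFILE -> prints the elevated profile name,
# or exits 1 when that profile has no elevation configured (fail closed).
elevated_profile_for() {
  awk -v want="profile $1" '
    /^\[/ { section = substr($0, 2, length($0) - 2) }
    section == want && $1 == "granted_elevated_profile" { print $3; found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$AWS_CONFIG_FILE"
}

# sudoaws CMD... -> runs CMD with AWS_PROFILE swapped to the elevated profile
# for this one invocation only; the calling shell keeps the read-only profile.
sudoaws() {
  local elevated
  elevated="$(elevated_profile_for "${AWS_PROFILE:?AWS_PROFILE is not set}")" \
    || { echo "sudoaws: no elevated profile configured for $AWS_PROFILE" >&2; return 1; }
  echo "sudoaws: elevating $AWS_PROFILE -> $elevated for: $*" >&2   # audit trail
  AWS_PROFILE="$elevated" "$@"
}

# Demo: the wrapped command sees the admin profile, the shell keeps the default.
export AWS_PROFILE="account-a/default"
sudoaws sh -c 'echo "command ran with AWS_PROFILE=$AWS_PROFILE"'
echo "shell still uses AWS_PROFILE=$AWS_PROFILE"
```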