Awsume is a great tool that allows you to seamlessly switch between multiple AWS CLI profiles. You may utilize multiple CLI profiles to enforce the principle of least privilege. The true strength of Awsume is its ability to streamline MFA. But before we get to advanced scenarios, let’s focus on getting up and running. I had a few issues getting Awsume running on Ubuntu, and I wanted to spare you the same pains that I had.
Ensure AWS CLI is Installed
Before utilizing Awsume, you’ll need to have the AWS CLI installed. You can find information on the CLI here. The Linux install guide is located here. Installation of the AWS CLI is straightforward and nonproblematic, so I won’t be covering it here. Just note that if you are on a clean Ubuntu install, you’ll need to have the curl package installed first. You can install curl by running the following command.
$ sudo apt install curl
Ensure Multiple Users in AWS Management Console
For this demonstration, I have created multiple users in IAM via the AWS Management Console. I have effectively called them user-1 and user-2 (creative, right?). For simplicity’s sake, the PowerUserAccess policy has been attached to both users and both have been granted programmatic access.
I have access to both users’ access key IDs and secret access keys. We’ll use these to configure the AWS CLI in the next step.
Configure Multiple Users in AWS CLI
Using the access key IDs and secret access keys, I can configure multiple profiles in the CLI using the aws configure command. For user-1:
$ aws configure --profile user-1
AWS Access Key ID [None]: <omitted>
AWS Secret Access Key [None]: <omitted>
Default region name [None]: us-east-2
Default output format [None]: json
And user-2 is nearly identical:
$ aws configure --profile user-2
AWS Access Key ID [None]: <omitted>
AWS Secret Access Key [None]: <omitted>
Default region name [None]: us-east-2
Default output format [None]: json
The AWS CLI stores configuration information in two separate files under the .aws directory of the user’s home. The config file stores the preferences:
$ cat $HOME/.aws/config
[profile user-1]
region = us-east-2
output = json
[profile user-2]
region = us-east-2
output = json
The credentials file stores the access key IDs and secret access keys.
$ cat $HOME/.aws/credentials
[user-1]
aws_access_key_id = <omitted>
aws_secret_access_key = <omitted>
[user-2]
aws_access_key_id = <omitted>
aws_secret_access_key = <omitted>
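The credentials file keeps long-lived secret keys in plaintext, so its file mode and the profiles it contains are worth checking. The shell functions below are an added example, not part of the original post; the function names are hypothetical and the sample file contents are constructed placeholders.

```shell
# Added example: audit a credentials file like the one shown above.
# Function names are hypothetical; nothing here comes from Awsume or the AWS CLI.

# Succeed only when group and other have no permission bits on the file.
creds_mode_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print each [profile] section that defines aws_secret_access_key.
profiles_with_static_keys() {
    awk '
        /^[ \t]*\[.*\][ \t]*$/ {
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); section = $0; next
        }
        /^[ \t]*aws_secret_access_key[ \t]*=/ && section != "" {
            if (!(section in seen)) { print section; seen[section] = 1 }
        }
    ' "$1"
}

# Report findings; return 0 if the mode is private, 1 if not, 2 if missing.
audit_aws_credentials() {
    creds_file=${1:-$HOME/.aws/credentials}
    [ -f "$creds_file" ] || { echo "no credentials file at $creds_file"; return 2; }
    profiles_with_static_keys "$creds_file" | while IFS= read -r p; do
        echo "INFO: profile '$p' holds a long-lived secret key in plaintext"
    done
    if creds_mode_is_private "$creds_file"; then
        return 0
    fi
    echo "WARN: $creds_file is accessible to group/other; fix: chmod 600 $creds_file"
    return 1
}

# Constructed sample input (placeholder values, not real keys).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[user-1]
aws_access_key_id = EXAMPLEKEYID1
aws_secret_access_key = example-secret-1
[user-2]
aws_access_key_id = EXAMPLEKEYID2
aws_secret_access_key = example-secret-2
[no-keys]
EOF
chmod 644 "$sample"; audit_aws_credentials "$sample" || true   # mode warning
chmod 600 "$sample"; audit_aws_credentials "$sample"           # private mode
```

Called with no argument, audit_aws_credentials checks $HOME/.aws/credentials.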
Preparing the Environment for Awsume
You’ll need both Python 3 and PIP installed in order to utilize Awsume. Python 3 comes standard on new versions of Ubuntu, but PIP doesn’t. You can verify that both the python3 and python3-pip packages are installed with the following command:
$ python3 -m pip --version
If this command fails, see the Python and PIP documentation for information on installing each of them.
You’ll also need to ensure that git is installed. Git will be required in order to install pyenv. You can verify git is installed with the following command:
$ git --version
Next, we need to install pyenv. Execute the following command to download and execute the installer:
$ curl https://pyenv.run | bash
Now, you can utilize PIP to install the Awsume package.
$ python3 -m pip install awsume
The single most problematic part of awsume is aliasing. If your aliases aren’t set correctly, you will unabashedly bang your head against your desk for hours on end wondering why the CLI isn’t working correctly. Yes, this happened to me.
Add these lines to your .bashrc. This will set up your alias and add pyenv and Awsume to your PATH variable.
alias awsume='. $(pyenv which awsume)'
export PATH="$HOME/.local/bin:$HOME/.pyenv/bin:$PATH"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
Then run this command or restart your terminal for the changes to take effect.
$ exec $SHELL
Using Awsume to Switch Between User Profiles
Now that Awsume is installed and configured, you can use it to easily switch between your user profiles. To switch to user-1, simply type the following:
$ awsume user-1
Now, when running an AWS CLI command, it will execute under the context of that user:
Likewise, we can switch to user-2 using the following command:
$ awsume user-2
Which reveals in the CLI that we are indeed using the new user:
Awsume can be a fantastic tool for helping you in your AWS DevOps role. It allows you to easily switch between multiple users and roles. But it is equally scary, as well. In the next post, we’ll discuss a few options to help make CLI access more secure by enforcing MFA with Awsume.