Based on the work of varunkashyap and the great awsume, I built this switching tool and decided not to implement AWS SSO myself, but to let other tools deal with that.
The idea is a simple context switching tool of my own, which switches the AWS profile and then does other things.
You can absolutely use other tools and update switchawswrapper.sh to do other things.
For ease of installation I chose Go, because it produces a single binary and does not depend on a particular Python installation like awsume does.
With the combination of
- switch
- a wrapper bash script
- timewarrior & taskwarrior
- leapp
- iterm2
you get, together with the AWS profile switch, automation that:
- Start a time tracker for this project
- Switch to the project directory
- Set a badge in terminal
- populate AWS environment variables
- Open a project url
Populated AWS environment variables
env |grep AWS
AWS_DEFAULT_REGION=eu-central-1
AWS_ACCESS_KEY_ID=ASIA******B
AWS_SECRET_ACCESS_KEY=n******s
AWS_SESSION_TOKEN=IQoJ********AmCDxKA=
AWS_DEFAULT_PROFILE=letsbuild
AWS_REGION=eu-central-1
The switch is done in two steps:
- Start a session in Leapp
- call switch profilename
With Leapp you can use AWS SSO, IAM credentials or cross account roles.
Leapp does not store the credentials unsafely as plain text on your filesystem, but in an encrypted vault.
cp -pr dist/switchaws /usr/local/bin/switchaws
This is the command if you build switch yourself; alternatively use the precompiled binaries from the release.
cp switchawswrapper.sh /usr/local/bin
Or copy it to another directory that is in your $PATH.
alias switch='source /usr/local/bin/switchawswrapper.sh'
This extra step is necessary because the environment variables have to be set in the calling shell itself: a child process cannot change its parent's environment, so the wrapper must be sourced rather than executed.
In this example I have an AWS SSO integration called "ggadmin". Within this SSO login there is a role "AWSPowerUserAccess". That session is called "letsbuild" and uses the profile "default".
The other example uses an AWS IAM user authenticated directly with an access key and secret key. This goes to the named profile "letsbuild".
Before starting a session with leapp, your credentials file is empty:
l ~/.aws/credentials
-rw-r--r-- 1 pparker staff 0 3 Mär 16:45 /Users/pparker/.aws/credentials
No credentials saved in clear text!
l ~/.aws/credentials
-rw-r--r-- 1 pparker staff 835 3 Mär 16:48 /Users/pparker/.aws/credentials
Now only the started session is created in the credentials file.
If you use the "default" session, all CLI and SDK commands use the "letsbuild" credentials. With the named profile "letsbuild", you have to populate the AWS environment variables.
You may name the profiles whatever you want, "letsbuild" is just for this example.
Before:
After:
env |grep AWS
AWS_DEFAULT_REGION=eu-central-1
AWS_ACCESS_KEY_ID=ASIA******B
AWS_SECRET_ACCESS_KEY=n******s
AWS_SESSION_TOKEN=IQoJ********AmCDxKA=
AWSUME_PROFILE=letsbuild
AWS_DEFAULT_PROFILE=letsbuild
AWS_REGION=eu-central-1
With timewarrior and taskwarrior I have a complete CLI based time tracking system.
If letsbuild is added as a todo:
ID Active Age Project Tag Due Description Urg
27 58s letsbuild 0
and the ID is configured in ~/.aws/config:
[profile letsbuild]
...
taskwarrior=27
Taskwarrior Project
timew su
Wk Date Day Tags Start End Time Total
W9 2022-03-03 Thu letsbuild 16:55:46 - 0:01:45 7:10:48
Example:
[profile letsbuild]
region=eu-central-1
workdir=/Users/peterp/letsbuild/lambdaproject
itermbadge=letsbuild
taskwarrior=27
url=/Users/peterp/letsbuild/lambdaproject/draw/fancydiagramm.drawio
The following entries in ~/.aws/config are parsed:
- workdir: if the current directory is outside workdir, the path is changed to workdir. If you are already inside workdir, the path is not switched.
- itermbadge: if you use iTerm2, the screen badge is set to this string.
- taskwarrior: if you use taskwarrior, the task with this ID is started, so you can track the working time per project.
- url: if url is set, the URL is opened. If your OS supports it, not only websites but also other apps are opened this way.
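As an added illustration of how such a profile section can be read (example code, not the project's own implementation), the following Go snippet parses the switch-specific keys of a "[profile <name>]" section and applies the workdir rule above; the embedded config text is constructed from the README's example.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample ~/.aws/config mirroring the README's example profile.
const sampleConfig = `[profile letsbuild]
region=eu-central-1
workdir=/Users/peterp/letsbuild/lambdaproject
itermbadge=letsbuild
taskwarrior=27
url=/Users/peterp/letsbuild/lambdaproject/draw/fancydiagramm.drawio
`

// switchKeys are the entries the README says the wrapper parses per profile.
var switchKeys = map[string]bool{"region": true, "workdir": true, "itermbadge": true, "taskwarrior": true, "url": true}

// ParseProfile collects the known keys of "[profile <name>]" (or "[default]"); other sections and unknown keys are skipped.
func ParseProfile(config, name string) (map[string]string, bool) {
	out, in, found := map[string]string{}, false, false
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") { // section header: are we entering the wanted profile?
			in = line == "[profile "+name+"]" || (name == "default" && line == "[default]")
			found = found || in
			continue
		}
		kv := strings.SplitN(line, "=", 2) // blank and comment lines yield no key=value pair
		if k := strings.TrimSpace(kv[0]); in && len(kv) == 2 && switchKeys[k] {
			out[k] = strings.TrimSpace(kv[1])
		}
	}
	return out, found
}

// NeedsChdir is the README's rule: change into workdir only when cwd is outside it.
func NeedsChdir(cwd, workdir string) bool {
	rel, err := filepath.Rel(filepath.Clean(workdir), filepath.Clean(cwd))
	return workdir != "" && (err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

func main() {
	s, ok := ParseProfile(sampleConfig, "letsbuild")
	fmt.Println(ok, s["taskwarrior"], NeedsChdir("/Users/peterp", s["workdir"]))
}
```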