I want to be able to assign a time-based api token to a non-admin AWS user that results in giving that user temporary admin privileges to all AWS services.
Why do I want this? Because when I develop on AWS on my personal account I like to be able to have admin access to every service, but I don't want to have a pair of cleartext undying admin credentials sitting in my .aws/credentials file. So I want to be able to assume an IAM role that will elevate a user to admin and use STS to assign a time-based API token.
At work we use federation via a SAML server so users are given time-based access no matter what role they have: dev, admin, etc, but I don't want to have to set all of that up just to have a time-based API token. I have read the AWS docs and discussed this in #aws and so far the response I have is to make an IAM trust policy that hard-codes a time end:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {"DateLessThan": {"aws:CurrentTime": "2017-10-30T00:00:00Z"}}
    }
  ]
}
But I don't want to manually hardcode and update this policy every time and would rather use STS to assign a time-based API token. Any insight would be much appreciated.
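One way to get what the question asks for, as an added example that is not part of the question or its comments: a role whose trust policy admits only the named non-admin user with MFA, assumed through STS so the time limit is the session duration rather than a hard-coded DateLessThan. The account id 123456789012, user "dev", role "AdminElevated" and profile name are constructed values; the live call at the bottom assumes boto3 is installed and the user's own keys are configured.

```python
import configparser
import io

def admin_role_trust_policy(account_id: str, user_name: str) -> dict:
    """Trust policy for the admin role (attach AdministratorAccess to it as the
    permissions policy). Only this user may assume it, and only with MFA; the
    time limit comes from the session duration, not a hard-coded DateLessThan."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }

def assume_role_request(account_id: str, role_name: str, mfa_serial: str,
                        token_code: str, duration_seconds: int = 3600) -> dict:
    """Keyword arguments for sts.assume_role(); DurationSeconds bounds the session
    (STS accepts 900..43200 s, further capped by the role's MaxSessionDuration)."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {
        "RoleArn": f"arn:aws:iam::{account_id}:role/{role_name}",
        "RoleSessionName": f"{role_name}-session",
        "SerialNumber": mfa_serial,
        "TokenCode": token_code,
        "DurationSeconds": duration_seconds,
    }

def credentials_profile(profile: str, creds: dict) -> str:
    """Render the Credentials dict returned by AssumeRole as an ~/.aws/credentials
    section; the session token marks these keys as temporary, not long-lived."""
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()

if __name__ == "__main__":
    import boto3  # live call: uses the non-admin user's keys plus a current MFA code
    sts = boto3.client("sts")
    resp = sts.assume_role(**assume_role_request(
        "123456789012", "AdminElevated", "arn:aws:iam::123456789012:mfa/dev", input("MFA code: ")))
    print(credentials_profile("admin-temp", resp["Credentials"]))
```

The printed section can be pasted into ~/.aws/credentials and used with `--profile admin-temp`; once the session expires every call fails and a fresh assume_role with a new MFA code is needed.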
.aws/credentials? I'm assuming that you take reasonable security precautions (e.g., encrypted disk, strong password to access your personal computer), and are not in the habit of storing your credentials in random places. To make temporary credentials more secure than permanent credentials you would need to authenticate in order to receive those credentials. Regular rotation of credentials may be sufficient. You do have 2FA enabled on your login, right? – kdgregory