Security News
Follow-up and Clarification on Recent Malicious Ruby Gems Campaign
A clarification on our recent research investigating 60 malicious Ruby gems.
By Sarah Gooding - Aug 22, 2025
awsudo
awsudo + aws-agent
Overview
awsudo enables users to execute commands that make API calls to AWS under the security context of an IAM role. The IAM role is assumed only upon successful authentication against a SAML compliant federation service.
aws-agent enables users to authenticate against a SAML compliant federation service once, after which aws-agent provides temporary credentials to awsudo to use.
Synopsis
awsudo {role-name | role-arn} command
aws-agent
Requirements
- UNIX, UNIX-like or GNU/Linux operating system
- SAML compliant federation service
- ruby 2.1 or above
- rubygems: aws-sdk, nokogiri
Install
sudo gem install awsudo
Configuration
awsudo and aws-agent expect a configuration file named .awsudo in your home directory containing the values for your identity provider login url and the SAML provider name configured in AWS.
Example for AD FS:
IDP = adfs
IDP_LOGIN_URL = https://sts.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
SAML_PROVIDER_NAME = adfs
Example for Okta:
IDP = okta
IDP_LOGIN_URL = https://example.okta.com/app/example/abc123/sso/saml
SAML_PROVIDER_NAME = okta
API_ENDPOINT = https://example.okta.com/api/v1
In addition to .awsudo, you can create .aws-roles in your home directory to map IAM roles ARNs to more easy to remember alias names, one per line, separated by spaces. Example:
myaccount-admin arn:aws:iam::123456789012:role/myaccount-admin
Examples
awsudo
$ awsudo arn:aws:iam::123456789012:role/myaccount-admin aws ec2 describe-tags --region us-west-2
$ awsudo myaccount-admin aws ec2 describe-instances --region us-east-1
awsudo will ask your federated credentials every time. To avoid this use aws-agent as follows:
aws-agent
$ aws-agent
Login: username
Password:
AWS_AUTH_SOCK=/var/folders/xz/lx178g0d0rb36x95446zwgd80000gp/T/aws-20150623-20990-58v1c4/agent; export AWS_AUTH_SOCK;
then execute the commands printed by aws-agent. awsudo will now ask for temporary credentials to aws-agent.
Author
Contributors
FAQs
Unknown package
We found that awsudo demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 27 Apr 2017
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
ESLint Adds Support for Parallel Linting, Closing 10-Year-Old Feature Request
ESLint now supports parallel linting with a new --concurrency flag, delivering major speed gains and closing a 10-year-old feature request.
By Sarah Gooding - Aug 22, 2025
Research
/Security News
Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram
A malicious Go module posing as an SSH brute forcer exfiltrates stolen credentials to a Telegram bot controlled by a Russian-speaking threat actor.
By Kirill Boychenko - Aug 21, 2025