Auth Command

Astra's auth command allows you to manage your authentication with your cloud provider. Commonly you might want to perform some action on AWS using command line tooling or your terminal. Astra's auth command makes it easy to switch between roles, accounts, and regions.

The Astra auth command leverages the AWS CLI to authenticate you via AWS SSO. It is imperative that you have installed the AWS CLI and checked that Astra has permissions to use it via astra init.

The advantage of using AWS SSO is it allows Astra to be able to switch you quickly and easily to any role you have access to, enabling you to run command across accounts as you like. You will also only have to authenticate once per session which is by default 8 hours.

Let's go through an example

List all S3 buckets

Let's say for sake of example, you want to list your S3 buckets in production using the AWS CLI.

Normally, you would do this by typing:

aws s3 ls

However, you would encounter an error indicating that the AWS CLI lacks authentication information.

Astra to the rescue!

With Astra you can assume any AWS role you have access to by simply using the astra auth set command. This command will authenticate you via AWS CLI and set you up with a proper AWS profile at ~/.aws/config.

You can then utilize this profile as needed. Let's give it a try.

# By default if we don't give Astra a role to set, it assumes we want the 'read-only role'
~|⇒ astra auth set production
✓ Set role 'read_only' for account 'production' in region 'us-east-2'
✓ Auth Successful! Remember to run `export AWS_PROFILE=astra` to use the new auth profile outside of Astra.

Now let's run the AWS CLI command again. By default Astra just sets the profile up, but our terminal (and therefore aws cli) does not know which profile to use and defaults to one without authentication. So we'll include a flag to let it know to use the 'astra' profile.

~|⇒ aws s3 ls --profile=astra
2023-12-15 11:55:04 terraform-state-225951027938

✅ Success!

Can it be any easier?

Indeed, it can! If you prefer to run AWS CLI commands without constantly having to append `--profile=astra`` to everything, you could set your profile via environment variables instead:

~|⇒ export AWS_PROFILE=astra
~|⇒ aws s3 ls
2023-12-15 11:55:04 terraform-state-337451047959

But wait! There's more!

You can streamline the process with a single command by using your terminal's eval command.

🪧 The terminal eval command can be risky if you're unsure of its operation, so ensure its use is restricted to trusted contexts.

~|⇒ eval $(astra auth set production --eval)
~|⇒ aws s3 ls
2023-12-15 11:55:04 terraform-state-225951027938