{"id":22574548,"url":"https://github.com/anvilsecure/awstracer","last_synced_at":"2026-01-07T10:33:06.687Z","repository":{"id":50157140,"uuid":"257022385","full_name":"anvilsecure/awstracer","owner":"anvilsecure","description":"AWS CLI Tracer - trace and replay sequences of aws cli commands","archived":false,"fork":false,"pushed_at":"2024-06-18T06:39:03.000Z","size":85,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-11T13:41:16.939Z","etag":null,"topics":["aws","awscli","botocore","cloud","python","python3","system-administration","tracing"],"latest_commit_sha":null,"homepage":"https://www.anvilsecure.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anvilsecure.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-04-19T14:36:56.000Z","updated_at":"2024-06-18T06:39:04.000Z","dependencies_parsed_at":"2023-12-26T08:46:02.041Z","dependency_job_id":"385642cb-5d6f-48c1-8b18-cdc70cfce085","html_url":"https://github.com/anvilsecure/awstracer","commit_stats":{"total_commits":53,"total_committers":3,"mean_commits":"17.666666666666668","dds":"0.13207547169811318","last_synced_commit":"c99ba76ffe61e14b585600c30283a927cc0e6a84"},"previous_names":["anvilventures/awstracer"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fawstracer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fawstracer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fawstracer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fawstracer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anvilsecure","download_url":"https://codeload.github.com/anvilsecure/awstracer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246093099,"owners_count":20722395,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","awscli","botocore","cloud","python","python3","system-administration","tracing"],"created_at":"2024-12-08T03:06:55.477Z","updated_at":"2026-01-07T10:33:06.625Z","avatar_url":"https://github.com/anvilsecure.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS CLI Tracer\n\n*\"A poor man's Cloud Formation utility\" --me*\n\n![Example Terminal Session](/termsession_example.svg?raw=true\u0026sanitize=true)\n\n# Introduction\n\n**awstracer** consists of two small utitilities which hook into the `aws` command-line interface internal event mechanism. Using it you can record a sequence of `aws` commands to a trace-file. The player will allow you to replay that sequence of commands under for example a different configured AWS profile or against a different AWS region. Think of it as a set of poor man's Cloud Formation utilities. It's useful for when you have to re-run a set of commands or quickly test a bunch of things without having to switch back to the console the entire time. And it's also a whole lot quicker than having to write your own `awscli` and `botocore` logic.\n\nUnder normal circumstances these utilities would barely be more useful than using a simple shell-script which wraps around `aws` commands. However, the player features some logic that allows it to derive relationships between subsequent calls. This way it can automatically determine that the return value of one command should be supplied to the next request. Think for example of using a command which creates a resource and returns an ARN and the next command then using that specific ARN again. The player has the ability to do a dry run of the sequence of commands in the trace file. It will then colorize the output and highlight the replaced variables to show where the substitutions in a sequence of requests will appear.\n\n\n## Limitations\nVery complex traces with a set of similar commands might end up yielding unpredictable results. If one for example does an `aws iam create-user` call twice then the second call's parameters will be automatically substituted for the ones of the first one. To inspect what would happen it's advisable to look at the output of a dryrun first. The examples below should make clearer what appropriate use-cases are and how one can use `awstracer`. \n\n\n# Installation\n\nPlease note that this tool requires at least Python `\u003e= 3.6`. To install from source simply clone the repository and run:\n\n```\n$ python3 setup.py sdist\n$ pip3 install dist/awstracer-\u003cversion\u003e.tar.gz\n```\n\n\n# Usage\nFirst run `awstrace-rec` to run a recording of aws commands. There is the ability, enabled via a command-line switch, to also support arbitrary shell commands. These will _NOT_ be replayed or even captured in the trace. However this can be useful when you want to make sure a call to AWS IAM for example has settled. You can then execute for example a sleep command before executing the next call to `aws`.\n\nAfter the trace has been recorded you can replay it with `awstrace-play`. There are several switches to enable debugging, force a continuation of a trace execution when one intermediate command fails and so on. For more information simply run `awstrace-play -h`. To replay a trace against a different region or profile simply use the `--profile` or `--region` switches.\n\nPlease note that both `awstrace-play` and `awstrace-rec` are very light wrappers around the standard aws cli. This means that it will automatically import your profiles from `~/.aws/credentials` or load IAM access keys from the environment. From that perspective everything works exactly like usual.\n\nOverriding request parameters can be done via `-p` or `--param`. Request parameters tend to be similarly cased to how the `aws cli` styles them. That means that even if the request and response use for example `UserName` you specify it on the commandline with `--user-name`. For `awstrace-play` that means you would use something like `-p user-name test-user` to override the value in the trace.\n\n\n## Usage Example 1: Creating a DynamoDB table and adding data to it\n\nThis is the example that can also be seen in the recorded terminal session above. Let's create a tracefile that creates a DynamoDB table named `Music` and inserts a song in the table. The commands are taken directly from the [Amazon DynamoDB Developer Guide](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/getting-started-step-1.html). This looks something like this. Please note that the output is truncated.\n\n```\n$ awstrace-rec --trace-file create_table.trace\n(rec) aws dynamodb create-table \\\n\u003e     --table-name Music \\\n\u003e     --attribute-definitions \\\n\u003e         AttributeName=Artist,AttributeType=S \\\n\u003e         AttributeName=SongTitle,AttributeType=S \\\n\u003e     --key-schema \\\n\u003e         AttributeName=Artist,KeyType=HASH \\\n\u003e         AttributeName=SongTitle,KeyType=RANGE \\\n\u003e --provisioned-throughput \\\n\u003e         ReadCapacityUnits=10,WriteCapacityUnits=5\n[...]\nAdd command to trace cache? [y/N]: y\n(rec) aws dynamodb put-item \\\n\u003e --table-name Music  \\\n\u003e --item \\\n\u003e     '{\"Artist\": {\"S\": \"No One You Know\"}, \"SongTitle\": {\"S\": \"Call Me Today\"}, \"AlbumTitle\": {\"S\": \"Somewhat Famous\"}, \"Awards\": {\"N\": \"1\"}}'\nAdd command to trace cache? [y/N]: y\n(rec)\nSave cached trace to create_table.trace? [y/N]: y\n```\n\nNow we can simply replay our trace. If we play it we get the following error as the table already exists:\n\n```\n$ awstrace-play --trace-file create_table.trace\n(play) aws dynamodb create-table --attribute-definitions '[{\"AttributeName\": \"Artist\", \"AttributeType\": \"S\"}, {\"AttributeName\": \"SongTitle\", \"AttributeType\": \"S\"}]' --key-schema '[{\"AttributeName\": \"Artist\", \"KeyType\": \"HASH\"}, {\"AttributeName\": \"SongTitle\", \"KeyType\": \"RANGE\"}]' --provisioned-throughput '{\"ReadCapacityUnits\": 10, \"WriteCapacityUnits\": 5}' --table-name Music\n\nAn error occurred (ResourceInUseException) when calling the CreateTable operation: Table already exists: Music\n```\n\nWe can immediately run the trace against a different region, profile or endpoint. To do so we simply use the `--region`, `--profile` or `--endpoint` parameters similarly to how this works with the AWS CLI. For example to run the same trace under the `admin-profile` against the endpoint `https://beta-service-url.com` we can do the following:\n\n```\n$ awstrace-play --trace-file create_table.trace --profile admin-profile --endpoint https://beta-service-url.com\n```\n\nThe player has the ability to automatically derive relationships between subsequent commands. This means that we have the ability to override a parameter inside a trace file without having to edit the trace file or edit any of the commands themselves. For example if we want to create a table with a different name but still want to get the data inserted to that new table we simply do this:\n\n```\n$ awstrace-play --trace-file create_table.trace -p table-name test-table\n[...]\n$ aws dynamodb list-tables\n{\n    \"TableNames\": [\n        \"Music\",\n        \"test-table\",\n    ]\n}\n```\n\nWe can see that `test-table` was created. To check if the data actually got inserted we can use the following to see if we can get an item returned from the table. If that works it means the player did its job correctly and it replayed the trace with the overridden parameters properly.\n\n```\n$ aws dynamodb get-item --consistent-read --table-name test-table --key '{ \"Artist\": {\"S\": \"No One You Know\"}, \"SongTitle\": {\"S\": \"Call Me Today\"}}\n{\n    \"Item\": {\n        \"AlbumTitle\": {\n            \"S\": \"Somewhat Famous\"\n        },\n        \"Awards\": {\n            \"N\": \"1\"\n        },\n        \"Artist\": {\n            \"S\": \"No One You Know\"\n        },\n        \"SongTitle\": {\n            \"S\": \"Call Me Today\"\n        }\n    }\n}\n```\n\n## Usage Example 2: Creating AWS users and policies\n\nWe start a recording session. First we create user `test-user1`. We then create a policy from `file://policy.json` named `test-policy1` and subsequently attach the policy to the user.\n\n```\n$ awstrace-rec --trace-file create_user.trace\n(rec) aws iam create-user --user-name test-user-1\n[...]\n(rec) aws iam create-policy --policy-name test-policy-1 --policy-document file://policy.json\n{\n    \"Policy\": {\n    [...]\n        \"Arn\": \"arn:aws:iam::111111111111:policy/policy1\",\n    [...]\n    }\n}\n(rec) aws iam attach-user-policy --user-name test-user-1 --policy-arn arn:aws:iam::111111111111:policy/policy1\n[...]\naws iam list-attached-user-policies --user-name test-user-1\n{\n    \"AttachedPolicies\": [\n        {\n            \"PolicyName\": \"policy1\",\n            \"PolicyArn\": \"arn:aws:iam::111111111111:policy/policy1\"\n        }\n    ]\n}\n```\n\nTo now create a different user with a different policy all we have to do is edit the `policy.json` file and then rerun the trace.\nWe can do a dry-run first by specifying `--dryrun` to see if the appropiate relations between the traces has been properly derived.\nThis will look something like this:\n\n```\n$ awstrace-play --trace-file create-user.trace -p user-name tu -p policy-name tp policy-document file://policy.json --dryrun\n(play) aws iam create-user --user-name tu\n(play) aws iam create-policy --policy-document file://policy.json --policy-name tp\n(play) aws iam attach-user-policy --policy-arn arn:aws:iam::111111111111:policy/tp --user-name tu\n(play) aws iam list-attached-user-policies --user-name tu\n```\n\nIf we now run it without the `--dryrun` option we will ultimately see the output of the last request which was the call to `list-attached-user-policies`.\n\n```\n$ awstrace-play --trace-file create-user.trace -p user-name tu -p policy-name tp -p policy-document file://policy.json\n[...]\n(play) aws iam list-attached-user-policies --user-name tu\n{\n    \"AttachedPolicies\": [\n        {\n            \"PolicyName\": \"tp\",\n            \"PolicyArn\": \"arn:aws:iam::111111111111:policy/tp\"\n        }\n    ]\n}\n[...]\n```\n\n\n# Bugs, comments, suggestions\n\nShoot in a pull-request via github, post an issue in the issue tracker or simply shoot an email to *gvb@anvilsecure.com*.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanvilsecure%2Fawstracer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanvilsecure%2Fawstracer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanvilsecure%2Fawstracer/lists"}