Open elyscape opened 1 year ago
> @elyscape said:
> Only the AWS CLI is supported, not the SDKs.

I guess I don't understand. The AWS CLI is built atop the Python SDK, and all SDKs implement the same auth logic (source: I was a founding member of the SDK/CLI team at AWS).
Oh, wait — do you mean because it maps to `aws`? Yeah. IMO, mapping the commands to a specific binary is a premature optimization in 1P's implementation.
IMO, AWS Vault already solves this masterfully.
Right but I think the idea is to be able to store credentials in 1P and not separate them, which you'd have to do if you used AWS Vault.
I manage over 180 AWS accounts.
If you have one or two accounts configured as IAM users with a key and secret, it's not that bad.
AWS Vault integrates with AWS SSO, integrates with all AWS SDKs and CLI using the native `~/.aws` directory, and generates session credentials automatically — which are all best practices for using AWS at scale.
### Platform or tool

AWS

### Desired or expected behavior

The AWS CLI and SDKs have the ability to read credentials from an external process over stdin if the user sets `credential_process` in the config file. It would be nice if `op` supported this functionality for AWS and, more broadly, had the ability to support this kind of functionality for other tools.

### Current behavior

The AWS plugin invokes `aws` after setting environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and potentially `AWS_SESSION_TOKEN` and `AWS_DEFAULT_REGION`.

### Further discussion

The current approach works fine, but it does mean that:

- `aws` and may be read by (for example) EDR software.
- `aws` can't easily make use of this functionality.

By adding the ability to act as a `credential_process` for AWS specifically, and more generally supporting this kind of mechanism for other tools, these issues can all be fairly simply resolved.

### op CLI version

6.13.1
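The `credential_process` contract the issue asks `op` to implement, as an added illustration that is not 1Password's or AWS's code: the CLI/SDK runs the helper named in `~/.aws/config` and reads one JSON document (`Version`, `AccessKeyId`, `SecretAccessKey`, and for temporary credentials `SessionToken` and `Expiration`) from the helper's stdout, so the secret crosses a pipe into the CLI instead of sitting in the `aws` process environment. The credential record here is a constructed in-memory dict standing in for a vault lookup, and the profile name and helper path are assumptions.

```python
# AWS credential_process helper skeleton (added example, not op's own code).
# The AWS CLI/SDKs run the configured command and parse one JSON document
# from its stdout; the keys emitted below are that documented contract.
import json
import sys
from datetime import datetime, timezone

REQUIRED = ("AccessKeyId", "SecretAccessKey")

def missing_keys(creds):
    """Required credential fields that are absent or empty."""
    return [k for k in REQUIRED if not creds.get(k)]

def build_credential_process_output(creds):
    """Shape a credential record into the JSON the CLI/SDK expects.
    Expiration may be a datetime (rendered as UTC ISO 8601) or an ISO string;
    without it the CLI treats the credentials as long-term, with it the
    helper is re-run before they expire."""
    missing = missing_keys(creds)
    if missing:
        raise ValueError("credential record is missing: " + ", ".join(missing))
    out = {"Version": 1, "AccessKeyId": creds["AccessKeyId"],
           "SecretAccessKey": creds["SecretAccessKey"]}
    if creds.get("SessionToken"):
        out["SessionToken"] = creds["SessionToken"]
    exp = creds.get("Expiration")
    if isinstance(exp, datetime):
        exp = exp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if exp:
        out["Expiration"] = exp
    return out

def render_config_profile(profile, helper_cmd):
    """~/.aws/config stanza pointing a profile at the helper (path assumed)."""
    return f"[profile {profile}]\ncredential_process = {helper_cmd}\n"

def main():
    # Constructed sample record standing in for a vault lookup (e.g. an `op`
    # item); a real helper fetches it at run time and never hard-codes secrets.
    record = {"AccessKeyId": "AKIAEXAMPLE000000000",
              "SecretAccessKey": "constructed-secret",
              "SessionToken": "constructed-session-token",
              "Expiration": "2030-01-01T00:00:00Z"}
    # Only the JSON goes to stdout, the pipe the CLI reads; nothing is exported
    # into the environment or echoed to stderr/logs.
    json.dump(build_credential_process_output(record), sys.stdout)

if __name__ == "__main__":
    main()
```

Pointing a profile at the helper with `render_config_profile("prod", "/usr/local/bin/aws-cred-helper")` then lets `aws --profile prod ...` and every SDK that honours `~/.aws/config` obtain credentials without any `AWS_*` variables being set.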