Open jimsmith opened 1 year ago
Hi @jimsmith thanks for the feature request. Since environment variables affect other AWS SDKs in addition to the CLI, I'm going to transfer this issue to our cross-SDK repository for tracking. I'll also link a related feature request here from the Java repository: https://github.com/aws/aws-sdk-java/issues/2756. I believe the requests in these two issues are similar, but if you want to confirm that or clarify any distinctions please let us know.
We also need this.
BTW, is the default 1 hour?
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours.
saw it here: https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html
Also, can we extend the scope of this issue to include the possibility to have the token itself in an environment variable instead of a file? It could be called AWS_WEB_IDENTITY_TOKEN.
The reason is that for example gitlab CI provides the token in an env variable of choice, but there is an extra step to create a file and pipe it there for the aws-cli compatibility.
Then somebody would only do:

```yaml
aws_job:
  id_tokens:
    AWS_WEB_IDENTITY_TOKEN:
      aud: https://gitlab.com
  variables:
    AWS_ROLE_ARN: arn:aws:iam::0000000000:role/ServiceRole
    AWS_ROLE_SESSION_NAME: GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}-${CI_JOB_ID}
    AWS_ROLE_SESSION_DURATION_SECONDS: 3600
  before_script:
    - aws sts get-caller-identity
```
Describe the feature
An ENVIRONMENT variable to set the STS duration seconds, such as:
AWS_ROLE_SESSION_DURATION_SECONDS
Use Case
Imagine engineers wanting to use ENVIRONMENT variables for STS Assume Role/Assume Role with Web Identity, and we want to override the default duration (seconds). There are already environment variables for:
AWS_ROLE_ARN
AWS_ROLE_SESSION_NAME
AWS_WEB_IDENTITY_TOKEN_FILE
In a CI/CD pipeline (GitLab OIDC AWS authentication), to reduce the amount of code and keep the codebase simple and slim, there is no need to call aws CLI sts commands; environment variables can be used instead, which from a platform engineering/operational perspective is easier to support and maintain.
.... however there is no environment variable to set duration-seconds, and nothing in this repository seems to suggest it's supported.
Proposed Solution
No response
Other Information
No response
Acknowledgements
CLI version used
Pulling docker image amazon/aws-cli:latest ...
Environment details (OS name and version, etc.)
Mac OS Python/3.10.6 Darwin/22.1.0 source/x86_64
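The workaround that both the GitLab comment and the feature request above describe (take the OIDC token from an environment variable, write it to a file the CLI can read, and pass an explicit --duration-seconds) as an added shell example for a CI before_script. This is not code from the issue, from GitLab or from aws-cli: the variable names AWS_WEB_IDENTITY_TOKEN and AWS_ROLE_SESSION_DURATION_SECONDS are the ones proposed in the thread and are not supported natively, and the AWS_CLI override used for dry runs is an assumption of this example.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or aws-cli): emulate the requested
# AWS_ROLE_SESSION_DURATION_SECONDS and AWS_WEB_IDENTITY_TOKEN variables
# until the SDKs read them natively. Usage in a GitLab before_script:
#   eval "$(assume_role_from_env | credentials_to_exports)"

# STS accepts 900..43200 seconds (15 minutes to the 12-hour ceiling a role
# can allow). Prints the validated value, or fails so a typo in the pipeline
# variable cannot silently fall back to a longer or shorter session.
validate_duration() {
  d="${1:-3600}"
  case "$d" in
    ''|*[!0-9]*) echo "duration must be an integer number of seconds" >&2; return 1 ;;
  esac
  if [ "$d" -lt 900 ] || [ "$d" -gt 43200 ]; then
    echo "duration $d is outside the STS range 900..43200" >&2; return 1
  fi
  echo "$d"
}

# Write the token from the environment to the file AWS_WEB_IDENTITY_TOKEN_FILE
# points at. The file is created under umask 077 so the token never exists
# world-readable, and an already existing file is tightened to 0600 as well.
write_token_file() {
  token="$1"
  path="$2"
  [ -n "$token" ] || { echo "web identity token is empty" >&2; return 1; }
  ( umask 077 && printf '%s' "$token" > "$path" ) || return 1
  chmod 600 "$path" || return 1
  echo "$path"
}

# Call STS with the variables the pipeline already sets. AWS_CLI (assumed
# here) lets a dry run substitute e.g. `echo` for `aws`. The token is passed
# via file:// so it does not appear in the process argument list.
assume_role_from_env() {
  duration="$(validate_duration "${AWS_ROLE_SESSION_DURATION_SECONDS:-3600}")" || return 1
  token_file="$(write_token_file "${AWS_WEB_IDENTITY_TOKEN:-}" \
      "${AWS_WEB_IDENTITY_TOKEN_FILE:-$PWD/.web-identity-token}")" || return 1
  "${AWS_CLI:-aws}" sts assume-role-with-web-identity \
    --role-arn "$AWS_ROLE_ARN" \
    --role-session-name "$AWS_ROLE_SESSION_NAME" \
    --web-identity-token "file://$token_file" \
    --duration-seconds "$duration" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
}

# Turn the tab-separated `--output text` line from STS into export statements
# for the standard credential variables every AWS SDK understands.
credentials_to_exports() {
  IFS="$(printf '\t')" read -r akid secret session || return 1
  [ -n "$session" ] || { echo "unexpected sts output" >&2; return 1; }
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$akid"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$session"
}
```

The duration check fails closed rather than clamping, because a pipeline that asked for a short session and silently received the one-hour default would be hard to notice in audit logs; the role's own maximum session duration still caps whatever the job requests.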