benkehoe
commented
11 months ago You are correct that credential_process is lower in precedence than the sso_* config fields (see the code here). credential_process is there as a backstop for SDKs (and versions of the CLI) that predate Identity Center support. See for example https://github.com/aws/aws-cdk/issues/5455 In those cases, the Identity Center config fields are ignored, but it will pick up the credential_process entry, which, when the profile name is the same (as it should be when autogenerated), that will pick up the Identity Center config in the profile and return credentials, allowing it to work.
You can disable this field in with --no-credential-process or with AWS_CONFIGURE_SSO_DISABLE_CREDENTIAL_PROCESS=true in the environment, docs for that are here.
At some undefined point in the future, when the number of extant tools not using a current SDK version has dwindled sufficiently, I'll change the default, but that'll be a major version rev.
bweisshaar-benchling
Hello,
I ran into this accidentally today when mass-renaming profiles for readability. It doesn't appear that the AWS cli considers credential_process at all, which isn't necessarily a bad thing, but it's super confusing and leads me to wonder why it's there at all. Consider the following config:
When I try something like
aws s3 ls --profile testit works fine without error, despite there being no profile of the nameMy-Account-Name.CoolRoleName.If you manually were to run
aws-sso-util credential-process --profile My-Account-Name.CoolRoleNameit errors out with "no such profile".This leads me to believe that it's entirely ignoring
credential_process, which again doesn't seem to be hurting anything, just creating config clutter. (I've since started using --no-credential-process but am still curious)