Closed bweisshaar-benchling closed 11 months ago
You are correct that credential_process is lower in precedence than the sso_* config fields (see the code here). credential_process is there as a backstop for SDKs (and versions of the CLI) that predate Identity Center support. See for example https://github.com/aws/aws-cdk/issues/5455 In those cases, the Identity Center config fields are ignored, but it will pick up the credential_process entry, which, when the profile name is the same (as it should be when autogenerated), will pick up the Identity Center config in the profile and return credentials, allowing it to work.
You can disable this field with --no-credential-process or with AWS_CONFIGURE_SSO_DISABLE_CREDENTIAL_PROCESS=true in the environment; docs for that are here.
At some undefined point in the future, when the number of extant tools not using a current SDK version has dwindled sufficiently, I'll change the default, but that'll be a major version rev.
Ahh, I should have guessed it was a sort of legacy thing. No worries! Sounds like similar might have to be done for sso_session as well. Thanks.
Hello,
I ran into this accidentally today when mass-renaming profiles for readability. It doesn't appear that the AWS cli considers credential_process at all, which isn't necessarily a bad thing, but it's super confusing and leads me to wonder why it's there at all. Consider the following config:
When I try something like
aws s3 ls --profile test
it works fine without error, despite there being no profile of the name My-Account-Name.CoolRoleName. If you manually were to run
aws-sso-util credential-process --profile My-Account-Name.CoolRoleName
it errors out with "no such profile". This leads me to believe that it's entirely ignoring credential_process, which again doesn't seem to be hurting anything, just creating config clutter. (I've since started using --no-credential-process but am still curious)
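An added example, not part of the thread and not aws-sso-util code: a check for the situation described above, where a profile was renamed but its credential_process entry still names the old profile. The current CLI hides this because the sso_* fields take precedence, while a tool that relies on credential_process would pass the stale name to aws-sso-util. The sample config and the function names are constructed for this example.

```python
import configparser
import shlex

# Constructed sample config (not from the thread); helper names are this example's own.
SAMPLE_CONFIG = """\
[profile test]
sso_start_url = https://example.awsapps.com/start
sso_account_id = 111111111111
sso_role_name = CoolRoleName
credential_process = aws-sso-util credential-process --profile My-Account-Name.CoolRoleName

[profile Other-Account.ReadOnly]
sso_start_url = https://example.awsapps.com/start
sso_account_id = 222222222222
sso_role_name = ReadOnly
credential_process = aws-sso-util credential-process --profile Other-Account.ReadOnly
"""

def profile_name(section):
    """Map a config section header to its profile name ('profile x' -> 'x')."""
    return section[len("profile "):].strip() if section.startswith("profile ") else section

def referenced_profile(command):
    """Return the --profile argument of a credential_process command, or None."""
    args = shlex.split(command)
    for i, arg in enumerate(args):
        if arg == "--profile" and i + 1 < len(args):
            return args[i + 1]
    return None

def stale_credential_process(config_text):
    """List (profile, target) pairs whose credential_process names a missing profile."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    names = {profile_name(s) for s in parser.sections()}
    findings = []
    for section in parser.sections():
        command = parser.get(section, "credential_process", fallback=None)
        if command is None or "aws-sso-util" not in command:
            continue
        target = referenced_profile(command)
        if target is not None and target not in names:
            findings.append((profile_name(section), target))
    return findings

if __name__ == "__main__":
    for profile, target in stale_credential_process(SAMPLE_CONFIG):
        print(f"{profile}: credential_process points at missing profile {target}")
```

To check a real file, pass the text of ~/.aws/config to stale_credential_process instead of the sample.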