cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License

.aws/config google_config.keyring setting overridden #153

Open christoph-buente opened 4 years ago

christoph-buente commented 4 years ago

I set my ~/.aws/config up with several profiles. When I want to refresh my tokens, I want the google password to be read from my keychain (which I set up earlier). So this is what the config looks like.

[profile my-admin-profile]
region = us-east-1
google_config.ask_role = False
google_config.keyring = True
google_config.duration = 3600
google_config.google_idp_id = IDP_ID
google_config.role_arn = role_arn
google_config.google_sp_id = SRV_ID
google_config.u2f_disabled = False
google_config.google_username = me@company.org

When calling aws-google-auth with just one parameter telling it the profile name to read from, it asks for the password, not honouring the google_config.keyring = True setting.

$ aws-google-auth -p my-admin-profile
Google Password: 

And even worse, it sets the config to False. So next time I try to refresh the tokens, it asks for the password again. The only way to remedy it is to set the -k parameter. Is this intended behaviour? But I guess if you want to switch keychain off, there is another "negative" parameter needed, like -K, to actively indicate you don't want the keychain and then override the config file. Any thoughts are appreciated.

stevemac007 commented 4 years ago

Having this value in the config is a bit misleading - the original design intention was that the -k be supplied to use the Keyring, otherwise prompt for password - which I believe is the current behaviour. It does make it look like this can be configured via the config.

I guess we either have 2 ways forward:

  1. Drop the google_config.keyring from the config
  2. Rework the logic so that it actually uses the config

The second option then does need something to negate this as you suggested. I like the -K option.

Happy to gain feedback from the community around direction on this one.
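To make the precedence problem from the issue concrete, and to show what option 2 with a -K negation looks like, here is a small added illustration; it is not the project's code and assumes an argparse-based CLI that reads profiles with configparser, using a constructed sample config:

```python
import argparse
import configparser

# Constructed sample ~/.aws/config (not a real file), mirroring the profile in the issue.
SAMPLE_CONFIG = """
[profile my-admin-profile]
region = us-east-1
google_config.keyring = True
google_config.duration = 3600
"""


def load_profile(text, profile):
    """Return the named profile section as a plain dict (empty if absent)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = f"profile {profile}"
    return dict(parser[section]) if parser.has_section(section) else {}


def build_parser(fixed):
    p = argparse.ArgumentParser(prog="aws-google-auth")
    p.add_argument("-p", "--profile", required=True)
    if fixed:
        # Three-state flag: None means "not given on the command line", so the
        # config value can apply; -k forces True and -K forces False.
        p.add_argument("-k", "--keyring", dest="keyring",
                       action="store_true", default=None)
        p.add_argument("-K", "--no-keyring", dest="keyring", action="store_false")
    else:
        # store_true defaults to False, so an absent -k silently yields False,
        # which then clobbers google_config.keyring = True from the config.
        p.add_argument("-k", "--keyring", action="store_true")
    return p


def resolve_keyring(argv, config_text, fixed):
    """Decide whether to use the keyring for the profile named in argv."""
    args = build_parser(fixed).parse_args(argv)
    profile = load_profile(config_text, args.profile)
    config_value = profile.get("google_config.keyring", "False").lower() == "true"
    if fixed:
        # Command line wins only when explicitly given; otherwise honour the config.
        return config_value if args.keyring is None else args.keyring
    # Buggy precedence: the argparse default (False) replaces the config value,
    # and a caller that writes args.keyring back to the config persists False.
    return args.keyring
```

With the sample config and only `-p my-admin-profile`, the buggy branch returns False while the fixed branch returns True.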

christoph-buente commented 4 years ago

Thanks @stevemac007 for the clarification. If the line in the config file doesn't do anything except mislead people, I would opt for dropping it.

forsberg commented 4 years ago

I would appreciate being able to set it via the configuration, i.e. not having to add -k to every command line using aws-google-auth.

stevemac007 commented 4 years ago

I agree with @forsberg - my personal preference would be for the keyring value to be stored. If I get a chance I'll look at making it work, otherwise I would happily review a PR for this.