cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
537 stars 181 forks

Browser login and Credential process #236

Open mcfedr opened 2 years ago

mcfedr commented 2 years ago

There are two features that join into each other:

Browser Login:

Open the user's web browser, let him login there, and then we catch the SAML. It's slightly annoying, because Google will only send the SAML to a valid https server. To work around this, I have a server that can be hosted serverless-ly somewhere, and it will forward the SAML to http://127.0.0.1:8000, where the python client is waiting for it.

Credential Process:

AWS cli supports a config, credential_process, that means it can trigger a process to get the credentials for a profile. These changes allow aws-google-auth to be this process. Now everything is magic.

There are a couple of changes required for this - basically aws cli won't call the process if there are any keys in the credentials file - even if they're expired, but it also doesn't have its own credentials cache, so basically we write the creds to the credentials file under a different name and use this as a cache. I keep it in the credentials file so that the security properties are the same as normal.
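Added example of the credential_process side described above; this is not aws-google-auth's code. It assumes a hypothetical cache profile name (`work-cache`) and that the cached STS keys carry an `aws_session_expiration` key in the credentials file; the helper emits the Version 1 JSON document the AWS CLI reads from a credential_process, or returns nothing when the cache is missing or about to expire so the caller can run the SAML login again.

```python
import configparser
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of ~/.aws/credentials. "work-cache" is the hypothetical
# profile the helper keeps its STS keys under; the profile that points at
# credential_process (in ~/.aws/config) must hold no keys of its own, e.g.
#   [profile work]
#   credential_process = <command that prints the JSON below>
SAMPLE_CREDENTIALS = """
[work-cache]
aws_access_key_id = ASIAEXAMPLEKEY
aws_secret_access_key = examplesecret
aws_session_token = exampletoken
aws_session_expiration = 2099-01-01T00:00:00Z
"""
# Same layout with an expired session, to exercise the refresh path.
EXPIRED_CREDENTIALS = SAMPLE_CREDENTIALS.replace("2099", "2000")


def load_cached(text, profile, now=None):
    """Return the cached STS keys for `profile` as a credential_process dict,
    or None when the profile is absent or the session is (nearly) expired."""
    now = now or datetime.now(timezone.utc)
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section(profile):
        return None
    sec = cfg[profile]
    exp = datetime.strptime(sec["aws_session_expiration"], "%Y-%m-%dT%H:%M:%SZ")
    exp = exp.replace(tzinfo=timezone.utc)
    # Refresh a little early so a call issued just before expiry still succeeds.
    if exp - now < timedelta(minutes=5):
        return None
    return {
        "Version": 1,
        "AccessKeyId": sec["aws_access_key_id"],
        "SecretAccessKey": sec["aws_secret_access_key"],
        "SessionToken": sec["aws_session_token"],
        "Expiration": sec["aws_session_expiration"],
    }


def credential_process_output(text, profile, now=None):
    """JSON string for stdout, or None if the SAML login must be re-run."""
    creds = load_cached(text, profile, now)
    return None if creds is None else json.dumps(creds)


if __name__ == "__main__":
    out = credential_process_output(SAMPLE_CREDENTIALS, "work-cache")
    if out is None:
        sys.exit("cache missing or expired: run the browser SAML login first")
    print(out)
```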

mcfedr commented 2 years ago

Has some relations to #142 but I don't handle the interactive flow for credential_process - instead assuming you use the non-interactive browser flow.

mcfedr commented 2 years ago

Closes #225 and #224 as all the commits are merged here.