cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License

User Experience issue: use of $AWS_PROFILE sometimes results in data loss #244

Open bddap opened 2 years ago

bddap commented 2 years ago

Setting AWS_PROFILE usually means "I want to use this profile to run commands." aws-google-auth interprets it as "I want to overwrite the credentials for this profile."

I've been bitten by this a few times. The problem is that I often already have the environment variable set to some other profile.

export AWS_PROFILE=foo

I run aws-google-auth to refresh the credentials for the sts profile. Instead of updating the sts profile it overwrites the foo profile, deleting the credentials that were there already.

Use of the AWS_PROFILE variable may sometimes result in exactly the right thing happening, but sometimes results in undesired behavior.

If you haven't seen it already, I can highly recommend checking out https://clig.dev, a list of CLI best practices. In this case AWS_PROFILE probably counts as a "widely used name".

Anyway, my workaround is to be careful to always set the flag --profile sts, but it's possible other users have accidentally deleted their credentials in the same way.

A Solution

Perhaps read from AWS_GOOGLE_AUTH_PROFILE instead?
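
An added example, not part of the original issue or of aws-google-auth's code: a sketch of the proposed behaviour, where the write target comes from `--profile` or `AWS_GOOGLE_AUTH_PROFILE` and never from `AWS_PROFILE`. The function names, the `sts` default, and the extra guard against overwriting a profile that holds long-lived keys are assumptions made for illustration.

```python
import configparser

TOOL_ENV = "AWS_GOOGLE_AUTH_PROFILE"  # variable proposed in the issue, not an existing option
DEFAULT_PROFILE = "sts"               # assumed default, taken from the issue's example

# Constructed credentials file contents; every value is a placeholder.
SAMPLE = """\
[foo]
aws_access_key_id = AKIA-CONSTRUCTED-EXAMPLE
aws_secret_access_key = constructed-secret

[sts]
aws_access_key_id = ASIA-CONSTRUCTED-EXAMPLE
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
"""


def resolve_write_profile(cli_profile, env):
    """Pick the profile to write to: flag, then tool-specific variable, then default.

    AWS_PROFILE is deliberately not consulted; it selects a profile to use,
    not a profile to overwrite.
    """
    return cli_profile or env.get(TOOL_ENV) or DEFAULT_PROFILE


def is_safe_to_overwrite(credentials_text, profile):
    """Return (ok, reason); refuse to clobber a profile holding long-lived keys.

    Temporary STS credentials carry aws_session_token, so a section with an
    access key but no session token looks like static IAM user keys.
    """
    parser = configparser.RawConfigParser()
    parser.read_string(credentials_text)
    if not parser.has_section(profile):
        return True, "profile does not exist yet"
    section = parser[profile]
    if "aws_access_key_id" in section and "aws_session_token" not in section:
        return False, "profile holds long-lived keys; require an explicit override"
    return True, "profile holds temporary credentials"


if __name__ == "__main__":
    env = {"AWS_PROFILE": "foo"}  # the situation described in the issue
    target = resolve_write_profile(None, env)
    print(target, is_safe_to_overwrite(SAMPLE, target))
    print("foo", is_safe_to_overwrite(SAMPLE, "foo"))
```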