common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

add a caching mechanism to assume #447

Closed orenmazor closed 11 months ago

orenmazor commented 1 year ago

What changed?

Inspired by https://github.com/common-fate/granted/issues/371, I duplicated the credential caching mechanism from credential_process.go

Why?

In my use case, I have the following setup, where I use the 1Password CLI as the credentials source:

[profile oren]
region=us-east-1
credential_process=op --account agilebits.1password.com plugin run -- aws configure export-credentials

[profile someaccount]
source_profile=oren
role_arn=arn:aws:iam::x:role/sudo
mfa_serial=arn:aws:iam::x:mfa/oren.mazor
region=us-east-1

My issue is that I've got about 20 accounts and all of them require entering MFA. This is a pain in the butt and I'd like granted to cache the resulting MFA credentials.

How did you test it?

I've deployed this on my own machine and have been working with this today in both terminal and console features.

So far so good!

Potential risks

I don't know enough about other folks' use cases with granted. I'm not sure if I broke something here, so before I spend any more time DRYing things up (the same code is in credential process, assume terminal and assume console), I wanted to get some feedback!

Is patch release candidate?

Link to relevant docs PRs

Eddie023 commented 11 months ago

Hi @orenmazor, thanks for contributing to granted! Looks like you have added a top-layer caching mechanism to the assume command. However, there are multiple types of assumers, some of which don't/cannot use securestorage.NewSecureSessionCredentialStorage(). I have added a fix in this PR where we instead cache inside of the IAM_ASSUMER. This way the session credentials are still cached and you do not have to re-enter the MFA code.
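
The design discussed in the thread above, caching inside a single assumer rather than around the whole assume command, sketched in Go as an added example that is not granted's code. `Creds`, `Assumer`, `CachingAssumer` and `mfaAssumer` are hypothetical names, and the in-memory map stands in for secure storage.

```go
package main

import (
	"fmt"
	"time"
)

// Creds and Assumer are hypothetical stand-ins, not granted's real types.
type Creds struct {
	AccessKeyID string
	Expires     time.Time
}
type Assumer interface{ Assume(profile string) (Creds, error) }
// CachingAssumer wraps one assumer type and reuses its credentials until near expiry.
type CachingAssumer struct {
	Inner Assumer
	Skew  time.Duration    // refresh this long before expiry
	Now   func() time.Time // injectable clock
	store map[string]Creds // in-memory for the demo, keyed by profile
}

func (c *CachingAssumer) Assume(profile string) (Creds, error) {
	if cr, ok := c.store[profile]; ok && c.Now().Add(c.Skew).Before(cr.Expires) {
		return cr, nil
	}
	cr, err := c.Inner.Assume(profile) // the MFA prompt happens here
	if err != nil {
		return Creds{}, err
	}
	if c.store == nil {
		c.store = map[string]Creds{}
	}
	c.store[profile] = cr
	return cr, nil
}

// mfaAssumer simulates an MFA-gated role assumption; Prompts counts MFA entries.
type mfaAssumer struct{ Prompts int }
func (m *mfaAssumer) Assume(profile string) (Creds, error) {
	m.Prompts++ // key ID below is constructed, not a real credential
	return Creds{AccessKeyID: fmt.Sprint("EXAMPLE-", m.Prompts), Expires: time.Now().Add(time.Hour)}, nil
}

func main() {
	inner := &mfaAssumer{}
	c := &CachingAssumer{Inner: inner, Skew: 5 * time.Minute, Now: time.Now}
	c.Assume("someaccount")
	c.Assume("someaccount") // served from cache, no second MFA prompt
	fmt.Println("MFA prompts:", inner.Prompts)
}
```

Assumer types that cannot use a credential store are left unwrapped, so each one keeps its own behaviour.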