Open shwethaumashanker opened 7 months ago
Eric Miller Slack link
Hello, I have a UX note/question for assumed roles. Essentially, I have two profiles:

1. SSO profile. This assumes my IdentityCenter role.
2. Assumed role. This uses profile 1 to assume another role.

Role #1 has `credential_process = granted ...`. Role #2 does not. This has the effect that, when running `assume profile-2`, all of the env vars (e.g. session token) are exported, so when using `assume` the credentials expire after 1h due to role chaining timeouts. I've been using `export AWS_PROFILE=` exclusively, but I'd rather the folks I support could just use `assume` and get the "easy" result.

Two thoughts on how this could be implemented. One, we could implement a recursive function to implement this by default: check the role assumption chain to see if anything uses `credential_process`.
```python
def isCredentialProcess(profile) -> bool:
    # Follow source_profile back to the root of the chain before deciding.
    if profile.sourceProfile is not None:
        return isCredentialProcess(getProfile(profile.sourceProfile))
    return profile.credential_process is not None
```
Two, we could implement a flag in the profile itself, e.g. `granted_default_no_export = true`, that would have the same effect as `credential_process` on what variables are exported.
The recursive function should probably also keep track of the set of profile names in the stack, in order to check for a loop.
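As an added example (not Granted's code, nor the sketch from the Slack message above), here is a Python version of the recursive check with the loop guard suggested above: it parses a constructed `~/.aws/config`, follows `source_profile` links and reports whether any profile in the chain, not only the root, sets `credential_process`. The profile names, account id and role name are constructed placeholders.

```python
import configparser

# Constructed ~/.aws/config for the example; account id and role name are placeholders.
SAMPLE_CONFIG = """[profile sso]
credential_process = granted credential-process --profile sso
[profile chained]
role_arn = arn:aws:iam::222222222222:role/Deploy
source_profile = sso
[profile static]
region = us-east-1
[profile loop-a]
source_profile = loop-b
[profile loop-b]
source_profile = loop-a
"""


class ProfileLoopError(Exception):
    """source_profile references form a cycle."""


def load_profiles(config_text):
    """Parse AWS CLI config text; section '[profile x]' becomes key 'x'."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return {
        (s[len("profile "):] if s.startswith("profile ") else s): dict(parser[s])
        for s in parser.sections()
    }


def chain_uses_credential_process(profiles, name, stack=()):
    """True if `name`, or any profile it chains through via source_profile, sets
    credential_process. `stack` holds visited names so a cycle raises, not recurses."""
    if name in stack:
        raise ProfileLoopError(" -> ".join(stack + (name,)))
    profile = profiles[name]  # KeyError for an unknown profile name
    if "credential_process" in profile:
        return True
    source = profile.get("source_profile")
    if source is None:
        return False
    return chain_uses_credential_process(profiles, source, stack + (name,))


def chain_has_loop(profiles, name):
    """Report a source_profile cycle as a boolean."""
    try:
        chain_uses_credential_process(profiles, name)
    except ProfileLoopError:
        return True
    return False
```

With this check, `assume chained` would be treated like a `credential_process` profile and skip exporting the session variables, while `static` keeps the current behaviour.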