common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Implement recursive function to export only the AWS_PROFILE when using source_profile with credential_process #556

Open shwethaumashanker opened 7 months ago

shwethaumashanker commented 7 months ago

loren Slack link: now that I have assume working, I have an enhancement request... I think that when using assume with a profile configured with source_profile, and that source profile is itself configured to use granted credential_process, then assume should export only the AWS_PROFILE and not the full set of credential envs...

shwethaumashanker commented 5 months ago

Eric Miller Slack link

Hello, I have a UX note/question for assumed roles. Essentially, I have two profiles:

1. SSO profile. This assumes my IdentityCenter role.
2. Assumed role. This uses profile 1 to assume another role.

Role #1 has credential_process = granted .... Role #2 does not. This has the effect that, when running assume profile-2, all of the env vars (e.g. session token) are exported. This has the effect that, when using assume, the credentials expire after 1h due to role chaining timeouts. I've been using export AWS_PROFILE= exclusively, but I'd rather if the folks I support could just use assume and get the "easy" result.

Two thoughts on how this could be implemented. One, we could implement a recursive function to implement this by default. Check the role assumption chain to see if anything uses credential_process.

isCredentialProcess(profile) -> bool:
  # follow the source_profile chain; the profile at the end of the chain decides
  if profile.sourceProfile is not None:
    return isCredentialProcess(getProfile(profile.sourceProfile))
  return profile.credential_process is not None

Two, we could implement a flag in the profile itself, e.g. granted_default_no_export = true that would have the same effect as credential_process on what variables are exported.

sosheskaz commented 5 months ago

The recursive function should probably also keep track of the set of profile names in the stack, in order to check for a loop.
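The chain walk proposed above, with the loop check from the last comment, as an added example; this is not granted's own code. It reads an AWS-style config from a constructed string (the credential_process command value is a placeholder, only the presence of the key matters), and generalises the pseudocode slightly by treating any link in the chain that sets credential_process as a hit.

```python
import configparser

# Constructed sample ~/.aws/config: "sso" uses a credential_process, "chained"
# assumes a role via source_profile = sso, "static" uses neither, and
# "loop-a"/"loop-b" reference each other (the misconfiguration the loop check catches).
SAMPLE_CONFIG = """
[profile sso]
credential_process = granted credential-process --profile sso

[profile chained]
role_arn = arn:aws:iam::123456789012:role/ExampleRole
source_profile = sso

[profile static]
region = us-east-1

[profile loop-a]
source_profile = loop-b

[profile loop-b]
source_profile = loop-a
"""


class ProfileLoop(Exception):
    """Raised when source_profile references form a cycle."""


def load_profiles(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI text into {profile_name: {key: value}}, dropping the 'profile ' prefix."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {s.removeprefix("profile "): dict(parser[s]) for s in parser.sections()}


def uses_credential_process(profiles, name, seen=None) -> bool:
    """True if any profile in the source_profile chain starting at `name` sets credential_process.
    `seen` holds the names already on the recursion stack so a cycle raises instead of recursing forever."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ProfileLoop(f"source_profile cycle at {name!r}: {sorted(seen)}")
    seen.add(name)
    profile = profiles.get(name, {})
    if "credential_process" in profile:
        return True
    source = profile.get("source_profile")
    return source is not None and uses_credential_process(profiles, source, seen)


def env_to_export(profiles, name, creds: dict[str, str]) -> dict[str, str]:
    """Export only AWS_PROFILE when the chain relies on credential_process (so the SDK re-runs it
    on expiry instead of holding a 1h chained session); otherwise export the full credential set."""
    if uses_credential_process(profiles, name):
        return {"AWS_PROFILE": name}
    return {"AWS_PROFILE": name, **creds}
```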