Closed chrnorm closed 2 months ago
To test the PR -
- ~/.cf/config doesn't exist and common_fate_url is not present in the profile (i.e. no access request should be created if you don't have access to a particular role)
- assume will prompt to request access if ~/.cf/config is configured
- assume will prompt to request access, if ~/.cf/config doesn't exist but the profile is set up with a common_fate_url field, e.g.
[profile Sandbox-2/AWSAdministratorAccess]
granted_sso_start_url = https://d-12345abcdef.awsapps.com/start
granted_sso_region = ap-southeast-2
granted_sso_account_id = 123456789012
granted_sso_role_name = AWSAdministratorAccess
common_fate_url = https://commonfate.example.com
credential_process = granted credential-process --profile Sandbox-2/AWSAdministratorAccess
What changed?
Updates the JIT access integration to add support for requesting access to AWS roles via the new Common Fate platform (https://docs.commonfate.io/). This refactor also paves the way for supporting customisable hooks if a user tries to assume a role they don't have access to, as we can check for the NoAccessError error. The hooks could be used to trigger an external CLI or print a message to tell the user to consult some internal documentation.
If common_fate_url is present in a particular profile, this URL will be used to request access:
Why?
Glide is being deprecated - existing JIT integration needs to be updated.
How did you test it?
Tested manually - I've been running this myself for the last few weeks for my own AWS access.
TODOs
granted exp request
Potential risks
May affect existing Glide implementation until TODOs are resolved
Is patch release candidate?
No - minor release
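The three cases in the test plan above, as an added Go example that is not code from this PR or from Granted: it reads a profile's common_fate_url and decides where an access request would go. The names profileValue and accessRequestTarget, the "Plain" profile, and the https-only check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleCfg is a constructed AWS config; the "Plain" profile is made up.
const sampleCfg = `[profile Sandbox-2/AWSAdministratorAccess]
granted_sso_role_name = AWSAdministratorAccess
common_fate_url = https://commonfate.example.com
[profile Plain]
granted_sso_role_name = ReadOnly
`

// profileValue returns key's value inside the [profile <name>] section.
func profileValue(cfg, name, key string) (string, bool) {
	inSection := false
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inSection = line == "[profile "+name+"]"
		} else if k, v, ok := strings.Cut(line, "="); ok && inSection && strings.TrimSpace(k) == key {
			return strings.TrimSpace(v), true
		}
	}
	return "", false
}

// accessRequestTarget (hypothetical): profile URL first, then ~/.cf/config, else "" (no request).
func accessRequestTarget(cfg, name string, cfConfigExists bool) (string, error) {
	if raw, ok := profileValue(cfg, name, "common_fate_url"); ok {
		u, err := url.Parse(raw)
		// Assumption: added hardening, not stated in the PR. A bad URL fails closed
		// instead of silently falling back to ~/.cf/config.
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("common_fate_url %q is not an absolute https URL", raw)
		}
		return u.String(), nil
	}
	if cfConfigExists {
		return "~/.cf/config", nil
	}
	return "", nil
}

func main() {
	fmt.Println(accessRequestTarget(sampleCfg, "Sandbox-2/AWSAdministratorAccess", false))
}
```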