chrnorm
commented
2 months ago To test the PR -
- Ensure existing behaviour is retained when
~/.cf/configdoesn't exist andcommon_fate_urlis not present in the profile (i.e. no access request should be created if you don't have access to a particular role) - Check that running
assumewill prompt to request access if~/.cf/configis configured - Check that running
assumewill prompt to request access, if~/.cf/configdoesn't exist but the profile is set up with acommon_fate_urlfield, e.g.[profile Sandbox-2/AWSAdministratorAccess] granted_sso_start_url = https://d-12345abcdef.awsapps.com/start granted_sso_region = ap-southeast-2 granted_sso_account_id = 123456789012 granted_sso_role_name = AWSAdministratorAccess common_fate_url = https://commonfate.example.com credential_process = granted credential-process --profile Sandbox-2/AWSAdministratorAccess
What changed?
Updates the JIT access integration to add support for requesting access to AWS roles via the new Common Fate platform (https://docs.commonfate.io/). This refactor also paves the way for supporting customisable hooks if a user tries to assume a role they don't have access to, as we can check for the
NoAccessErrorerror. The hooks could be used to trigger an external CLI or print a message to tell the user to consult some internal documentation.If
common_fate_urlis present in a particular profile, this URL will be used to request access:Why?
Glide is being deprecated - existing JIT integration needs to be updated.
How did you test it?
Tested manually - I've been running this myself for the last few weeks for my own AWS access.
TODOs
granted exp requestPotential risks
May affect existing Glide implementation until TODOs are resolved
Is patch release candidate?
No - minor release