Closed admackin closed 2 weeks ago
Thanks for raising this @admackin. Some context: the disadvantage to adding --auto-login
by default is that if Granted is run in a terminal-only environment (say, on an EC2 instance), --auto-login
causes the credential process to hang without printing any output. This is due to a limitation in the AWS CLI, which doesn't print any credential process stderr/stdout until after the credential process finishes executing.
As a workaround, you can currently set a global variable to always automatically login:
granted settings set --setting=CredentialProcessAutoLogin --value true
I am thinking though we should improve our default behaviour to something like the following:
granted sso login
We will need to test that the terminal-only detection works properly though. Any ideas here are most welcome!
Ah yes that all makes sense, thanks @chrnorm ! Is that setting documented anywhere? It would probably cover my use case. I searched on the site and it didn't come up but I may have missed it.
It sounds like until auto login has described behaviour my proposal would only work as an opt in flag to sso populate
then? Your idea sounds much better but I don't have any special expertise to offer on it.
Up to you whether to close this issue
Further to above: can I suggest you document the above setting here? I had a look at opening a PR to do that but it doesn't look like the docs site is open source?
Thanks @admackin, I've added a section to our docs here: https://docs.commonfate.io/granted/recipes/credential-process#global-auto-login.
I've also open sourced our docs here! https://github.com/common-fate/docs. We migrated from Docusaurus to Mintlify a while ago and our initial Mintlify docs repo was closed source. This is now fixed and docs contributions are most welcome.
The Credential Process feature is great, and so is the
--auto-login
flag. However this field is not set when usinggranted sso populate
leading to authentication failures when using auto-generated profiles.I think the flag should be added automatically (is there any disadvantage?), but it might make sense to allow users to opt out