Open mbamber opened 1 month ago
Seems like a good addition to the existing ways to fetch AWS creds. Feel free to contribute if you'd like.
I would like to try it.
Before starting I want to make sure that what you need is:
There is a provider that reads and uses the specified profile from a config file you provided (for example ~/.aws/config) to call get-caller-identity and assume-role to generate a short-term credential.
I don't think we should need to call assume-role here - the AWS SDKs support loading credentials from this file directly - we would just need to essentially copy their implementation
What is the underlying problem you're trying to solve?
When working with OPA I need to supply AWS credentials to download a bundle. Today I do this by providing static environment credentials, but these expire regularly and need to be refreshed.
I can currently generate credentials for AWS via the ~/.aws/config file using a named profile (e.g. aws sts get-caller-identity --profile my-profile) which is helpful when working with multiple accounts/roles which have different levels of permissions and all expire quickly (within the hour).
I have seen #2786 but this only supports credentials sourced from the ~/.aws/credentials file, not the ~/.aws/config file.
Describe the ideal solution
I would like to be able to supply a profile, similar to #2786, which will source credentials from my ~/.aws/config profiles, instead of my ~/.aws/credentials profiles.
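
Added example, not code from this issue, from OPA or from the AWS SDKs: a Go example of the lookup the request implies, resolving a named profile from config-file text (where sections are written [profile NAME], unlike the bare [NAME] of the credentials file) and reporting which setting decides how credentials are obtained. The sample file contents, the account ID and role name, and the function names ResolveProfile and CredentialSource are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of ~/.aws/config; the account ID and role name are placeholders.
const sampleConfig = `[default]
region = eu-west-1
[profile my-profile]
role_arn = arn:aws:iam::111122223333:role/example-role
source_profile = default
`

// ResolveProfile returns the settings of one profile from config-file text.
// Config-file sections are "[profile NAME]"; only "[default]" has no prefix.
func ResolveProfile(config, name string) (map[string]string, error) {
	keys, found, inSection := map[string]string{}, false, false
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			hdr := strings.TrimSpace(line[1 : len(line)-1])
			inSection = hdr == "profile "+name || (hdr == name && name == "default")
			found = found || inSection
		} else if k, v, ok := strings.Cut(line, "="); ok && inSection && !strings.ContainsAny(line[:1], "#;") {
			keys[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if !found {
		return nil, fmt.Errorf("profile %q not found", name)
	}
	return keys, nil
}

// CredentialSource returns the first setting that decides how credentials are obtained.
func CredentialSource(p map[string]string) string {
	for _, k := range []string{"role_arn", "credential_process", "sso_start_url", "aws_access_key_id"} {
		if p[k] != "" {
			return k
		}
	}
	return "none"
}

func main() {
	fmt.Println(ResolveProfile(sampleConfig, "my-profile"))
}
```

A result of role_arn, credential_process or sso_start_url means the profile yields short-lived credentials that a provider has to refresh, while aws_access_key_id means long-lived static keys.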