open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Support Loading AWS Credentials from Config Profiles #6889

Open mbamber opened 1 month ago

mbamber commented 1 month ago

What is the underlying problem you're trying to solve?

When working with OPA I need to supply AWS credentials to download a bundle. Today I do this by providing static environment credentials, but these expire regularly and need to be refreshed.

I can currently generate credentials for AWS via the ~/.aws/config file using a named profile (e.g. aws sts get-caller-identity --profile my-profile), which is helpful when working with multiple accounts/roles that have different levels of permissions and all expire quickly (within the hour).

I have seen #2786 but this only supports credentials sourced from the ~/.aws/credentials file, not the ~/.aws/config file.

Describe the ideal solution

I would like to be able to supply a profile, similar to #2786, which will source credentials from my ~/.aws/config profiles, instead of my ~/.aws/credentials profiles.

ashutosh-narkar commented 1 month ago

Seems like a good addition to the existing ways to fetch AWS creds. Feel free to contribute if you'd like.

yatesliang commented 3 weeks ago

I would like to try it. Before starting, I want to make sure that what you need is: there is a provider that reads and uses the specified profile from a config file you provide (for example ~/.aws/config) to call get-caller-identity and assume-role to generate a short-term credential.

mbamber commented 3 weeks ago

I don't think we should need to call assume-role here; the AWS SDKs support loading credentials from this file directly, so we would just need to essentially copy their implementation.
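The thread turns on a detail that is easy to miss: the ~/.aws/config file uses `[profile NAME]` section headers (only `[default]` is unprefixed), whereas ~/.aws/credentials uses bare `[NAME]` headers, and a config-file profile often holds no static keys at all but a `role_arn` plus a `source_profile` (or a `credential_process` / SSO reference) that the SDK's resolution chain turns into short-lived credentials. The following Go program is an added illustration of that difference; it is not OPA's code, not the AWS SDK's loader, and not a proposed implementation for this issue. The function names (`ParseSharedConfig`, `CredentialSource`, `ResolveChain`) and the sample config text are my own constructions, the parser is deliberately minimal (no quoting, no nested sso-session resolution, no `credential_source` handling), and the account ID, role names and key values are placeholders, not real identities.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Profile holds the key/value pairs of one section of an AWS shared config file.
type Profile map[string]string

// ParseSharedConfig parses INI-style text from ~/.aws/config (isConfigFile=true)
// or ~/.aws/credentials (isConfigFile=false). In the config file, named profiles
// are headed "[profile NAME]" and only "[default]" is unprefixed; other section
// kinds (e.g. "[sso-session NAME]") are skipped. In the credentials file every
// section header is simply "[NAME]". This is a constructed, simplified parser.
func ParseSharedConfig(text string, isConfigFile bool) map[string]Profile {
	profiles := map[string]Profile{}
	var current Profile
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name := strings.TrimSpace(line[1 : len(line)-1])
			if isConfigFile && name != "default" {
				if !strings.HasPrefix(name, "profile ") {
					current = nil // not a profile section: ignore keys until the next header
					continue
				}
				name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
			}
			current = Profile{}
			profiles[name] = current
			continue
		}
		if current == nil {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		current[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return profiles
}

// CredentialSource classifies how a profile yields credentials. Only "static"
// profiles can be used by reading two keys; the other kinds need the SDK's
// resolution chain (STS AssumeRole, an external process, or SSO), which is why
// loading from ~/.aws/config is more than reading ~/.aws/credentials.
func CredentialSource(p Profile) string {
	switch {
	case p["aws_access_key_id"] != "" && p["aws_secret_access_key"] != "":
		return "static"
	case p["role_arn"] != "":
		return "assume_role"
	case p["credential_process"] != "":
		return "process"
	case p["sso_start_url"] != "" || p["sso_session"] != "":
		return "sso"
	default:
		return "unknown"
	}
}

// ResolveChain follows source_profile links from name and returns the profiles
// visited in order. ok is false when a referenced profile is missing or the
// links form a cycle, both of which a loader must reject instead of looping.
func ResolveChain(profiles map[string]Profile, name string) (chain []string, ok bool) {
	seen := map[string]bool{}
	for name != "" {
		if seen[name] {
			return chain, false
		}
		p, found := profiles[name]
		if !found {
			return chain, false
		}
		seen[name] = true
		chain = append(chain, name)
		name = p["source_profile"]
	}
	return chain, true
}

// sampleConfig is a constructed ~/.aws/config; all IDs and keys are placeholders.
const sampleConfig = `# constructed sample, not a real account
[default]
region = us-east-1

[profile base]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER

[profile my-profile]
role_arn = arn:aws:iam::123456789012:role/ExampleRole
source_profile = base
duration_seconds = 3600

[profile loop]
role_arn = arn:aws:iam::123456789012:role/LoopRole
source_profile = loop

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
`

func main() {
	profiles := ParseSharedConfig(sampleConfig, true)
	for _, name := range []string{"default", "base", "my-profile", "loop"} {
		chain, ok := ResolveChain(profiles, name)
		fmt.Printf("%-11s source=%-11s chain=%v ok=%v\n",
			name, CredentialSource(profiles[name]), chain, ok)
	}
}
```

Running it shows `my-profile` resolving through `base` (static keys, then an AssumeRole hop) while `loop` is rejected as a cycle; with `isConfigFile=false` the same parser reads a credentials file whose headers carry no `profile ` prefix.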