Why do credentials default to ~/.aws/credentials ?

[imduffy15]

  --aws-shared-credentials-file  AWS shared credentials file
                                 [default: "/Users/ruimarinho/.aws/credentials"]

This argument enables us to specify a credentials path for gsts to use. I'm confused as to why it globbers the ~/.aws/credentials file rather than creating and using its own file.

gsts uses this file for the storing of temporary credentials, when they expire it renews them. However, when written to this specific file awscli will always prefer the files entry over the credential_process output.

As such, when credentials expire they are not auto renewed.

Flow with using the default ~/.aws/credentials:

• Runs an AWS command
  • gsts gets executed
  • ~/.aws/credentials is generated
  • Runs an AWS command
  • ~/.aws/credentials is read and credentials from there are used
  • Credentials expire
  • Runs an AWS command
  • Command fails
  • Runs an AWS command
  • Command fails
  • ....

Flow with using anything other than ~/.aws/credentials:

• Runs an AWS command
• gsts gets executed
• gsts generates its own credentials file, and returns them to awscli via its --json output
• Runs an AWS command
• gsts reads its own credentials file and returns them to awscli via its --json output
• Credentials expire
• Run an AWS command
• gsts reads its own credentials file, sees the credentials have expired, renews them, saves them, returns them to awscli via its --json output

I believe defaulting this argument to anything other than ~/.aws/credentials would result in a better user experience.

[imduffy15]

Also see https://ben11kehoe.medium.com/never-put-aws-temporary-credentials-in-env-vars-or-credentials-files-theres-a-better-way-25ec45b4d73e

[donfiguerres]

Noting here that using a separate credentials file is mentioned as a workaround in one of the comments in the aws-cli project for the same issue. reference: https://github.com/aws/aws-cli/issues/5109#issuecomment-1277449832

[ruimarinho]

This is a legacy issue when porting over from aws-google-auth. I agree, it doesn't make sense to touch this file.

gsts has been refactored to focus its primary function on serving as good credential_process citizen under https://github.com/ruimarinho/gsts/pull/82, which will be released as the next major. It will automatically output json when not in TTY mode and it will not use ~/.aws/credentials anymore.

Thanks for the feedback!