synfinatic / aws-sso-cli

A powerful tool for using AWS Identity Center for the CLI and web console.
https://synfinatic.github.io/aws-sso-cli/
GNU General Public License v3.0

ssh forward credentials to remote hosts #915

Closed synfinatic closed 1 week ago

synfinatic commented 1 week ago

Is your feature request related to a problem? Please describe.

Imagine a user using ssh to a remote host and wanting to use AWS. Right now, they have to configure aws-sso on each of these hosts and also authenticate on each host.

Describe the solution you'd like

Ideally this should be easy to use... maybe some other kind of credential_process command? Or perhaps via the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable which uses ssh?

Not sure if this is just documentation or tooling at this point. The problem with the container URL trick is you need to "load" the credentials before using and that is a bit annoying. Need to consider the security implications of what is going on.

synfinatic commented 1 week ago

One interesting/questionable option is to use the ECS server feature, but the slots should be well defined (profile name) and so a request to a slot could succeed, even if the slot was not previously "loaded". In a perfect world, users should be prompted before we ask AWS for the creds? The ecs server could even run the open command to get the browser to do SSO.

It's worth noting that named profiles in ~/.aws/config can point to the ECS container via credential_source = EcsContainer and then setting the necessary ENV var. But there does not seem to be any way to specify the URL in the config file! Hence using the credential_process is probably best?
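A sketch of the credential_process route the last comment leans toward, as an added example that is not part of aws-sso-cli: a helper that reads AWS_CONTAINER_CREDENTIALS_FULL_URI (for instance an ssh-forwarded loopback port in front of an ECS-style server), refuses any URI that is not loopback-http or https (the same rule the AWS SDKs apply to that variable), and rewrites the endpoint's reply into the JSON shape credential_process expects. The endpoint URL, the sample reply and the script path are assumptions.

```python
import json
import os
import sys
import urllib.request
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample of what an ECS-style endpoint returns (not real keys).
SAMPLE_ECS_REPLY = {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}

def container_uri_is_safe(uri: str) -> bool:
    """Same rule the AWS SDKs apply to AWS_CONTAINER_CREDENTIALS_FULL_URI:
    plain http only to loopback, anything else must be https. Keeps an
    ssh-forwarded credential endpoint from being reachable off-host."""
    parts = urlparse(uri)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS

def ecs_to_credential_process(ecs: dict) -> dict:
    """The container endpoint calls the session token 'Token'; credential_process
    v1 expects 'SessionToken' plus a Version field."""
    for key in ("AccessKeyId", "SecretAccessKey", "Token"):
        if key not in ecs:
            raise ValueError(f"container credential reply missing {key}")
    out = {"Version": 1, "AccessKeyId": ecs["AccessKeyId"],
           "SecretAccessKey": ecs["SecretAccessKey"], "SessionToken": ecs["Token"]}
    if "Expiration" in ecs:  # lets the CLI cache and refresh before expiry
        out["Expiration"] = ecs["Expiration"]
    return out

def fetch_credentials(uri: str, auth_token: str = "") -> dict:
    """GET the endpoint; AWS_CONTAINER_AUTHORIZATION_TOKEN, if set, goes in Authorization."""
    if not container_uri_is_safe(uri):
        raise ValueError(f"refusing non-loopback, non-https credential URI: {uri}")
    req = urllib.request.Request(uri)
    if auth_token:
        req.add_header("Authorization", auth_token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return ecs_to_credential_process(json.load(resp))

if __name__ == "__main__":  # invoked by the AWS CLI via credential_process
    json.dump(fetch_credentials(os.environ["AWS_CONTAINER_CREDENTIALS_FULL_URI"],
              os.environ.get("AWS_CONTAINER_AUTHORIZATION_TOKEN", "")), sys.stdout)
```

Wired in as `credential_process = /path/to/this-helper.py` under a profile in ~/.aws/config (path assumed), the CLI gets the URL from the environment, which is the piece the config file cannot carry on its own.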