Closed tzz closed 11 years ago
Is your thought that the credentials should be secure, so that interactive use would obtain the key from the user or the user's session? Many people use "aws" in scripts, in which case, securing the credentials doesn't make sense, unless I am misunderstanding your goal.
Also, please confirm that you are familiar with IAM, which lets you create credentials that restrict the activity.
I don't use IAM but know about it. The `aws` docs lean towards storing credentials locally unencrypted (either in the command history or in a file). This works fine for most people, of course, but some don't want to do it, and don't want to invest into a full IAM setup. So: a `.gpg` file, assuming the user knows what he's doing. The `.authinfo` and `.netrc` formats are simply a convenience for those, like me, that keep all their credentials in a single file instead of a special file for each application.
Thanks for the additional details on your use cases. I do see how the encryption is interesting. Unfortunately, I'm swamped with my startup, and I don't see myself adding this feature any time soon. I would be interested in merging it if somebody else implemented it.
I'll think about it some more.
I can definitely add `.authinfo` and `.netrc` parsing and document it. I just need you to decide how the option should be specified: should it automagically use them if `.awssecrets` is not available? Or explicitly somehow?
I can also add the GPG calls, again if you tell me how it should be configured. I assume it's OK to just exec("gpg") and rely on the PATH to be right? Or do you want it to be something specific, like `curl` is specified?
I can also write the Git credential plugin. It definitely needs to be configured with `(protocol, host, path)`. Those should be mapped into `aws`, perhaps simply `protocol = aws`, `host = aws`, and `path` is empty. Or they could be configurable from the command line.
It should simply automatically detect the other sources of keys. You'll see code already there that makes a decision about several different sources for the keys.
I suppose it's ok to rely on the path. I do believe it relies on the path to find curl, though it might have to do some fiddling to support Windows. I don't recall the details. (But that's the great thing about interpreted languages... it's all right there.)
Keep in mind I don't like dependencies. People should be able to download and run it without installing anything else. (curl is already there in most cases.) I did just merge JSON support that loads modules only if needed, but most people won't use that feature, so it's invisible to them.
I won't add module dependencies for any of this. Let me know what parts of my proposal you'd like me to implement and I'll do it as a pull request (multiples, if possible). I don't want to assume you're OK with all of it, so better to be explicit. :)
Thanks.
Ted,
It all sounds good, as long as it isn't a lot of code... Load time for "aws" is already a problem.
...Tim
On Fri, Feb 1, 2013 at 8:58 AM, Ted Zlatanov notifications@github.com wrote:
> I won't add module dependencies for any of this. Let me know what parts of my proposal you'd like me to implement and I'll do it as a pull request (multiples, if possible). I don't want to assume you're OK with all of it, so better to be explicit. :)
> Thanks.
> Reply to this email directly or view it on GitHub: https://github.com/timkay/aws/issues/39#issuecomment-13002969
Timothy Kay, m: +1-650-248-0123, Skype: timkay, Boopsie - Why search when you can FIND!
OK, just the Git credential support is left. I am writing the netrc credential helper itself; the way it works is that you call `git-credential-netrc --file AUTHFILE get` and then you print to the helper `host=X\nusername=Y`. In response the helper will print whatever it finds that matches those criteria. I'll update here when I propose it to the Git folks. Thanks.
I've now implemented all the items I listed in this issue, so if you accept pull request #41, this issue can be closed as well.
This is done, I think.
Currently `~/.awssecrets` is unencrypted, which is a pain. I propose:
- `~/.awssecrets.gpg`, which is decrypted through GPG
- `~/.authinfo` and `~/.netrc` (format TBD, also should support .gpg extension)
- `aws` could talk that protocol, see http://www.kernel.org/pub/software/scm/git/docs/technical/api-credentials.html (the idea being that this supports secure credential storage outside the `aws` codebase, simplifying things)
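The three sources proposed above and the helper exchange described earlier in the thread (`--file AUTHFILE get` on the command line, `host=X\nusername=Y` on stdin, matching lines back on stdout) put together as an added worked example in Python. This is not code from timkay/aws or from git-credential-netrc. It assumes the git-credential line format of key=value pairs ended by a blank line, exec's a `gpg` binary found on PATH for a `.gpg` file as the thread suggests, and treats the .authinfo `port` token as having to match the request's `protocol` attribute, which is a simplification. The sample secrets text and every value in it are constructed.

```python
"""Added example, not code from timkay/aws or git-credential-netrc.

Parse netrc/.authinfo text, decrypt a *.gpg file through the gpg binary on
PATH, and answer a git-credential "get" request (key=value lines in,
key=value lines out). The sample file and its values are constructed.
"""
import shlex
import subprocess
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample; "port" is the .authinfo extension to plain netrc syntax.
SAMPLE_AUTHINFO = """\
# comment lines are ignored
machine aws login AKIAEXAMPLEKEY password examplesecret
machine github.com port https login tzz password placeholder-token
default login anonymous password user@example.org
"""

FIELDS = ("login", "password", "account", "port")


def parse_netrc(text: str) -> List[Dict[str, str]]:
    """Turn netrc/.authinfo text into a list of {"machine": ..., "login": ...} dicts.

    "machine NAME" or "default" opens an entry; login/password/account/port
    fill it. A trailing keyword without a value is ignored instead of raising.
    """
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "default":
                current = {"machine": "default"}
                entries.append(current)
                i += 1
                continue
            if i + 1 >= len(tokens):
                break  # keyword with no value
            if tok == "machine":
                current = {"machine": tokens[i + 1]}
                entries.append(current)
            elif tok in FIELDS and current is not None:
                current[tok] = tokens[i + 1]
            i += 2
    return entries


def load_secrets(path: Path) -> List[Dict[str, str]]:
    """Read a secrets file; *.gpg is decrypted by exec'ing gpg found on PATH."""
    if path.suffix == ".gpg":
        # --batch: never prompt; --quiet: keep stdout to the plaintext only
        proc = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt", str(path)],
                              check=True, capture_output=True)
        text = proc.stdout.decode()
    else:
        text = path.read_text()
    return parse_netrc(text)


def parse_request(request: str) -> Dict[str, str]:
    """Parse the key=value lines a git credential client writes; a blank line ends them."""
    attrs: Dict[str, str] = {}
    for line in request.splitlines():
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def lookup(entries: List[Dict[str, str]], attrs: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Pick the entry for the requested host.

    A requested username must equal the entry's login; an entry port must equal
    the requested protocol (simplification). "default" is used only when no
    entry names the host, so a mismatch on a named host does not fall back.
    """
    host = attrs.get("host")
    for_host = [e for e in entries if e["machine"] == host]
    if not for_host:
        for_host = [e for e in entries if e["machine"] == "default"]
    for entry in for_host:
        if "username" in attrs and entry.get("login") != attrs["username"]:
            continue
        if "port" in entry and "protocol" in attrs and entry["port"] != attrs["protocol"]:
            continue
        return entry
    return None


def credential_get(entries: List[Dict[str, str]], request: str) -> str:
    """Answer a git-credential 'get': username/password lines, or '' when nothing matches."""
    match = lookup(entries, parse_request(request))
    if match is None:
        return ""
    pairs = (("username", "login"), ("password", "password"))
    return "\n".join(f"{key}={match[field]}" for key, field in pairs if field in match) + "\n"


if __name__ == "__main__":
    # Same CLI shape as in the thread: helper --file AUTHFILE get < request
    argv = sys.argv[1:]
    secrets = Path(argv[argv.index("--file") + 1] if "--file" in argv else "~/.authinfo")
    if argv and argv[-1] == "get":
        sys.stdout.write(credential_get(load_secrets(secrets.expanduser()), sys.stdin.read()))
```

Run it as `python helper.py --file ~/.authinfo.gpg get` with the request on stdin; a plain `~/.netrc` goes through the same parser. The `default` entry is deliberately only a fallback for hosts no entry names, so a wrong username for a named host yields an empty answer rather than the default entry's password.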