Open rpattcorner opened 1 year ago
Hi @rpattcorner,
In our use case, role chaining is accomplished using native AWS CLI features, e.g.:

```ini
[profile base-adfs-profile]
credential_process=aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout

[profile chained-profile]
role_arn = arn:aws:iam::2345678912345:role/my-role
source_profile = base-adfs-profile
```

Regarding `credential_process`, it is the responsibility of the invoked command to cache credentials if desired:

> Note: The AWS CLI does not cache external process credentials the way it does assume-role credentials. If caching is required, you must implement it in the external process.

See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
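Since the CLI runs the `credential_process` command every time it needs credentials for that profile and never caches the result itself, the caching has to live in the process it invokes. The script below is an added example (not part of aws-adfs or the AWS CLI) of a small wrapper that sits in front of the login command from the profile above: it returns a cached Version 1 credential document while it is still fresh, re-runs the wrapped command when the cached one is about to expire, and stores the cache with owner-only permissions because it contains a session secret. The wrapped command, the cache location under `~/.aws/credential-cache/` and the five-minute refresh margin are assumptions for the example.

```python
"""cached_login.py: a credential_process wrapper that caches what it obtains.

Added example, not code from aws-adfs or the AWS CLI. It assumes the wrapped
command (by default the `aws-adfs login ... --stdout` line from the profile
above) prints a credential_process JSON document on stdout:
{"Version": 1, "AccessKeyId": ..., "SecretAccessKey": ..., "SessionToken": ...,
 "Expiration": "2024-01-01T12:00:00Z"}
"""
import hashlib
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Callable, Optional

# Refresh this long before the cached credentials actually expire, so a
# command started just before expiry still has a usable token (assumed value).
REFRESH_MARGIN = timedelta(minutes=5)


def parse_expiration(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_fresh(creds: dict, now: datetime, margin: timedelta = REFRESH_MARGIN) -> bool:
    """True when the cached document stays valid for at least `margin` longer."""
    try:
        expiration = parse_expiration(creds["Expiration"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed expiration: treat as stale
    return expiration - now > margin


def read_cache(path: Path) -> Optional[dict]:
    """Load the cached document, or None if absent or unreadable."""
    try:
        return json.loads(path.read_text())
    except (OSError, ValueError):
        return None


def write_cache(path: Path, creds: dict) -> None:
    """Write the document atomically with mode 0600: it holds a session secret."""
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_suffix(".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.replace(tmp, path)


def run_login(command: list) -> dict:
    """Invoke the real login command and validate the credential JSON it prints."""
    out = subprocess.run(command, check=True, capture_output=True, text=True).stdout
    creds = json.loads(out)
    if creds.get("Version") != 1 or "AccessKeyId" not in creds:
        raise ValueError("wrapped command did not return a Version 1 credential document")
    return creds


def get_credentials(cache_path: Path, fetch: Callable[[], dict],
                    now: Optional[datetime] = None) -> dict:
    """Return cached credentials while fresh; otherwise fetch, cache and return new ones."""
    now = now or datetime.now(timezone.utc)
    cached = read_cache(cache_path)
    if cached is not None and is_fresh(cached, now):
        return cached
    creds = fetch()
    write_cache(cache_path, creds)
    return creds


if __name__ == "__main__":
    # Usage in ~/.aws/config (assumed layout):
    #   credential_process = python3 cached_login.py aws-adfs login --region=us-east-1 \
    #       --role-arn=arn:aws:iam::1234567891234:role/example-role \
    #       --adfs-host=adfs.example.com --stdout
    login_cmd = sys.argv[1:]
    if not login_cmd:
        sys.exit("usage: cached_login.py <login command...>")
    # One cache file per distinct command line, so different roles never share a cache.
    key = hashlib.sha256(" ".join(login_cmd).encode()).hexdigest()[:16]
    cache = Path.home() / ".aws" / "credential-cache" / f"{key}.json"
    print(json.dumps(get_credentials(cache, lambda: run_login(login_cmd))))
```

The wrapper only prints the JSON document on stdout, which is all the CLI reads; diagnostics from the wrapped command stay on its own stderr. Because the cache is keyed by the full command line, a second profile pointing at another role ARN gets its own file rather than reusing the first role's session.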
Many thanks @pdecat. That's really helpful!

`aws-adfs` offers some serious advantages over our current bash scripting for AD-based credentials. But for it to be useful in the use cases I have, I'll need to extend it ... either from the outside (in a script wrapper) or by forking and extending (obviously harder!). How have people extended it up to now architecturally?

The main issue and use case is role chaining. There is a series of accounts that users access by:

This architecture is quite common with the advent of AWS Organizations and account-per-project architectures. So I wonder if anyone solved this chaining scenario using `aws-adfs`?

If not:

`--printenv`. I assume that's the way to move forward in a wrapper script?

`aws-adfs` do the chaining? If so, is there an obvious place to put the secondary configuration, e.g. all role arns the initial role can chain to

Then there's time limits, especially with role chaining. I see from your example that `aws-adfs` can be placed (manually?) in the ~/.aws/config like this:

but it's not clear from the AWS doc how that command is activated. Is this `credential_process` something that is somehow automatically run as temporary creds expire? How is that line processed/run/made effective?

If we were able to usably extend to chained roles, `credential_process` might solve the problem of long-running jobs dying after the statutory one hour lifetime on chained creds.

Anyway, thoughts welcome! Thanks for a great capability!