aws-adfs offers some serious advantages over our current bash scripting for AD-based credentials. But for it to be useful in the use cases I have, I'll need to extend it ... either from the outside (in a script wrapper) or by forking and extending (obviously harder!). How have people extended it up to now architecturally?
The main issue and use case is role chaining. There is a series of accounts that users access by:
1. Authenticating with AD (scripted), which accesses a neutral role with only privileges to assume other roles in other accounts
2. Chaining to target roles in the target accounts using the initial AD role assume credentials
This architecture is quite common with the advent of AWS Organizations and account-per-project architectures. So I wonder if anyone solved this chaining scenario using aws-adfs?
If not:
1. I see current code can write the temporary creds to the usual environment variables for postprocessing via --printenv. I assume that's the way to move forward in a wrapper script?
2. Is there an obvious point in code to internally extend the functionality and have aws-adfs do the chaining? If so, is there an obvious place to put the secondary configuration, e.g. all role arns the initial role can chain to?
3. Is there an existing mode where current code can be addressed as a python library from a custom python wrapper?
4. Other thoughts?
Then there are time limits, especially with role chaining. I see from your example that aws-adfs can be placed (manually?) in the ~/.aws/config like this:
but it's not clear from the AWS doc how that command is activated. Is this credential_process something that is somehow automatically run as temporary creds expire? How is that line processed/run/made effective?
If we were able to usably extend to chained roles, credential_process might solve the problem of long-running jobs dying after the statutory one hour lifetime on chained creds.
Anyway, thoughts welcome! Thanks for a great capability!
Regarding credential_process, it is the responsibility of the invoked command to cache credentials if desired:
Note: The AWS CLI does not cache external process credentials the way it does assume-role credentials. If caching is required, you must implement it in the external process.
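A concrete shape for the wrapper approach asked about in the issue, combined with the caching the reply says a credential_process must do itself. This is an added example, not code from aws-adfs or from the issue author. It assumes the base (AD) role's temporary credentials are already exported in the environment (for instance from aws-adfs with --printenv) so boto3 uses them, that a hypothetical TARGET_ROLE_ARN variable names the role to chain into, and that the STS call is injectable so the cache logic can run offline with a constructed stand-in. The cache file path and the five-minute refresh margin are choices of this example, not anything the project prescribes.

```python
#!/usr/bin/env python3
"""credential_process helper that chains from an AD-obtained base role to a target role.

Added example for the aws-adfs issue discussion; not part of aws-adfs and not the
issue author's wrapper. Assumptions (not taken from the issue):
  - the base role's temporary credentials are already in the environment, e.g.
    exported from aws-adfs --printenv, so boto3 picks them up automatically;
  - TARGET_ROLE_ARN (hypothetical variable name) holds the role to chain into;
  - the STS call is injectable so the caching logic can be exercised offline.
"""
import json
import os
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

DEFAULT_CACHE_DIR = Path.home() / ".aws" / "chain-cache"  # assumed location
REFRESH_MARGIN = timedelta(minutes=5)  # re-assume before the CLI sees an expired session
CHAIN_MAX_SECONDS = 3600               # STS caps role-chained sessions at one hour


def assume_role_with_sts(role_arn, session_name, duration_seconds):
    """Real STS call. boto3 is imported lazily so the module loads without it."""
    import boto3  # assumed to be installed in the real environment
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration_seconds
    )
    c = resp["Credentials"]
    return {
        "AccessKeyId": c["AccessKeyId"],
        "SecretAccessKey": c["SecretAccessKey"],
        "SessionToken": c["SessionToken"],
        "Expiration": c["Expiration"].isoformat(),  # tz-aware datetime -> ISO 8601
    }


def make_fake_sts(calls, seconds_valid=CHAIN_MAX_SECONDS):
    """Constructed stand-in for STS used for offline demonstration and tests.
    Records every invocation in `calls` and returns obviously fake credentials."""
    def fake(role_arn, session_name, duration_seconds):
        calls.append((role_arn, session_name, duration_seconds))
        expires = datetime.now(timezone.utc) + timedelta(seconds=seconds_valid)
        return {
            "AccessKeyId": "ASIAEXAMPLEFAKEKEY",
            "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-session-token",
            "Expiration": expires.isoformat(),
        }
    return fake


def cache_path(role_arn, cache_dir):
    """One cache file per target role; ARN characters unsafe in file names are replaced."""
    safe = role_arn.replace(":", "_").replace("/", "_")
    return Path(cache_dir) / f"{safe}.json"


def clear_cache(role_arn, cache_dir=DEFAULT_CACHE_DIR):
    try:
        cache_path(role_arn, cache_dir).unlink()
    except FileNotFoundError:
        pass


def load_cached(path, now):
    """Return cached credentials only if they stay valid beyond the refresh margin."""
    try:
        data = json.loads(path.read_text())
    except (FileNotFoundError, ValueError):
        return None
    expires = datetime.fromisoformat(data["Expiration"])
    if expires - now < REFRESH_MARGIN:
        return None
    return data


def store_cached(path, creds):
    """Write atomically with owner-only permissions: the file holds live secrets."""
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_suffix(".tmp")
    tmp.write_text(json.dumps(creds))
    os.chmod(tmp, 0o600)
    tmp.replace(path)


def chained_credentials(role_arn, assume=assume_role_with_sts,
                        cache_dir=DEFAULT_CACHE_DIR, session_name="aws-adfs-chain"):
    """Return the credential_process JSON document (as a dict) for role_arn,
    reusing a cached chained session when one is still fresh enough."""
    now = datetime.now(timezone.utc)
    path = cache_path(role_arn, cache_dir)
    creds = load_cached(path, now)
    if creds is None:
        creds = assume(role_arn, session_name, CHAIN_MAX_SECONDS)
        store_cached(path, creds)
    # "Version": 1 plus Expiration is the contract the CLI/SDK expect from the process.
    return {"Version": 1, **creds}


if __name__ == "__main__":
    target = os.environ.get("TARGET_ROLE_ARN")
    if not target:
        sys.exit("TARGET_ROLE_ARN not set")
    json.dump(chained_credentials(target), sys.stdout)
```

To use it, point a profile in ~/.aws/config at the script with a `credential_process = /path/to/this-script.py` entry (a hypothetical path); the CLI and SDKs run the process whenever that profile needs credentials and run it again once the returned Expiration has passed, which is why the on-disk cache matters: without it every command would perform a fresh AssumeRole. The one-hour cap on the chained session is an STS property, so a job longer than an hour still depends on the SDK re-invoking the process at expiry rather than on a longer-lived credential.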