Use Case
We would like to have the ability to use an external credentials process to authenticate with AWS.
The specific use case we encountered was that of an initially unprivileged user assuming a privileged role that requires MFA authentication. By using the AWS CLI's aws configure export-credentials feature, it is possible to delegate the MFA authentication to the CLI, and then reuse the CLI's cached session token.
This feature would mostly be helpful for interactive CLI users of Bolt, but the general purpose nature of the external mechanism might apply to other cases as well.
Describe the Solution You Would Like
A new parameter causes the inventory plugin to run an external process credentials command and use the resulting session token for accessing the AWS API.
Describe Alternatives You've Considered
Attempts to use a static credentials file with the credential_process setting resulted in uninitialized class variable errors. Attempts to generate a static credentials file containing a session token obtained from aws configure export-credentials also failed.
After these failures it seemed worth seeing if the desired behavior of using aws configure export-credentials (particularly the CLI session cache) could be added directly to the inventory plugin. Adding an alternative credential_process parameter that uses the underlying AWS SDK function proved to work in our environment. The result is submitted in PR #23.
I can report that since I submitted this PR, we have successfully used the inventory plugin with AWS SSO based CLI sessions. Again, please let me know if there is anything I can do to assist with the review.
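The mechanism requested in the issue above, as an added example that is not code from PR #23 or from the plugin: run an external credentials command without a shell and validate the JSON it prints before the session token is used. The helper names and the sample values are assumptions constructed for illustration.

```ruby
require 'json'
require 'open3'
require 'time'

# Hypothetical helpers, not the plugin's code. Constructed sample of the JSON
# document a credential process prints on stdout (all values are fake).
SAMPLE_OUTPUT = <<~JSON
  {
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret-key",
    "SessionToken": "constructed-session-token",
    "Expiration": "2099-01-01T00:00:00Z"
  }
JSON

# Validate the process output before any of it is used to sign API calls.
def parse_process_credentials(raw, now: Time.now)
  doc = JSON.parse(raw)
  raise ArgumentError, 'output must be a JSON object' unless doc.is_a?(Hash)
  raise ArgumentError, "unsupported Version #{doc['Version'].inspect}" unless doc['Version'] == 1

  missing = %w[AccessKeyId SecretAccessKey].reject { |k| doc[k].is_a?(String) && !doc[k].empty? }
  raise ArgumentError, "missing fields: #{missing.join(', ')}" unless missing.empty?

  # Expiration is optional; when present, refuse a token that has already lapsed.
  expiration = doc['Expiration'] && Time.iso8601(doc['Expiration'])
  raise ArgumentError, 'credentials already expired' if expiration && expiration <= now

  { access_key_id: doc['AccessKeyId'], secret_access_key: doc['SecretAccessKey'],
    session_token: doc['SessionToken'], expiration: expiration }
end

# Run the command as an argument vector so no shell ever parses it.
# stderr is reported on failure; stdout (the secrets) is never logged.
def run_credential_process(argv)
  raise ArgumentError, 'argv must be a non-empty Array' unless argv.is_a?(Array) && !argv.empty?

  stdout, stderr, status = Open3.capture3([argv[0], argv[0]], *argv.drop(1))
  raise "credential process failed (#{status.exitstatus}): #{stderr.strip}" unless status.success?

  parse_process_credentials(stdout)
end

creds = parse_process_credentials(SAMPLE_OUTPUT)
puts "key #{creds[:access_key_id]} valid until #{creds[:expiration].utc.iso8601}"
# With the AWS CLI installed, the command from the issue would be passed as:
#   run_credential_process(%w[aws configure export-credentials])
```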