Proposal: Feature for automatically getting STS token via a configurable command #1019

Open
msabramo opened this issue Mar 11, 2017 · 4 comments
Labels
automation-exempt feature-request This issue requests a feature. p3 This is a minor priority issue sts

Comments

@msabramo
Contributor

I was going to look into implementing this and sending a PR but wanted to check if it's a good idea first.

I'd love if I could set in ~/.aws/config a key called get_token_command or such (open to a better name...). If the user does an AWS operation and gets back a "security token expired" error, then boto would invoke the configured command.

This is basically taking the idea of https://github.com/msabramo/aws-cli-get-token-command and pushing it down into boto, so that it can work with AWS CLI but also other Python programs that use boto.

What do folks think?

@JordonPhillips
Contributor

Automating away MFA kind of defeats the point. I can understand wanting a longer expiration time, but having a process automatically grabbing a new token isn't actually any different than just having a fixed policy with credentials scoped to what you need. You still have the power to rotate / revoke credentials when necessary.

Can I ask what your use case is? It could be that I'm missing something.

@JordonPhillips JordonPhillips added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Mar 13, 2017
@msabramo
Contributor Author

Yeah, so we have an internal tool where we authenticate to our corporate system and it hands out a 1 hour session token for AWS CLI operations. This tool was designed as a Web UI and uses browser cookies, and depending on whether or not your session is still valid, it might just give you the session token no questions asked or it may ask you to log in with username and password and/or it may require MFA (I think it requires the MFA every 12 hours). However, we also have a command-line program that is able to spin up the web browser and grab the session token automatically, if you already have valid browser cookies and the authentication is not necessary yet.

So my hope here was to have a way to make boto fire off this command when my session token is expired. In most cases, this would hit the browser, get good cookies and automatically get a new session token and then rerun the operation.

@JordonPhillips JordonPhillips removed closing-soon This issue will automatically close in 4 days unless further comments are made. needs-discussion others-chime-in labels Jul 21, 2017
@JordonPhillips
Contributor

Ah, so like being able to call off to another process to provide credentials / tokens. That makes a lot of sense and would be super useful for a number of other things.

@saskell

saskell commented Sep 9, 2018

I ran into a situation where this idea could have helped.

OR... if STS Temporary tokens were being used, boto could keep track of the expiration time, and when that time is hit it re-reads the ~/.aws/credentials file to see if some other process has updated the credentials. If the credentials have been updated then it uses them.
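
A sketch of the refresh-by-command idea discussed in this thread, added here as an example; it is not part of any comment above and is not boto's code. It tracks the expiration time and re-runs a helper shortly before expiry, invoking the helper without a shell, with a timeout, and rejecting malformed or already-expired output. The class name, the JSON field names (modelled on the AWS `credential_process` output format) and the sample helper are assumptions.

```python
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # refresh this long before expiry
REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

# Constructed stand-in for the internal token tool described in the thread.
SAMPLE_SCRIPT = (
    "import json, datetime as d;"
    "e = d.datetime.now(d.timezone.utc) + d.timedelta(hours=1);"
    "print(json.dumps({'AccessKeyId': 'ASIACONSTRUCTED', "
    "'SecretAccessKey': 'constructed-secret', 'SessionToken': 'constructed-token', "
    "'Expiration': e.strftime('%Y-%m-%dT%H:%M:%SZ')}))"
)
SAMPLE_COMMAND = [sys.executable, "-c", SAMPLE_SCRIPT]


class CommandCredentialProvider:
    """Caches session credentials; re-runs the helper command near expiry."""
    def __init__(self, argv, timeout=30):
        self._argv = list(argv)  # argv list: the helper is never run via a shell
        self._timeout = timeout
        self._creds = None
        self.invocations = 0

    def _run_helper(self):
        self.invocations += 1
        proc = subprocess.run(self._argv, capture_output=True, text=True,
                              timeout=self._timeout, check=False)
        if proc.returncode != 0:
            # Report only the exit code; helper output may contain secrets.
            raise RuntimeError(f"credential helper exited {proc.returncode}")
        try:
            data = json.loads(proc.stdout)
            expiry = datetime.fromisoformat(data["Expiration"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            raise RuntimeError("helper output is not valid credential JSON") from None
        if any(not data.get(k) for k in REQUIRED):
            raise RuntimeError("helper output is missing required fields")
        if expiry.tzinfo is None or expiry <= datetime.now(timezone.utc):
            raise RuntimeError("helper returned expired or zone-less credentials")
        return {**data, "Expiration": expiry}

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._creds is None or now >= self._creds["Expiration"] - REFRESH_MARGIN:
            self._creds = self._run_helper()
        return self._creds
```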

@swetashre swetashre added the auto-label-exempt Issue will not be subject to stale-bot label Aug 13, 2020
@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Sep 23, 2021
@kdaily kdaily added automation-exempt and removed closing-soon This issue will automatically close in 4 days unless further comments are made. auto-label-exempt Issue will not be subject to stale-bot labels Sep 23, 2021
@boto boto deleted a comment from github-actions bot Sep 23, 2021
@aBurmeseDev aBurmeseDev added the p3 This is a minor priority issue label Nov 8, 2022
7 participants