Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support passing in a credential-helper-cmd #5164

Draft
wants to merge 5 commits into
base: master
from

Conversation

@Sutto
Copy link
Collaborator

Sutto commented Dec 11, 2019

We have a situation where we assume a role in another account from where
the command is run, and want to allow using credentials for said account.

We can't use assumption directly in C7N - There are situations where we want
our additional capabilitys - and passing in credentials as environment
variables doesn't include refreshability.

This adds a new binary argument, which specifies a commnand to invoke

  • allowing us to implement custom, refreshable auth using a command line
    program.
We have a situation where we assume a role in another account from where
the command is run, and want to allow using credentials for said account.

We can't use assumption directly in C7N - There are situations where we want
our additional capabilitys - and passing in credentials as environment
variables doesn't include refreshability.

This adds a new binary argument, which specifies a commnand to invoke
- allowing us to implement custom, refreshable auth using a command line
program.
@kapilt

This comment has been minimized.

Copy link
Collaborator

kapilt commented Dec 11, 2019

Could you clarify the inability to assume using c7n builtin support for that re

We can't use assumption directly in C7N - There are situations where we want
our additional capabilitys - and passing in credentials as environment
variables doesn't include refreshability.

We generally don't add one off deployment hacks, while I appreciate this was done in a general way, its unclear why it would be useful to any other user. There's also the notion that this would need to be stripped for lambda configuration since we upload cli flags by default there.

@Sutto Sutto force-pushed the Sutto:credential-helper-program branch from 0662726 to ac7ccb5 Jan 13, 2020
@Sutto Sutto force-pushed the Sutto:credential-helper-program branch from dd301a1 to 86d2014 Jan 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.