The Credential Process assumer should only set AWS_PROFILE, not other variables #263

Open
chrnorm opened this issue Sep 26, 2022 · 2 comments
Contributor

chrnorm commented Sep 26, 2022

If users have a credential_process configured, the AWS CLI automatically handles refreshing credentials when they expire.

[profile my-profile]
credential_process = some-other-cli

However, when running assume my-profile the AWS CLI will not automatically refresh credentials. This is because we are exporting AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

We should detect if a credential_process is in use and then only set AWS_PROFILE. We should not set any of the env vars listed above, as they cause the AWS CLI to not automatically refresh credentials.
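The detection proposed in the issue description above, as an added example that is not part of the original issue or the project's code. The function names, the `static-profile` entry and the placeholder credential values are constructed for illustration, and unsetting stale static variables left over from an earlier assume is an assumption of this example.

```python
import configparser
import shlex

# The issue reports that exporting these stops the AWS CLI from refreshing
# credentials through the profile's credential_process.
STATIC_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed sample of an AWS config file; my-profile is the one from the issue.
SAMPLE_CONFIG = """\
[profile my-profile]
credential_process = some-other-cli

[profile static-profile]
region = us-east-1
"""

# Constructed placeholder values, not real credentials.
FAKE_CREDS = {name: "EXAMPLE_" + name for name in STATIC_VARS}


def uses_credential_process(config_text, profile):
    """True if the named profile in the config text sets credential_process."""
    parser = configparser.ConfigParser(interpolation=None)  # commands may contain '%'
    parser.read_string(config_text)
    # Every profile except "default" is headed "[profile NAME]" in the config file.
    section = "default" if profile == "default" else f"profile {profile}"
    return parser.has_option(section, "credential_process")


def plan_environment(config_text, profile, creds):
    """Return (variables to export, variables to unset) for the profile."""
    if uses_credential_process(config_text, profile):
        # Only AWS_PROFILE is set; stale static values are cleared (assumption).
        return {"AWS_PROFILE": profile}, list(STATIC_VARS)
    # No credential_process: export the static credentials as before.
    return {name: creds[name] for name in STATIC_VARS}, []


def render_shell(export, unset):
    """Render the plan as shell lines that a wrapper could eval."""
    lines = [f"unset {name}" for name in unset]
    lines += [f"export {key}={shlex.quote(value)}" for key, value in export.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_shell(*plan_environment(SAMPLE_CONFIG, "my-profile", FAKE_CREDS)))
```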

@tomharrisonjr

@chrnorm -- this would be a really valuable feature, potentially solving several problems in one shot, I think:

  • needless refresh, as noted in the description
  • multiple terminal windows open with env vars that report AWS_SESSION_EXPIRATION relative to their last refresh, rather than the most recent one
  • incompatibilities with tools that are configured to use profiles ... but pick up the env vars instead (and again, could be multiples if you have multiple terminal windows open)

@ajonnavi

+1 to this request. We have been trying to adopt this tool org wide, and having to --export on every terminal window is painful. It would be great if the option could only populate the credentials file and set AWS_PROFILE variable.
