Adapter based AuthCache and including caches in project supervision tree #588
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Well rats, I wished this got developed. I have a need for AssumeRoleWithWebIdentity and requires querying STSAssumeRole. Chances are, AWS will continue to come up with more auth methods. |
|
Hey - since this doesn't seem to have progressed in a few years, I'm going to close it. @kingoftheknoll thanks for the thoughtful contribution - I'd definitely be interested in seeing it developed, and would be happy to help out if you wanted to progress it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I'm working on a project where we are continually harvesting infrastructure data from AWS across hundreds of accounts. This is certainly not the typical use case since most projects USE Amazon, we interrogate it. So part of making requests is fetching and decrypting credentials. If we only used standard access/secret credentials this wouldn't be as much of an issue because I can pass them to
ExAws.requestas options but AssumedRole and STSAssumed role are very much used.While my specific use case with lots of accounts is rare, I think there's some shared commonality with those fetching credentials from Vault, etcd or some other secret store. For me, I want to spin up a process for account under a dynamic supervisor with the child_spec matching the credential type of the technique I'm using. Then when calling
ExAws.requestI can pass in an option for the pid or MFA to call to retrieve and merge the credentials. The pid I would look up from my registry.I think this pattern has the added benefit of breaking up the current AuthCache into more specific modules. A user would add
ExAws.Config.ApiKeysorExAws.Config.STSAssumedRoleorExAws.Config.CLIProfileto their supervision tree depending on their credential type. The community could then contribute adapters for third party services. You could also get the same clean interface withExAws.requestif your cache is given a standard name viaGenServer.start_linkwhich would be implicitly called for the standard user. Having a user add the cache to their supervision tree would allow ExAws to eventually just ship as a library rather than an application. But I do think this can be done without breaking changes.I threw together a quick example of my idea for illustrative purposes. I'm not a big fan of the MFA call but I'm not sure of a better way at the moment since there's not a single module to act as an interface at the call site.
Thanks so much for your hard work on this great project and I look forward to your feedback!