This repository has been archived by the owner on Jul 10, 2022. It is now read-only.

Authenticate to AWS using custom profile #101

Open
JamieCressey opened this issue Mar 31, 2016 · 4 comments

@JamieCressey

Allow users to provide a profile name to use when authenticating against AWS

@krobertson
Owner

I'll look into this... prefer to be able to have it automatically pick one up.

@bacoboy

bacoboy commented May 5, 2017

When dealing with multiple accounts, sometimes there is no default.

There are really 2 things needed to be complete:

  1. specify a non-default profile (from ~/.aws/credentials)
  2. specify a role ARN to assume. The SDK doesn't read ~/.aws/config like the aws CLI does; you need to call STS to assume roles.

So in my case, I have keys for an account, but need to assume a role in another account to perform the operation. For instance my config might look like this:

% cat ~/.aws/config
[production]
region = us-east-1

[profile admin]
role_arn = arn:aws:iam::XXXXXXXX:role/Admin
source_profile = production
region = us-east-1

My S3 operation on the CLI might look like this:

aws --profile admin s3 sync XXXXX

Under the hood, the CLI uses the production credentials in ~/.aws/credentials and then assumes the role via STS.

If you can support both these cases, you'll be perfect. The SDK does the first one automatically for you if you use the default credentials provider chain. The STS role assumption stuff you'll need to add more code for.

@alex-pw

alex-pw commented Aug 9, 2017

Here is an example diff that lets me set role-arn via the CLI. It would be more ideal to respect the aws config files properly, but this is a quick workaround. I haven't yet figured out where to put the force_path_style option for the STS connection.

patch.diff.txt

@bacoboy

bacoboy commented Sep 6, 2017

Nobody parses the config file except the aws cli that I have found. I did something similar for unicreds here.

Your patch looks more or less correct. The role arn is just an updated config you use in the client setup. The force_path_style seems to be s3 specific and not related to the credentials setup. I'd pull that block out of the if/else to update the config if role arn is specified.
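
Added example, not part of the thread or the project's code: a Ruby sketch of the config resolution discussed above, turning a profile name into the base profile whose keys are used plus the role ARNs to assume via STS, in order. The helper names `parse_aws_config` and `resolve_profile` are hypothetical, the sample is constructed from the config quoted in the thread, and accepting bare `[name]` section headers alongside `[profile name]` is an assumption made to match that sample.

```ruby
# Added example: resolve an AWS-CLI-style profile into "base keys + roles to assume".
# parse_aws_config and resolve_profile are hypothetical helper names.

# Constructed sample, modelled on the config quoted in the thread.
SAMPLE_CONFIG = <<~INI
  [production]
  region = us-east-1

  [profile admin]
  role_arn = arn:aws:iam::XXXXXXXX:role/Admin
  source_profile = production
  region = us-east-1
INI

# Parse INI text into { "profile name" => { "key" => "value" } }.
# Accepts "[profile name]" and bare "[name]" headers (assumption, see lead-in).
def parse_aws_config(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(?:profile\s+)?([^\]]+)\]\z/))
      current = profiles[m[1].strip] ||= {}
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      current[m[1]] = m[2].strip
    end
  end
  profiles
end

# Follow source_profile links down to the profile that holds long-lived keys.
# Returns [base_profile, role_arns] with role_arns in the order they must be
# assumed. Raises ArgumentError on unknown profiles and source_profile loops.
def resolve_profile(profiles, name)
  roles, seen = [], []
  loop do
    raise ArgumentError, "unknown profile: #{name}" unless profiles.key?(name)
    raise ArgumentError, "source_profile loop at: #{name}" if seen.include?(name)
    seen << name
    role = profiles[name]['role_arn']
    return [name, roles.reverse] if role.nil?
    roles << role
    name = profiles[name]['source_profile'] or raise ArgumentError, 'role_arn without source_profile'
  end
end

base, roles = resolve_profile(parse_aws_config(SAMPLE_CONFIG), 'admin')
puts "base keys: #{base}; assume in order: #{roles.join(' -> ')}"
```

The resolved base profile and role list are what a tool would hand to its SDK's shared-credentials and STS assume-role providers; failing closed on unknown profiles and loops avoids silently falling back to a different set of credentials.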
