Support for specifying AWS profile by name? #71
Comments
The Go SDK supports the standard AWS credentials chain so using the It would look something like:
export AWS_DEFAULT_PROFILE=foo
heptio-authenticator-aws token
Thanks, I'm aware of that. My use case is that my team works with environments split across many different AWS environments, so it's handy to be able to explicitly set AWS profiles by name in config files, rather than having to keep updating env vars!
I believe I understand your use-case. For tools other than authenticator, I even wanted to share AWS_DEFAULT_REGION across my colleagues for motivation similar to yours, but I eventually ended up just using direnv. Of course you can use any tool other than direnv for that, but in general, achieving the goal out of authenticator has a benefit that:
Also I have a few concerns on supporting it within authenticator:
That being said, yes, the suggested feature would definitely be handy! But I believe we outgrow it given the edge-cases I've noted above. WDYT?
@kwerey Is it helpful that with 1.10 support merged, you can specify a user in your kubeconfig like so:
Where you can specify the usual environment variables, i.e. AWS_PROFILE, in that file? This configuration would take the credentials from the dev profile in your aws config file, then use those credentials to assume
Sorry for the slow response on this one @mumoshu, I got pulled away from container work for a while! Direnv or other tools that just streamline configuring the environment are a neat way of avoiding this - but because we have a relatively wide pool of people with diverse environments involved in maintaining container environments in my shop, we can't make a one-size-fits-all set of environment config easily, whereas we can standardise profile names and specify them in config, self-contained, without having to use third party tools or "and now copy&paste this into your bash profile". Specifying account/region for AWS config-as-code resources also seems like a valuable guarantee to me that prod config will only ever get applied to the relevant prod environment... Hmm. I don't have the same expectations as you about priority/overrides. Mine are set by Boto (the Python SDK), which is the first tool I used for interacting with AWS APIs. That has this order of priority for credentials. Top to bottom as highest priority to lowest:
That ordering makes a lot of sense to me - use explicit values if specified, if not use a well-known order to determine which creds get used by preference. I assume the Go SDK does the same - if you explicitly set a value, it gets used, if not, default to the environment. The thing I see as a bigger drawback of wanting to specify named credentials for AWS accounts in config is actually something else: it can trip you up when you want to move from individual hosts doing orchestration work, to running the work from Jenkins or another CI tool that runs on an EC2 instance and using an IAM role. We ran into this using Ansible for build/orchestration, and when we moved those workloads into a fully CI integrated stack we ended up kinda hackishly using sed to comment out profile names to let the instance profile creds take priority! Anyway, if this isn't part of your plan at the moment that makes sense. @nckturner - thanks, will take a look.
Awesome, let us know if it doesn't support your use-case.
Thanks for pointing that out @nckturner! I actually stumbled upon this as a solution for setting up kubeconfig for EKS. Specifying the profile is especially important... otherwise, it might pull the wrong IAM credentials and would not auth accordingly.
Hi Heptio crew,
This tool is neat! Thanks!
I wanted to ask:
Is there currently support for specifying an AWS profile by name in the tool? As far as I can tell that isn't possible currently - is that right?
If not, do you have any interest in supporting that feature?
My use case is "we operate in many AWS accounts, and want it to be impossible to auth into the wrong one", so being able to be explicit about which account a cluster belongs to in a configuration file is valuable.
It seems like you could optionally pass a profile_name parameter to the Go SDK's NewSessionWithOptions function with minimal disruption to anything else https://github.com/heptio/authenticator/blob/master/pkg/token/token.go#L149. I'm curious if it's something you've thought about adding/if you'd welcome a PR to add it.
thanks
Nikki
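As an added illustration of what this thread is discussing (the precedence between an explicit profile name and the AWS_PROFILE / AWS_DEFAULT_PROFILE variables, the layout of the shared config file a profile name points into, and why an explicit profile should stay optional so an instance role can still win on CI hosts), here is a self-contained Go example. It is not the authenticator's code and does not call the AWS SDK; the config text, the key id, the account number and the function names are all constructed for the example. It fails closed on an unknown profile or a source_profile cycle, which is the "impossible to auth into the wrong account" property the issue asks for.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Profile is one section of an AWS shared config file (~/.aws/config).
type Profile struct {
	Name          string
	AccessKeyID   string // aws_access_key_id, when the profile holds static keys
	RoleARN       string // role_arn, when the profile assumes a role
	SourceProfile string // source_profile, whose credentials are used to assume RoleARN
	Region        string
}

// SampleConfig is a constructed ~/.aws/config used for the demonstration;
// the key id and the account number are placeholders, not real values.
const SampleConfig = `
[default]
region = us-east-1

[profile dev]
aws_access_key_id = AKIAEXAMPLEDEVKEY
region = eu-west-1

# prod-admin has no keys of its own: it assumes a role using dev's keys
[profile prod-admin]
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = dev
`

// ResolveProfileName applies the precedence the thread describes: an explicit
// value (e.g. one written in a cluster's config file) wins, then AWS_PROFILE,
// then AWS_DEFAULT_PROFILE. An empty result means "no named profile was
// requested", so the caller should fall back to the SDK's default chain
// (environment keys, then the instance-profile/role provider). Keeping the
// explicit value optional is what avoids the CI-on-EC2 problem mentioned in
// the thread, where a hard-coded profile shadows the instance role.
func ResolveProfileName(explicit string, env map[string]string) string {
	if explicit != "" {
		return explicit
	}
	if v := env["AWS_PROFILE"]; v != "" {
		return v
	}
	return env["AWS_DEFAULT_PROFILE"]
}

// ParseSharedConfig parses the INI-style shared config format: sections are
// "[default]" or "[profile NAME]", entries are "key = value", and lines that
// start with '#' or ';' are comments. Keys this example does not model are ignored.
func ParseSharedConfig(contents string) (map[string]Profile, error) {
	profiles := map[string]Profile{}
	var cur *Profile
	flush := func() {
		if cur != nil {
			profiles[cur.Name] = *cur
		}
	}
	sc := bufio.NewScanner(strings.NewReader(contents))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			flush()
			name := strings.TrimSpace(line[1 : len(line)-1])
			name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
			cur = &Profile{Name: name}
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || cur == nil {
			return nil, fmt.Errorf("line %d: malformed entry %q", n, line)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch key {
		case "aws_access_key_id":
			cur.AccessKeyID = val
		case "role_arn":
			cur.RoleARN = val
		case "source_profile":
			cur.SourceProfile = val
		case "region":
			cur.Region = val
		}
	}
	flush()
	return profiles, sc.Err()
}

// CredentialSource follows source_profile links from name until it reaches a
// profile that does not delegate further, and returns that profile's name.
// An unknown profile or a cycle is an error rather than a silent fallback.
func CredentialSource(profiles map[string]Profile, name string) (string, error) {
	seen := map[string]bool{}
	for {
		p, ok := profiles[name]
		if !ok {
			return "", fmt.Errorf("profile %q not found in shared config", name)
		}
		if seen[name] {
			return "", fmt.Errorf("source_profile cycle at %q", name)
		}
		seen[name] = true
		if p.SourceProfile == "" {
			return name, nil
		}
		name = p.SourceProfile
	}
}

func main() {
	profiles, err := ParseSharedConfig(SampleConfig)
	if err != nil {
		panic(err)
	}
	// The profile written explicitly into a cluster's config beats AWS_PROFILE.
	name := ResolveProfileName("prod-admin", map[string]string{"AWS_PROFILE": "dev"})
	src, err := CredentialSource(profiles, name)
	fmt.Println(name, "->", src, err)
}
```

The point of the design is that the explicit profile name is only an override: when a config file leaves it empty and no AWS_PROFILE variable is set, ResolveProfileName returns "" and the caller hands control back to the default credential chain, so the same config works on a laptop with named profiles and on a CI instance with an IAM role.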