shell-plugins
AWS - Support for acting as credential process
Platform or tool
AWS
Desired or expected behavior
The AWS CLI and SDKs have the ability to read credentials from an external process over stdin if the user sets credential_process in the config file. It would be nice if op supported this functionality for AWS and, more broadly, had the ability to support this kind of functionality for other tools.
Current behavior
The AWS plugin invokes aws after setting environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and potentially AWS_SESSION_TOKEN and AWS_DEFAULT_REGION.
Further discussion
The current approach works fine, but it does mean that:
- Only the AWS CLI is supported, not the SDKs.
- Credentials are present in the environment for aws and may be read by (for example) EDR software.
- Aliases and wrapper scripts that call aws can't easily make use of this functionality.
- Supporting different credentials for different AWS CLI/SDK profiles is non-trivial (cf. #130).
By adding the ability to act as a credential_process for AWS specifically, and more generally supporting this kind of mechanism for other tools, these issues can all be fairly simply resolved.
op CLI version
6.13.1
IMO, AWS Vault already solves this masterfully.
@elyscape said:
Only the AWS CLI is supported, not the SDKs.
I guess I don't understand. The AWS CLI is built atop the Python SDK, and all SDKs implement the same auth logic (source: I was a founding member of the SDK/CLI team at AWS).
Oh, wait — do you mean because it maps to aws? Yeah. IMO, mapping the commands to a specific binary is a premature optimization in 1P's implementation.
IMO, AWS Vault already solves this masterfully.
Right but I think the idea is to be able to store credentials in 1P and not separate them, which you'd have to do if you used AWS Vault.
I manage over 180 AWS accounts.
If you have one or two accounts configured as IAM users with a key and secret, it's not that bad.
AWS Vault integrates with AWS SSO, integrates with all AWS SDKs and CLI using the native ~/.aws directory, and generates session credentials automatically — which are all best practices for using AWS at scale.
According to AWS documentation, to work as a credential_process, the plugin would just need to return credentials in JSON format.
That would enable users to automatically switch between profiles that refer to different AWS accounts, eliminating the need to invoke op plugin init aws. That, I think, contrary to being a premature optimization, would be a significant quality-of-life improvement.
Users would be able to seamlessly switch profiles/accounts without having to issue a single command, while also providing MFA TOTPs automatically when assuming roles.
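The credential_process contract that the issue body and the comment above refer to, as an added example that is not part of this thread or of the shell-plugins project: a small Python helper that prints the JSON document the AWS CLI/SDKs expect on the helper's stdout (the SDK parses stdout, not the environment), together with a validator for that document. `op read op://...` is an existing op command, but the vault, item and field names used here are assumptions, as is the script path in the config fragment in the docstring.

```python
"""Illustrative AWS credential_process helper backed by the 1Password CLI.

This is example code, not 1Password's plugin. Assumptions not taken from
the thread: credentials live in a 1Password item readable with
`op read op://<vault>/<item>/<field>`, with fields named access-key-id,
secret-access-key and, for temporary credentials, session-token and
expiration.

Wire it up in ~/.aws/config (path is hypothetical):

    [profile dev]
    credential_process = /usr/local/bin/op-aws-creds op://Private/aws-dev

The SDK runs the command, reads its stdout, and re-runs it when the
reported Expiration passes, so no key material lands in the environment.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

REQUIRED_KEYS = ("Version", "AccessKeyId", "SecretAccessKey")


def build_credential_output(access_key_id, secret_access_key,
                            session_token=None, expiration=None):
    """Return the dict the AWS CLI/SDKs expect from a credential_process.

    Version must be the integer 1. SessionToken only applies to temporary
    credentials. Expiration is an ISO 8601 timestamp; without it the SDK
    treats the keys as long-term and never re-invokes the process.
    """
    out = {
        "Version": 1,
        "AccessKeyId": access_key_id,
        "SecretAccessKey": secret_access_key,
    }
    if session_token:
        out["SessionToken"] = session_token
    if expiration is not None:
        if isinstance(expiration, datetime):
            if expiration.tzinfo is None:
                raise ValueError("expiration must be timezone-aware")
            expiration = expiration.astimezone(timezone.utc).isoformat()
        out["Expiration"] = expiration
    return out


def validate_credential_output(text):
    """Check a JSON document against the credential_process contract.

    Returns a list of problems; an empty list means the SDK would accept it.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    problems = [f"missing required key {k}" for k in REQUIRED_KEYS if k not in doc]
    if doc.get("Version") != 1:
        problems.append("Version must be the integer 1")
    if "SessionToken" in doc and "Expiration" not in doc:
        problems.append("SessionToken without Expiration: temporary credentials will never be refreshed")
    exp = doc.get("Expiration")
    if exp is not None:
        try:
            parsed = datetime.fromisoformat(str(exp).replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("Expiration must carry a timezone offset")
        except ValueError:
            problems.append("Expiration is not an ISO 8601 timestamp")
    return problems


def op_read(uri):
    """Read one field through the 1Password CLI (`op read` is a real command;
    the op:// paths passed to it in main() are assumptions)."""
    return subprocess.run(["op", "read", uri], check=True,
                          capture_output=True, text=True).stdout.strip()


def main(item="op://Private/aws-dev"):
    creds = build_credential_output(
        op_read(f"{item}/access-key-id"),
        op_read(f"{item}/secret-access-key"),
    )
    # stdout is the only channel the SDK reads; keep any diagnostics on stderr.
    json.dump(creds, sys.stdout)


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Because the command line in credential_process may carry arguments, one script can serve many profiles by pointing each profile at a different op:// item, which is the per-profile behaviour the thread asks for. Run the validator over a helper's output when debugging: a wrong Version type or a naive Expiration timestamp are the usual reasons the CLI silently falls back to other credential sources.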
upvote for this