Support credential_process feature of CLI
It would be great to support: http://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
I think #109 and #55 need to be implemented before this, and caching of the temporary credentials has to work.
This would be the best integration into the CLI I think.
Another vote for this. It would be nice to have authentication happen transparently through the credential_process directive in ~/.aws/credentials.
Some additional information is here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
To support this, the script needs to generate output of the following format:
{
"Version": 1,
"AccessKeyId": "an AWS access key",
"SecretAccessKey": "your AWS secret access key",
"SessionToken": "the AWS session token for temporary credentials",
"Expiration": "ISO8601 timestamp when the credentials expire"
}
However, for this to be truly useful, saml2aws would also need to cache successful logins (e.g. #492).
I ended up writing a wrapper that essentially looks like this:
#!/usr/bin/env bash
# credential_process wrapper around saml2aws
# Abort on any failure so the AWS CLI never receives a JSON document with empty values
set -euo pipefail
# Read AWS profile, role name and role ARN from parameters
profile=$1
role=$2
role_arn=$3
region=${4:-ap-southeast-2}
# Use a separate cache credentials file; static keys in ~/.aws/credentials would take precedence over credential_process
export AWS_SHARED_CREDENTIALS_FILE=~/.saml2aws-credential-cache
# Save credentials to cache profile; everything saml2aws prints goes to stderr so stdout holds only the JSON
saml2aws login --skip-prompt --region "$region" --profile "${profile}-${role}" --role "$role_arn" >&2
# Read in credentials (exported as shell variables) to reformat as JSON
eval "$(saml2aws script --profile "${profile}-${role}")"
# Render JSON required by AWS CLI
jq -cn \
  --arg id "$AWS_ACCESS_KEY_ID" \
  --arg secret "$AWS_SECRET_ACCESS_KEY" \
  --arg token "$AWS_SESSION_TOKEN" \
  --arg exp "$AWS_CREDENTIAL_EXPIRATION" \
  '{Version: 1, AccessKeyId: $id, SecretAccessKey: $secret, SessionToken: $token, Expiration: $exp}'
You cannot have the static credentials in ~/.aws/credentials AND set credential_process, so the use of an external file was required.
The ~/.aws/config was then populated with profiles like this:
[profile uat-blah]
region = ap-southeast-2
credential_process = saml2aws_credentials.sh uat-blah developer arn:aws:iam::123456789:role/developer
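The wrapper above re-runs the login on every call. A helper that only re-emits cached temporary credentials, and fails closed (non-zero exit, message on stderr, nothing on stdout) when they are missing or about to expire, is what the caching discussion in this thread is asking for. The following is an added example, not code from this thread or from saml2aws. It assumes a cache file in INI layout with the key names saml2aws writes (aws_access_key_id, aws_secret_access_key, aws_session_token, x_security_token_expires); the profile name, key values and expiry are constructed sample data.

```python
#!/usr/bin/env python3
"""Added example: a credential_process helper that serves cached temporary
credentials as the Version-1 JSON the AWS CLI expects, and refuses to serve
credentials that are expired or about to expire."""
import configparser
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of a cache file written by a separate login step.
# Assumption: INI layout with the key names saml2aws uses; the file lives
# outside ~/.aws/credentials so the AWS CLI never reads it directly.
SAMPLE_CACHE = """\
[uat-blah-developer]
aws_access_key_id = ASIAEXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRETACCESSKEY
aws_session_token = EXAMPLESESSIONTOKEN
x_security_token_expires = 2099-01-01T00:00:00Z
"""

# Serve nothing that dies within this window; the CLI would fail mid-call.
STALE_MARGIN = timedelta(minutes=5)


class CredentialsExpired(Exception):
    """Raised when the cached credentials must be refreshed by a real login."""


def parse_iso8601(value):
    """Parse the timestamp formats seen in the cache ('Z' or explicit offset)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_cached(profile, ini_text, now_iso=None):
    """Return the credential_process dict for `profile` from `ini_text`.

    Raises KeyError if the profile is not cached and CredentialsExpired if
    its token is past (or within STALE_MARGIN of) expiry. `now_iso` lets a
    caller pin the clock; by default the current UTC time is used.
    """
    cache = configparser.ConfigParser(interpolation=None)
    cache.read_string(ini_text)
    section = cache[profile]
    expires = parse_iso8601(section["x_security_token_expires"])
    now = parse_iso8601(now_iso) if now_iso else datetime.now(timezone.utc)
    if expires - now < STALE_MARGIN:
        raise CredentialsExpired(f"{profile} expired at {expires.isoformat()}")
    return {
        "Version": 1,
        "AccessKeyId": section["aws_access_key_id"],
        "SecretAccessKey": section["aws_secret_access_key"],
        "SessionToken": section["aws_session_token"],
        "Expiration": expires.isoformat(),  # ISO 8601, offset included
    }


def main(argv):
    """usage: saml2aws_cached_credentials.py <profile> <cache-file>"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    profile, path = argv[1], argv[2]
    with open(path, encoding="utf-8") as fh:
        ini_text = fh.read()
    try:
        creds = load_cached(profile, ini_text)
    except KeyError:
        print(f"no cached credentials for profile {profile}", file=sys.stderr)
        return 1
    except CredentialsExpired as exc:
        # Diagnostics go to stderr only: stdout must carry nothing but JSON.
        print(f"{exc}; run the login step to refresh", file=sys.stderr)
        return 1
    json.dump(creds, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as `credential_process = /absolute/path/saml2aws_cached_credentials.py uat-blah-developer /home/user/.saml2aws-credential-cache`, a non-zero exit makes the AWS CLI report the failure instead of silently using stale keys, and the stderr text tells the user to run the login step. Point the cache at a file other than ~/.aws/credentials, otherwise the SDK reads the static keys there first and never runs the process at all.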
https://github.com/Versent/saml2aws/pull/595 addresses this issue
This has been implemented. Here is a sample ~/.aws/config profile entry:
[profile sample-profile]
credential_process = /usr/bin/saml2aws login --profile=sample-profile --role=arn:aws:iam::012345678912:role/sample-role --credential-process --credentials-file=/home/sample-user/.aws/saml-credentials --skip-prompt --quiet
region = us-east-1
Make sure that ~/.aws/credentials does not have a [sample-profile] entry.
This https://github.com/Versent/saml2aws/pull/602 allows you to resolve it
@iciclespider your method still requires explicit saml2aws login --profile=sample-profile --role=arn:.... execution, correct?
Without it I get the error message "aws credentials have expired".
@iciclespider your method still requires explicit saml2aws login --profile=sample-profile --role=arn:.... execution, correct? Without it I get the error message "aws credentials have expired".
I am not sure exactly what you are asking. It does require an initial, manual run of saml2aws login to seed the password into the secret storage used. But after that, it runs automatically.
@laur89 I believe you're seeing this error because your ~/.aws/credentials file exists. The AWS SDK gives precedence to the credentials in the file over the credential process.
The way through this is to remove your ~/.aws/credentials file, and configure saml2aws to write its credentials in a different file using --credentials-file.
There's a paragraph in the README.md here: https://github.com/Versent/saml2aws#using-saml2aws-as-credential-process
basically, just add --credentials-file ~/.aws/saml2aws_credentials to your command, either when you configure saml2aws or in your aws config file.
@iciclespider your method still requires explicit saml2aws login --profile=sample-profile --role=arn:.... execution, correct? Without it I get the error message "aws credentials have expired".
Also, did you ensure this part of my comment was implemented?
Make sure that ~/.aws/credentials does not have a [sample-profile] entry.
I ran into issues when trying to use this, because it seems like the CLI isn't always omitting log entries from stdout when using the --quiet flag.
~I wonder if having a --log-stderr flag might be a way to support interactivity during login when using --credential-process (so --skip-prompt wouldn't be required).~ I realised that saml2aws already logs to stderr by default; it would be nice if it wasn't discarded by the AWS CLI.
I opened an issue before finding this thread: https://github.com/Versent/saml2aws/issues/685
I keep receiving the error "error building login details: failed to validate account: URL empty in idp account" when using saml2aws.exe login --profile=*** --role=*** --credential-process --skip-prompt.
I configured the profile with saml2aws.exe configure --idp-provider='AzureAD' --mfa='Auto' --profile='saml' --url='https://account.activedirectory.windowsazure.com' --username='***' --password=*** --app-id='***' --skip-prompt --role='***' --region='us-east-1' --idp-account=***
And I confirmed that the profile is working successfully with saml2aws.exe login --idp-account=***
Assuming this ticket is in relation to the --credential-process flag, this ticket was raised on AWS-CLI project,
https://github.com/aws/aws-cli/issues/5109
Can --credential-process flag be changed to not save the credentials to the aws credentials file so that auto-refresh works correctly?
Work around for now is to specify something like --credentials-file=~/.aws/saml2aws.creds so creds are not stored in aws's credentials file.
I've raised #895 to address aws/aws-cli#5109
Can --credential-process flag be changed to not save the credentials to the aws credentials file so that auto-refresh works correctly?
Work around for now is to specify something like --credentials-file=~/.aws/saml2aws.creds so creds are not stored in aws's credentials file.
--credentials-file=/dev/null works as well
Can --credential-process flag be changed to not save the credentials to the aws credentials file so that auto-refresh works correctly?
Work around for now is to specify something like --credentials-file=~/.aws/saml2aws.creds so creds are not stored in aws's credentials file.
--credentials-file=/dev/null works as well
This would work; however, it will require authentication for each command.
Assuming this ticket is in relation to the --credential-process flag, this ticket was raised on AWS-CLI project,
Can --credential-process flag be changed to not save the credentials to the aws credentials file so that auto-refresh works correctly? Work around for now is to specify something like --credentials-file=~/.aws/saml2aws.creds so creds are not stored in aws's credentials file.
Please note that .aws/config is read statically, so if you have --credentials-file=~/.aws/saml2aws.creds the path '~'/'.aws'/'saml2aws.creds' will be created relative to your CWD, which I believe is not the desired outcome. The best approach is to use an absolute path.
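The two setup mistakes this thread keeps returning to (a static [profile] entry in ~/.aws/credentials that shadows credential_process, and a `~` in the credential_process command line that the CLI passes through unexpanded) are both visible in the config files themselves, so they can be linted before the first failed aws call. The following checker is an added example, not code from this thread or from saml2aws; the config and credentials contents, paths and profile names are constructed, and the check for a missing --credentials-file reflects the workaround described above (credentials otherwise landing in the default credentials file).

```python
#!/usr/bin/env python3
"""Added example: lint a credential_process profile for the mistakes this
thread keeps running into."""
import configparser
import shlex

# Constructed sample files; the paths and profile names are invented.
SAMPLE_CONFIG = """\
[profile sample-profile]
credential_process = /usr/bin/saml2aws login --profile=sample-profile --role=arn:aws:iam::012345678912:role/sample-role --credential-process --credentials-file=~/.aws/saml2aws.creds --skip-prompt --quiet
region = us-east-1
"""
# Leftover static keys for the same profile: the SDK reads these first and
# never runs credential_process.
SAMPLE_CREDENTIALS = """\
[sample-profile]
aws_access_key_id = AKIAEXAMPLE
aws_secret_access_key = EXAMPLESECRET
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "--credentials-file=~/.aws/saml2aws.creds",
    "--credentials-file=/home/sample-user/.aws/saml2aws.creds",
)


def _read_ini(text):
    # '=' only: the role ARN in the command line contains ':' which
    # configparser would otherwise accept as a key/value delimiter.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return parser


def lint_profile(profile, config_text, credentials_text):
    """Return a list of problems with `profile`; an empty list means it looks sane."""
    problems = []
    config = _read_ini(config_text)
    section = f"profile {profile}"
    if section not in config or "credential_process" not in config[section]:
        return [f"[{section}] has no credential_process"]
    argv = shlex.split(config[section]["credential_process"])

    # 1. Static keys in the shared credentials file win over credential_process.
    creds = _read_ini(credentials_text)
    if profile in creds and "aws_access_key_id" in creds[profile]:
        problems.append(
            f"[{profile}] in the credentials file has static keys that shadow credential_process"
        )

    # 2. The CLI runs the command without a shell, so '~' is passed literally
    #    and the tool would create a directory named '~' under the CWD.
    for arg in argv[1:]:
        if arg.startswith("~") or "=~" in arg:
            problems.append(f"{arg!r}: '~' is not expanded here, use an absolute path")

    # 3. Without --credentials-file the credentials are written to the default
    #    credentials file, which then shadows the process on the next run.
    if not any(a.startswith("--credentials-file") for a in argv):
        problems.append("no --credentials-file: credentials land in ~/.aws/credentials")
    return problems


if __name__ == "__main__":
    for name, cfg, creds in (("as posted", SAMPLE_CONFIG, SAMPLE_CREDENTIALS),
                             ("fixed", FIXED_CONFIG, "")):
        print(name, lint_profile("sample-profile", cfg, creds) or ["ok"])
```

Run against real files, read ~/.aws/config and ~/.aws/credentials into the two text arguments; an empty result for the profile means the process will actually be invoked and will write its cache where you expect.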
Is this still required?