
[RFC] Add support for AWS Standard Credential Provider Chain

Open AdamTylerLynch opened this issue 1 year ago • 3 comments

Recommend implementing the standard credential provider chain as per AWS SDK standards. The providers have an order of precedence, and support refresh tokens for federation, operating in containers, and EC2 assume role.

Adding these would provide consistent experiences across runtime environments, and provide the ability to leverage AWS-lite for specific parts of an application (strangler pattern) without having to change/amend the application's credential provider.

https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html

AdamTylerLynch, Dec 14 '23 02:12

Stoked for this issue! General thoughts:

  • Where feasible and ergonomic for devs, aws-lite aims to adopt the conventions set by the AWS SDK
  • As of today, I believe we have support for two steps in the chain: access keys (of course) and process credential provider
  • I think it probably makes sense to eventually support any steps in the credential provider chain that are relevant to the aws-lite use case
  • Within this context, we may generally break with existing conventions anywhere that has a meaningful impact on initialization or per-request performance; such cases, if supported, would likely be explicitly opt-in

Does AWS have any information / telemetry about the frequency of usage in the provider chain? What steps would be the priority?

Finally: PRs welcome! :)

ryanblock, Dec 14 '23 04:12

Bump @AdamTylerLynch!

ryanblock, Dec 18 '23 23:12

Back in the day I created https://github.com/mhart/awscred – but I imagine there are more credential sources these days

mhart, Feb 12 '24 08:02

aws-lite now supports the following credential sources, in this order:

  • Params
  • Env vars
  • SSO (following aws sso login [options])
  • Configuration files (~/.aws/[credentials|config], etc.)
  • External process (credential_process = /run/this/for/creds)
  • IMDSv2, supporting container (ECS), then instance (EC2) metadata

Notes:

  • IMDSv2 is the current standard, and v1 is no longer available for newly provisioned resources; as such we do not currently support v1. If anyone needs it, I am happy to review a PR that adds that functionality!
  • Web identity token files (aka OIDC to STS creds) are not (yet) supported; for most folks the other credential options are likely better. But again, if it's needed, I am happy to discuss and review a PR that adds this functionality.

ryanblock, Jul 23 '24 03:07
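The provider chain requested in the opening post and the source order listed in the comment above, as an added example that is not aws-lite's own code: each source is a function that returns either a complete access key / secret pair or `null`, and the resolver returns the first complete result. SSO and IMDSv2 need network access, so they are left as stubs that return `null`; the external-process step takes an injected `runProcess` callback instead of spawning anything, so the example runs offline. The `ctx` shape, the function names, the `now` override and the sample profile files are all assumptions made for this example.

```javascript
// Added example, not aws-lite's own code. Resolves credentials in the order:
// params, env vars, SSO, config files, credential_process, IMDSv2.
// `ctx` is an assumed shape: { params, env, profile, credentialsIni,
// configIni, runProcess, now }.

const REQUIRED = ['accessKeyId', 'secretAccessKey']

function complete (c) {
  return !!c && REQUIRED.every(k => typeof c[k] === 'string' && c[k].length > 0)
}

// 1. Explicit params passed by the caller
function fromParams (ctx) {
  const p = ctx.params || {}
  return complete(p) ? { ...p, source: 'params' } : null
}

// 2. Environment variables (the same names the AWS SDKs read)
function fromEnv (ctx) {
  const env = ctx.env || {}
  const c = {
    accessKeyId: env.AWS_ACCESS_KEY_ID,
    secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
    sessionToken: env.AWS_SESSION_TOKEN,
  }
  return complete(c) ? { ...c, source: 'env' } : null
}

// 3. SSO would exchange the cached `aws sso login` token for role creds; stubbed here
function fromSso () { return null }

// Minimal INI parser for ~/.aws/credentials and ~/.aws/config contents
function parseIni (text) {
  const sections = {}
  let section = null
  for (const raw of String(text).split('\n')) {
    const line = raw.trim()
    if (!line || /^[#;]/.test(line)) continue
    const header = line.match(/^\[\s*(.+?)\s*\]$/)
    if (header) { section = sections[header[1]] = sections[header[1]] || {}; continue }
    const eq = line.indexOf('=')
    if (eq > 0 && section) section[line.slice(0, eq).trim()] = line.slice(eq + 1).trim()
  }
  return sections
}

// Merge the selected profile from both files (credentials file wins on conflicts)
function profileSettings (ctx) {
  const profile = ctx.profile || 'default'
  const creds = parseIni(ctx.credentialsIni || '')
  const config = parseIni(ctx.configIni || '')
  // ~/.aws/config titles non-default profiles as "profile <name>"
  const configKey = profile === 'default' ? 'default' : `profile ${profile}`
  return { ...(config[configKey] || {}), ...(creds[profile] || {}) }
}

// 4. Configuration files: static keys in the selected profile
function fromConfigFiles (ctx) {
  const s = profileSettings(ctx)
  const c = {
    accessKeyId: s.aws_access_key_id,
    secretAccessKey: s.aws_secret_access_key,
    sessionToken: s.aws_session_token,
  }
  return complete(c) ? { ...c, source: 'config' } : null
}

// 5. External process named by credential_process. The process must print JSON
// of the form { Version: 1, AccessKeyId, SecretAccessKey, SessionToken, Expiration }.
// `ctx.runProcess(command)` is an assumed callback returning that stdout text.
function fromProcess (ctx) {
  const s = profileSettings(ctx)
  if (!s.credential_process || typeof ctx.runProcess !== 'function') return null
  let out
  try { out = JSON.parse(ctx.runProcess(s.credential_process)) } catch (e) { return null }
  if (!out || out.Version !== 1) return null
  // Reject credentials the helper reports as already expired
  if (out.Expiration && Date.parse(out.Expiration) <= (ctx.now || Date.now())) return null
  const c = {
    accessKeyId: out.AccessKeyId,
    secretAccessKey: out.SecretAccessKey,
    sessionToken: out.SessionToken,
    expiration: out.Expiration,
  }
  return complete(c) ? { ...c, source: 'process' } : null
}

// 6. IMDSv2 (ECS container, then EC2 instance metadata) needs HTTP; stubbed here
function fromImds () { return null }

const CHAIN = [fromParams, fromEnv, fromSso, fromConfigFiles, fromProcess, fromImds]

// Walk the chain and return the first complete set of credentials
function resolveCredentials (ctx) {
  for (const provider of CHAIN) {
    const c = provider(ctx)
    if (complete(c)) return c
  }
  throw new Error('No credentials found in provider chain')
}
```

Two points worth keeping when turning this into a real implementation: the `source` field makes it possible to log which step supplied credentials without ever logging the secret itself, and the expiry check on `credential_process` output is what prevents a stale helper from silently causing signature failures on every subsequent request.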