aws-sso-util

Configurable SSO directories

Open nazarewk opened this issue 2 years ago • 8 comments

Allows configuring SSO directories explicitly in addition to more sane defaults (discovering them from AWS SDK credentials/config file locations).

nazarewk avatar Apr 21 '22 09:04 nazarewk

This would be very useful to me, as I usually keep AWS stuff in a directory scoped to a project using direnv and AWS SSO util kind of ignores that.

jaen avatar Apr 21 '22 11:04 jaen

I'm open to this, but I'd rather see it implemented on the AWS CLI (/botocore) instead, so that it's not specific to aws-sso-util. Could you open an issue/PR there first to see if they're open to it? A workaround like this in aws-sso-util would be the backup if they aren't.

benkehoe avatar Apr 30 '22 17:04 benkehoe

It also occurred to me that it may be dangerous to allow an environment variable to tell it where to put credentials. A bit like the redirect on an OAuth flow. I'll have to think more about that, seek some advice.

benkehoe avatar May 01 '22 01:05 benkehoe

> It also occurred to me that it may be dangerous to allow an environment variable to tell it where to put credentials. A bit like the redirect on an OAuth flow. I'll have to think more about that, seek some advice.

While I agree it should be stored in secret-service (or something similar) instead, the AWS SDK already set the precedent on storing credentials in files pointed to by envvars.

> I'm open to this, but I'd rather see it implemented on the AWS CLI (/botocore) instead, so that it's not specific to aws-sso-util. Could you open an issue/PR there first to see if they're open to it? A workaround like this in aws-sso-util would be the backup if they aren't.

I'll take a look at the viability of implementing it in botocore when I have some free time (most likely not in the next ~3 weeks).

nazarewk avatar May 04 '22 13:05 nazarewk

The AWS SDK generally has the capability for you to tell it where to get credentials that you've already stored (e.g., with AWS_SHARED_CREDENTIALS_FILE), which is different from telling it where to put cached credentials. Does that make sense?

benkehoe avatar May 05 '22 12:05 benkehoe
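
The concern discussed above, that an environment variable would decide where cached credentials are written and not only where they are read from, shown as an added example that is not part of this thread or of aws-sso-util's or botocore's code. It checks an override directory before writing a token into it; the variable name `EXAMPLE_SSO_CACHE_DIR` and all function names are hypothetical, and POSIX ownership and permission semantics are assumed.

```python
import os
import stat
from pathlib import Path

# Hypothetical variable name for this example; not an aws-sso-util or botocore setting.
CACHE_DIR_ENV = "EXAMPLE_SSO_CACHE_DIR"
# Default location of the AWS CLI's SSO token cache.
DEFAULT_CACHE_DIR = Path.home() / ".aws" / "sso" / "cache"


def resolve_cache_dir(env=os.environ):
    """Return the cache directory, preferring the (hypothetical) override."""
    override = env.get(CACHE_DIR_ENV)
    return Path(override) if override else DEFAULT_CACHE_DIR


def check_cache_dir(path):
    """Refuse directories another user could read from or plant files in."""
    st = os.lstat(path)  # lstat: do not follow a symlink at the final component
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a real directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group or others")


def write_token(cache_dir, name, data):
    """Write a cached token as 0600 without following a pre-planted symlink."""
    check_cache_dir(cache_dir)
    target = Path(cache_dir) / name
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)  # tighten the mode if the file already existed
        os.write(fd, data)
    finally:
        os.close(fd)
    return target
```

These checks cover only the final directory and the token file itself; a writable parent directory earlier in the path is outside what this example verifies.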

You're right, AWS SDK does not store, only reads the credentials.

nazarewk avatar May 06 '22 11:05 nazarewk

FYI: looks like you already made a feature request to botocore https://github.com/boto/botocore/issues/1923 ?

nazarewk avatar May 06 '22 11:05 nazarewk

https://github.com/boto/botocore/issues/1923 is different. It's asking for the functionality of aws_sso_lib.get_boto3_session() to be native in boto3.

benkehoe avatar May 19 '22 23:05 benkehoe