
Support for AWS `credential_process` as an identity

Open tlgDJPorv opened this issue 2 months ago • 4 comments

Describe the Feature

Lovin' the look of the atmos auth shell feature.
But at our organization, we source our temporary AWS credentials from an external process.
We make heavy use of the credential_process property in AWS' shared config file.

Expected Behavior

I expected that an external process could be specified as a source of temporary AWS credentials.

Use Case

Mostly what was mentioned here: https://atmos.tools/blog/introducing-atmos-auth-shell/#the-problem

Describe Ideal Solution

Add an aws/process kind for identity configuration in auth.identities.
Something like:

auth:
  identities:
    staging:
      kind: aws/process
      credentials:
        credential_process: '{{getenv "HOME"}}/.local/bin/external-process staging'
        region: eu-west-1

Alternatives Considered

No response

Additional Context

No response

tlgDJPorv avatar Oct 31 '25 13:10 tlgDJPorv

Oh interesting, I was thinking you wanted to use atmos auth itself as a credential helper in the AWS configs. This is slightly different though. Having atmos call the external process to get credentials for a provider. We can consider that. What does your external-process command return? Are you using for example the Okta CLI?

osterman avatar Oct 31 '25 14:10 osterman

I do want to use atmos auth as the credential / identity helper. But I guess it would be more like the AWS User (Break Glass) identity as the credential_process "method" is part of the AWS Tools and SDK standard credential providers the same way that access keys or role assuming are.
E.g. you can have a ~/.aws/config with an entry like:

[profile staging] 
credential_process = /home/myuser/.local/bin/external-process staging 
region = eu-west-1

The external process returns the credentials with the syntax:

{
    "Version": 1,
    "AccessKeyId": "an AWS access key",
    "SecretAccessKey": "your AWS secret access key",
    "SessionToken": "the AWS session token for temporary credentials", 
    "Expiration": "RFC3339 timestamp for when the credentials expire"
}

tlgDJPorv avatar Nov 03 '25 07:11 tlgDJPorv
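An added example, not part of the original thread and not Atmos code: one way a consumer of `credential_process` output could validate the JSON document shown in the comment above before trusting it. The names `ProcessCredentials` and `ParseProcessOutput` are hypothetical, the sample values are constructed, and treating `Expiration` as optional is an assumption based on the AWS CLI's handling of long-term credentials.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ProcessCredentials mirrors the JSON keys printed by the external process.
type ProcessCredentials struct {
	Version                                                int
	AccessKeyId, SecretAccessKey, SessionToken, Expiration string
}

// ParseProcessOutput (hypothetical helper) validates a credential_process stdout document.
func ParseProcessOutput(out []byte, now time.Time) (*ProcessCredentials, error) {
	var c ProcessCredentials
	if err := json.Unmarshal(out, &c); err != nil {
		return nil, fmt.Errorf("output is not valid JSON: %w", err)
	}
	if c.Version != 1 {
		return nil, fmt.Errorf("unsupported Version %d", c.Version)
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return nil, errors.New("AccessKeyId and SecretAccessKey are required")
	}
	if c.Expiration != "" { // assumption: absent means non-expiring credentials
		exp, err := time.Parse(time.RFC3339, c.Expiration)
		if err != nil {
			return nil, fmt.Errorf("expiration is not RFC3339: %w", err)
		}
		if !exp.After(now) {
			return nil, errors.New("credentials already expired")
		}
	}
	return &c, nil
}

func main() {
	// Constructed sample, not real credentials.
	sample := []byte(`{"Version":1,"AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"example","Expiration":"2099-01-01T00:00:00Z"}`)
	if c, err := ParseProcessOutput(sample, time.Now()); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("accepted, expires:", c.Expiration) // secret fields are never printed
	}
}
```

The error messages deliberately carry no field values, so a rejected document does not leak key material into logs.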

@tlgDJPorv can you review this PRD and see if that meets your requirements:

  • #1795

osterman avatar Nov 15 '25 19:11 osterman

Awesome stuff. #1795 would cover my needs nicely.

tlgDJPorv avatar Nov 17 '25 07:11 tlgDJPorv