
Support static API creds

Open synfinatic opened this issue 2 years ago • 2 comments

Basically do what aws-vault does, since people often have non-SSO roles they need to access.

So we need:

  1. Way to import the config/credentials file
  2. Way to manually add and delete new keys/roles
  3. Add & manage records to cache?
  4. Ideally get temporary tokens so if they are compromised you aren't very sad.
  5. Use creds to auto-discover Account level tags
  6. Need to be able to list roles
  7. Automate key rotation
  8. ~~MFA support~~

Why this feature?

  • Because orgs need to migrate to AWS SSO and this doesn't happen overnight.
  • Some people access accounts across multiple orgs and SSO isn't viable in that case.
  • Others???

synfinatic, Jan 07 '22 05:01

When not using SSO, need to support MFA: https://github.com/99designs/aws-vault/blob/master/USAGE.md#using-credential_process

synfinatic, Jan 17 '22 18:01

UX:

Phase 0:

  • ~~Research MFA support?~~ TL;DR: Use for AssumeRole/GetSessionToken calls. (Not even sure this is necessary really???)
  • Need to think harder on UX and map it out. What are the workflows I wish to enable?

Phase 1:

  • list -- list static roles as well as SSO
  • static import -- import from config/credentials file.
  • Should work with exec, console and eval

Phase 2+:

  • static add -- add new static role creds
  • static del -- delete static role creds
  • write ~/.aws/config and generate profiles
  • Import metadata for Tags + a Type tag for static vs sso
    • Should include tags on our IAM user (iam:ListUserTags)
  • Automate key rotation
  • Support temporary session tokens (without MFA)
  • Custom tags support

synfinatic, Jan 22 '22 23:01