
generate `~/.aws/config` for ecs server endpoint

Open synfinatic opened this issue 1 year ago • 1 comments

Like setup profiles, but use the ECS server endpoint to fetch the creds. This way users can just do `export AWS_PROFILE=xxx` on a remote host and get access to different roles without using the full URL endpoint.

Looks like the AWS SDK doesn't support multiple profiles with the Ecs endpoint (only the Ec2InstanceMetadata is documented, which I assume is just for EC2???). Anyways, support for this seems likely to require using the `credential_process` option. Since the SDK doesn't support caching of creds via `credential_process`, we would need to do so in a local process to avoid constantly going over the network, which would add too much latency.

synfinatic • Jul 11 '24 15:07

Not sure this is actually a good idea?

If we require using the credential process (which is necessary) and we want to cache credentials, then we need one of:

  1. A secure store to save the creds
  2. A service to store the creds in memory (but need to prevent others on the same system from talking to it)
  3. Just write the unencrypted creds to disk like the stock aws tooling

None of these options really seem that great? Probably the best option is an ssh-agent-like solution, which would use https://pkg.go.dev/gopkg.in/sevlyar/go-daemon.v0 or similar, which seems a bit of a hack since Go doesn't safely support fork() to run in the background.

synfinatic • Aug 27 '24 04:08
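
The in-memory caching option discussed in this thread, sketched as an added example (not aws-sso-cli code and not from either post): a local process keeps per-profile credentials in memory, refetches only near expiry, and emits the JSON document that `credential_process` expects. `Cache`, `fetch`, the five-minute refresh margin and the sample response are assumptions; restricting which local users can reach such a process is not covered here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

type ecsCreds struct { // JSON an ECS-style container credentials endpoint returns
	AccessKeyId, SecretAccessKey, Token string
	Expiration                          time.Time
}

type Cache struct { // holds credentials in process memory only, never on disk
	mu    sync.Mutex
	creds map[string]ecsCreds
	fetch func(profile string) ([]byte, error) // assumption: one GET to the ECS server per profile
}

// Get returns credential_process JSON, refetching only when the entry is missing or expires within 5 minutes.
func (c *Cache) Get(profile string) ([]byte, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	cur, ok := c.creds[profile]
	if !ok || !time.Now().Add(5*time.Minute).Before(cur.Expiration) {
		raw, err := c.fetch(profile)
		if err != nil {
			return nil, err
		}
		cur = ecsCreds{} // start clean so stale fields never survive a refresh
		if err := json.Unmarshal(raw, &cur); err != nil {
			return nil, err
		}
		if cur.AccessKeyId == "" || !time.Now().Before(cur.Expiration) {
			return nil, fmt.Errorf("profile %q: endpoint returned empty or expired credentials", profile)
		}
		c.creds[profile] = cur
	}
	return json.Marshal(map[string]interface{}{"Version": 1, "AccessKeyId": cur.AccessKeyId, "SecretAccessKey": cur.SecretAccessKey,
		"SessionToken": cur.Token, "Expiration": cur.Expiration.UTC().Format(time.RFC3339)})
}

func main() { // constructed sample response stands in for the network call
	sample := `{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"x","Token":"y","Expiration":"2099-01-01T00:00:00Z"}`
	c := &Cache{creds: map[string]ecsCreds{}, fetch: func(string) ([]byte, error) { return []byte(sample), nil }}
	out, err := c.Get("example-profile")
	fmt.Println(string(out), err)
}
```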