[login] allow sourcing STS credentials from environment (closes #861) #864
Hmm I wonder if That would also allow workflows such as

$ aws-vault exec foo
foo $ aws s3 ls
foo $ aws-vault login

Where aws-vault could use the environment to login from within an exec subshell. Any downsides to that approach?
Good point, and it's a workflow I've needed multiple times. The only downside I see is that if you run

Done in bfbbfda, let me know how that looks!

@mtibben I've been using this feature locally for a few days, works great for me. Let me know if you require any changes!

@mtibben Eager to get this merged as I'm using it every day and I'm sure it will be useful to other folks. :) Let me know any way I can help!
9d26b0e to d07990f
Thanks for the review, when's the next release planned for?

Out now! I made one modification to the error message - hope this is OK? 67d1aea

No strong opinion. Having this behavior in usage docs would have made it easier to discover, possibly?
Sample usage:
Sample error:
Main use-case: Allow generating sign-in links when temporary credentials have been obtained from another way than aws-vault. There is third-party tooling doing it such as https://github.com/NetSPI/aws_consoler, but I feel like it's worth it to have it built in aws-vault.
Notes:
login --from-env with only IAM credentials, it would be a bit more complex (retrieve from environment, then use the GetFederationToken provider) for something that IMHO doesn't add value. If you have IAM credentials, they are long-lived by definition and they should be managed through aws-vault anyway
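
The flow described above, sketched as an added example (not aws-vault's code and not part of this PR): temporary credentials are read from the environment, credentials without a session token are rejected, and the AWS federation sign-in requests are built. The function names are hypothetical and the endpoint shown is the one for the commercial AWS partition.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"os"
)

const federationEndpoint = "https://signin.aws.amazon.com/federation"

// stsCredsFromEnv (hypothetical helper) reads temporary credentials via getenv.
// Keys without AWS_SESSION_TOKEN are long-lived IAM credentials and are rejected.
func stsCredsFromEnv(getenv func(string) string) (map[string]string, error) {
	id, secret, token := getenv("AWS_ACCESS_KEY_ID"), getenv("AWS_SECRET_ACCESS_KEY"), getenv("AWS_SESSION_TOKEN")
	if id == "" || secret == "" {
		return nil, fmt.Errorf("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set")
	}
	if token == "" {
		return nil, fmt.Errorf("AWS_SESSION_TOKEN is not set: only temporary (STS) credentials are accepted")
	}
	return map[string]string{"sessionId": id, "sessionKey": secret, "sessionToken": token}, nil
}

// signinTokenURL builds the getSigninToken request for the given session.
func signinTokenURL(session map[string]string) (string, error) {
	blob, err := json.Marshal(session)
	if err != nil {
		return "", err
	}
	q := url.Values{"Action": {"getSigninToken"}, "Session": {string(blob)}}
	return federationEndpoint + "?" + q.Encode(), nil
}

// loginURL builds the console link from the SigninToken the endpoint returns.
func loginURL(signinToken, issuer, destination string) string {
	q := url.Values{"Action": {"login"}, "Issuer": {issuer}, "Destination": {destination}, "SigninToken": {signinToken}}
	return federationEndpoint + "?" + q.Encode()
}

func main() {
	creds, err := stsCredsFromEnv(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	u, _ := signinTokenURL(creds)
	fmt.Println("getSigninToken request built, length:", len(u)) // the URL carries secrets, never log it
}
```

Both URLs carry secrets in the query string (the session credentials, then the sign-in token), so they should stay out of logs and shell history.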