Add changelog and docs for proccess provider

aws · Nov 21, 2017 · 52270dc · 52270dc
1 parent ea5bf09
commit 52270dc
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 0 deletions.
diff --git a/.changes/next-release/feature-Credentials-60840.json b/.changes/next-release/feature-Credentials-60840.json
@@ -0,0 +1,5 @@
+{
+  "description": "Adds support for the process credential provider, allowing users to specify a process to call to get credentials.",
+  "type": "feature",
+  "category": "Credentials"
+}
diff --git a/awscli/topics/config-vars.rst b/awscli/topics/config-vars.rst
@@ -264,6 +264,59 @@ the source credentials for the assume role call::
   credential_source=Ec2InstanceMetadata
 
 
+Sourcing Credentials From External Processes
+--------------------------------------------
+
+.. warning::
+
+    The following describes a method of sourcing credentials from an external
+    process. This can be VERY DANGEROUS, so proceed with caution. Other
+    credential providers should be preferred if at all possible. If using
+    this option, you should make sure that the config file is as locked down
+    as possible using security best practices for your operating system.
+
+If you have a method of sourcing credentials that isn't built in to the AWS
+CLI, you can integrate it by using ``credential_process`` in the config file.
+The AWS CLI will call that command exactly as given and then read json data
+from stdout. The process must write credentials to stdout in the following
+format::
+
+    {
+      "Version": 1,
+      "AccessKeyId": "",
+      "SecretAccessKey": "",
+      "SessionToken": "",
+      "Expiration": ""
+    }
+
+The ``Version`` key must be set to ``1``. This value may be bumped over time
+as the payload structure evolves.
+
+The ``Expiration`` key is an ISO8601 formatted timestamp. If the ``Expiration``
+key is not returned in stdout, the credentials are long term credentials that
+do not refresh. Otherwise the credentials are considered refreshable
+credentials and will be refreshed automatically. NOTE: Unlike with assume role
+credentials, the AWS CLI will NOT cache process credentials. If caching is
+needed, it must be implemented in the external process.
+
+The process can return a non-zero RC to indicate that an error occurred while
+retrieving credentials.
+
+Some process providers may need additional information in order to retrieve the
+appropriate credentials. This can be done via command line arguments. NOTE:
+command line options may be visible to process running on the same machine.
+
+Example configuration::
+
+    [profile dev]
+    credential_process = /opt/bin/awscreds-custom
+
+Example configuration with parameters::
+
+    [profile dev]
+    credential_process = /opt/bin/awscreds-custom --username monty
+
+
 Service Specific Configuration
 ==============================