ssh forward credentials to remote hosts #915

Closed
synfinatic opened this issue Jun 26, 2024 · 1 comment · Fixed by #919
Labels
enhancement New feature or request

Comments

@synfinatic
Owner

Is your feature request related to a problem? Please describe.

Imagine a user using ssh to a remote host and wanting to use AWS. Right now, they have to configure aws-sso on each of these hosts and also authenticate on each host.

Describe the solution you'd like

Ideally this should be easy to use... maybe some other kind of credential_process command? Or perhaps via the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable which uses ssh?

Not sure if this is just documentation or tooling at this point. The problem with the container URL trick is you need to "load" the credentials before using and that is a bit annoying. Need to consider the security implications of what is going on.

@synfinatic synfinatic added the enhancement New feature or request label Jun 26, 2024
@synfinatic synfinatic changed the title ssh forward auth tokens ssh forward credentials to remote hosts Jun 26, 2024
@synfinatic
Owner Author

synfinatic commented Jun 26, 2024

One interesting/questionable option is to use the ECS server feature, but the slots should be well defined (profile name) and so a request to a slot could succeed, even if the slot was not previously "loaded". In a perfect world, users should be prompted before we ask AWS for the creds? The ECS server could even run the open command to get the browser to do SSO.

It's worth noting that named profiles in ~/.aws/config can point to the ECS container via credential_source = EcsContainer and then setting the necessary ENV var. But there does not seem to be any way to specify the URL in the config file! Hence using the credential_process is probably best?

synfinatic added a commit that referenced this issue Jun 27, 2024
- Configure the bearer token in the SecureStore
- Document using ssh with aws-sso and ECS Server
- Bump to v1.17.0

Fixes: #915
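
The comment above leans towards credential_process because ~/.aws/config has no key for the container endpoint URL. As an added example (not code from aws-sso or from this issue), here is a small credential_process helper that takes the URL as its argument, sends the value of `AWS_CONTAINER_AUTHORIZATION_TOKEN` as the Authorization header, and emits the JSON that credential_process expects. The helper name, the loopback-only policy and the way the URL is passed are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example (not aws-sso code): credential_process helper, hypothetical name.
# Usage in a profile: credential_process = /path/to/helper.py <endpoint-url>
import ipaddress
import json
import os
import sys
import urllib.request
from urllib.parse import urlparse


def validate_uri(uri):
    """Accept only http(s) URLs whose host is a literal loopback IP (assumed policy)."""
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parsed.scheme)
    try:
        loopback = ipaddress.ip_address(parsed.hostname or "").is_loopback
    except ValueError:
        loopback = False  # a hostname, not an IP literal: do not trust DNS here
    if not loopback:
        raise ValueError("refusing non-loopback endpoint: %r" % parsed.hostname)
    return uri


def to_credential_process(doc):
    """Map the container endpoint's JSON to the credential_process format."""
    out = {"Version": 1,
           "AccessKeyId": doc["AccessKeyId"],
           "SecretAccessKey": doc["SecretAccessKey"],
           "SessionToken": doc["Token"]}  # the endpoint names this field "Token"
    if "Expiration" in doc:
        out["Expiration"] = doc["Expiration"]
    return out


def fetch(uri, token):
    """GET the credentials, sending the token as the Authorization header."""
    req = urllib.request.Request(validate_uri(uri), headers={"Authorization": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    if len(sys.argv) != 2 or not token:
        sys.exit("usage: AWS_CONTAINER_AUTHORIZATION_TOKEN=... helper.py <url>")
    json.dump(to_credential_process(fetch(sys.argv[1], token)), sys.stdout)
```

`urllib` follows redirects by default, so a hardened version would also refuse redirects to keep the loopback check meaningful.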