I ran into this accidentally today when mass-renaming profiles for readability. It doesn't appear that the AWS CLI considers credential_process at all, which isn't necessarily a bad thing, but it's super confusing and leads me to wonder why it's there at all. Consider the following config:
sso_start_url = https://mystarturl.awsapps.com/start
sso_region = us-east-1
sso_account_name = My Account Name
sso_account_id = 0123456789
sso_role_name = CoolRoleName
region = us-east-1
credential_process = aws-sso-util credential-process --profile My-Account-Name.CoolRoleName
sso_auto_populated = true
When I try something like aws s3 ls --profile test it works fine without error, despite there being no profile of the name My-Account-Name.CoolRoleName.
If you manually were to run aws-sso-util credential-process --profile My-Account-Name.CoolRoleName it errors out with "no such profile".
This leads me to believe that it's entirely ignoring credential_process, which again doesn't seem to be hurting anything, just creating config clutter. (I've since started using --no-credential-process but am still curious)
You are correct that credential_process is lower in precedence than the sso_* config fields (see the code here). credential_process is there as a backstop for SDKs (and versions of the CLI) that predate Identity Center support. See for example aws/aws-cdk#5455. In those cases, the Identity Center config fields are ignored, but it will pick up the credential_process entry, which, when the profile name is the same (as it should be when autogenerated), will pick up the Identity Center config in the profile and return credentials, allowing it to work.
You can disable this field with --no-credential-process or with AWS_CONFIGURE_SSO_DISABLE_CREDENTIAL_PROCESS=true in the environment; docs for that are here.
At some undefined point in the future, when the number of extant tools not using a current SDK version has dwindled sufficiently, I'll change the default, but that'll be a major version rev.
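Added example, not part of the thread and not aws-sso-util's own code: a small audit of an AWS config file that reports every credential_process entry whose --profile argument names a profile that is missing or differs from the one containing it, which is the state a mass rename leaves behind and which only surfaces on tools that fall back to credential_process. The sample config is constructed (the `[profile test]` header is assumed from the `--profile test` command in the issue), and the function names are hypothetical.

```python
import configparser
import shlex

# Constructed sample: "test" was renamed but still points at the old name; "dev" is consistent.
SAMPLE_CONFIG = """\
[profile test]
sso_start_url = https://mystarturl.awsapps.com/start
sso_region = us-east-1
sso_account_id = 0123456789
sso_role_name = CoolRoleName
credential_process = aws-sso-util credential-process --profile My-Account-Name.CoolRoleName

[profile dev]
sso_role_name = CoolRoleName
credential_process = aws-sso-util credential-process --profile dev
"""

def profile_name(section):
    # The AWS config file uses "[profile NAME]" sections, except for "[default]".
    return section[len("profile "):].strip() if section.startswith("profile ") else section

def referenced_profile(command):
    # Value of --profile in a credential_process command line, or None if absent.
    argv = shlex.split(command)
    for i, arg in enumerate(argv):
        if arg == "--profile" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--profile="):
            return arg.split("=", 1)[1]
    return None

def stale_credential_process(config_text):
    """Return (profile, referenced_profile, reason) for each inconsistent entry."""
    cp = configparser.RawConfigParser()  # Raw: no % interpolation of values
    cp.read_string(config_text)
    names = {profile_name(s) for s in cp.sections()}
    findings = []
    for section in cp.sections():
        cmd = cp.get(section, "credential_process", fallback=None)
        target = referenced_profile(cmd) if cmd else None
        if target is None:
            continue
        if target not in names:
            findings.append((profile_name(section), target, "missing"))
        elif target != profile_name(section):
            findings.append((profile_name(section), target, "mismatch"))
    return findings
```

Run it against the text of your own config file; an empty list means every credential_process entry still resolves to the profile it lives in.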