credential_process is ignored with generated SSO profiles #101

Closed
bweisshaar-benchling opened this issue Jul 10, 2023 · 2 comments

bweisshaar-benchling commented Jul 10, 2023

Hello,

I ran into this accidentally today when mass-renaming profiles for readability. It doesn't appear that the AWS cli considers credential_process at all, which isn't necessarily a bad thing, but it's super confusing and leads me to wonder why it's there at all. Consider the following config:

sso_start_url = https://mystarturl.awsapps.com/start
sso_region = us-east-1
sso_account_name = My Account Name
sso_account_id = 0123456789
sso_role_name = CoolRoleName
region = us-east-1
credential_process = aws-sso-util credential-process --profile My-Account-Name.CoolRoleName
sso_auto_populated = true

When I try something like aws s3 ls --profile test it works fine without error, despite there being no profile of the name My-Account-Name.CoolRoleName.

If you manually were to run aws-sso-util credential-process --profile My-Account-Name.CoolRoleName it errors out with "no such profile".

This leads me to believe that it's entirely ignoring credential_process, which again doesn't seem to be hurting anything, just creating config clutter. (I've since started using --no-credential-process but am still curious)

@benkehoe
Owner

You are correct that credential_process is lower in precedence than the sso_* config fields (see the code here). credential_process is there as a backstop for SDKs (and versions of the CLI) that predate Identity Center support. See for example aws/aws-cdk#5455. In those cases, the Identity Center config fields are ignored, but it will pick up the credential_process entry, which, when the profile name is the same (as it should be when autogenerated), will pick up the Identity Center config in the profile and return credentials, allowing it to work.

You can disable this field with --no-credential-process or with AWS_CONFIGURE_SSO_DISABLE_CREDENTIAL_PROCESS=true in the environment; docs for that are here.

At some undefined point in the future, when the number of extant tools not using a current SDK version has dwindled sufficiently, I'll change the default, but that'll be a major version rev.

@bweisshaar-benchling
Author

Ahh, I should have guessed it was a sort of legacy thing. No worries! Sounds like similar might have to be done for sso_session as well. Thanks.
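
A config check for the situation discussed in this thread, as an added example that is not part of the issue or of aws-sso-util: it parses an AWS config file and reports, for each profile, whether its credential_process entry names a profile that no longer exists (as happens after renaming generated profiles) and whether sso_* fields sit above it in precedence. The sample config (trimmed to the fields the check reads), the `audit` and `referenced_profile` helpers, and the rule that `sso_account_id` plus `sso_role_name` marks an Identity Center profile are assumptions made for the example.

```python
import configparser
import shlex

# Constructed sample (not from the issue): "test" was renamed after generation.
SAMPLE_CONFIG = """
[profile test]
sso_account_id = 111111111111
sso_role_name = CoolRoleName
credential_process = aws-sso-util credential-process --profile My-Account-Name.CoolRoleName

[profile Dev.Admin]
sso_account_id = 222222222222
sso_role_name = Admin
credential_process = aws-sso-util credential-process --profile Dev.Admin
"""
# Assumption: a profile with both keys is treated as Identity Center configured.
SSO_KEYS = {"sso_account_id", "sso_role_name"}

def referenced_profile(command):
    """Return the --profile argument of a credential_process command, or None."""
    args = shlex.split(command)
    for i, arg in enumerate(args[:-1]):
        if arg == "--profile":
            return args[i + 1]
    return None

def audit(config_text):
    """List each credential_process entry and whether it is masked or dangling."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    # ~/.aws/config sections are "profile NAME" (or the bare "default").
    names = {s: s.removeprefix("profile ") for s in parser.sections()}
    findings = []
    for section, name in names.items():
        opts = dict(parser.items(section))
        if "credential_process" not in opts:
            continue
        target = referenced_profile(opts["credential_process"])
        findings.append({
            "profile": name,
            "target": target,
            # Per the thread, SSO-aware SDKs use sso_* and never run the command.
            "masked_by_sso": SSO_KEYS.issubset(opts),
            "dangling": target is not None and target not in names.values(),
        })
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

A profile reported as both masked and dangling works with a current CLI but would fail in a tool that only understands credential_process, which is the case the generated entry exists to cover.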
