Add support for credential_process #44

Closed
okelet opened this issue Feb 3, 2020 · 6 comments
okelet commented Feb 3, 2020

As documented here https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html.

It should be easy; the command should return a JSON document with the already available variables.
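The document a credential_process command has to emit is the piece the comment above leaves implicit. The following is an added example, not aws-runas code: it maps the environment variables such a tool already has (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) onto the Version 1 JSON document from the linked AWS page, and writes it to stdout only, since that is the stream the SDK parses. The AWS_CREDENTIAL_EXPIRATION variable read in the `__main__` block is an assumed name, not one the page attributes to aws-runas.

```python
"""Build the JSON document expected by the AWS credential_process hook.

Added example, not aws-runas code. Required keys: Version, AccessKeyId,
SecretAccessKey. Optional: SessionToken, Expiration (ISO 8601 UTC).
"""
import json
import os
import sys
from datetime import datetime, timezone


def parse_expiration(text):
    """Parse an ISO 8601 timestamp (a trailing 'Z' is accepted) into an
    aware datetime; naive input is taken as UTC."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def build_credential_document(env, expires_at=None):
    """Return a credential_process-compatible dict built from `env`.

    `expires_at` is an aware datetime. When it is given, the SDK re-runs
    the process before the credentials lapse; when it is omitted the SDK
    treats the credentials as long-lived and never refreshes them, which
    is the wrong behaviour for STS/assumed-role credentials.
    """
    missing = [k for k in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
               if not env.get(k)]
    if missing:
        raise ValueError("missing " + ", ".join(missing))
    doc = {
        "Version": 1,
        "AccessKeyId": env["AWS_ACCESS_KEY_ID"],
        "SecretAccessKey": env["AWS_SECRET_ACCESS_KEY"],
    }
    token = env.get("AWS_SESSION_TOKEN")
    if token:  # present for temporary (STS) credentials only
        doc["SessionToken"] = token
    if expires_at is not None:
        if expires_at.tzinfo is None:
            raise ValueError("expires_at must be timezone-aware")
        doc["Expiration"] = expires_at.astimezone(timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ")
    return doc


def render(doc):
    """Serialise for stdout. Only the JSON may go to stdout; prompts and
    diagnostics belong on stderr or the SDK will fail to parse the output."""
    return json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    # AWS_CREDENTIAL_EXPIRATION is an assumed variable name for this example.
    exp = os.environ.get("AWS_CREDENTIAL_EXPIRATION")
    expires = parse_expiration(exp) if exp else None
    try:
        sys.stdout.write(render(build_credential_document(os.environ, expires)) + "\n")
    except ValueError as err:
        sys.stderr.write(f"credential-process: {err}\n")
        sys.exit(1)
```

Wiring it in is then `credential_process = /path/to/this-script` in the profile; the script must exit non-zero and keep stdout empty on any failure, otherwise the SDK sees a malformed document rather than an error.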

@mmmorris1975 (Owner)

Great suggestion. I'll see what I can do about implementing this. A few things I'll have to test, just to make sure I understand how this behaves:

  • How is the name of the profile passed to the command specified in the config option?
  • How does this behave when the profile requires MFA?
  • How to make it easy to provide the credentials in JSON vs. the usual way of environment variable setting?

Shouldn't be too hard for me to try out those scenarios, but it could add a few days to the effort.


okelet commented Feb 4, 2020

> How is the name of the profile passed to the command specified in the config option?

I think that in each profile, the credential_process command should have a parameter with the same profile name, i.e.:

[profile developer]
credential_process = aws-runas developer --credential-process-output

About the MFA, it should be tested how the question is asked when the command is called from a command using credential_process.

@mmmorris1975 (Owner)

I was thinking along those same lines. I was sort of hoping that the profile name would be passed as an environment variable via the AWS SDK (I checked a few of the SDK sources, and that's not what happens), but this seems like the next best option.

@mmmorris1975 (Owner)

I had the chance to mess around with this a bit, and it seems like there are a few caveats for the implementation. The change for the tool was pretty straightforward, but the config file stuff wasn't as straightforward as we would hope; nothing I would consider a showstopper, but things to be aware of.

It seems you can't have the credential_process attribute in the same profile you define the role. The source_profile config attribute takes precedence, and if it's found in the profile it will take that path, instead of using the setting for credential_process. That means this would only be useful when set in a distinct profile entry. So this won't use the credential_process:

[profile my-role]
source_profile = default
role_arn = arn:aws:iam:....
credential_process = /path/to/aws-runas my-profile

but this will (as long as the command you run references the my-role-cp profile):

[profile my-role]
source_profile = default
role_arn = arn:aws:iam:....

[profile my-role-cp]
credential_process = /path/to/aws-runas my-profile

Additionally, the handling of user input is variable across the AWS SDKs, which has implications for things like MFA. In the Python/boto SDK (which is used by the awscli), the command will just pause, but the prompt for MFA is not displayed because boto isn't piping stderr through (see boto/botocore#1348). That will cause some confusion, I'm sure, but if you know to expect the entry of an MFA code, you can just input the value and it works. The golang SDK does explicitly pass through stderr, so I would expect the MFA prompt to get displayed.

FYI, for my test cases, I just did a simple aws s3 ls --profile my-profile and aws s3 ls --profile my-profile-cp to see how things behave. If you have other use cases for me to consider, I'll be happy to try them out too.
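Two checks follow from the caveats in the comment above. The first is the precedence problem: a profile that carries both `credential_process` and `source_profile`/`role_arn` silently takes the assume-role path, so a small linter over `~/.aws/config` catches that before `aws s3 ls` does. The second is the MFA prompt: an SDK that does not pass the child's stderr through (the boto case linked above) hides the prompt, and opening `/dev/tty` directly sidesteps that, since the terminal is reached without going through the parent's pipes. This is an added example, not aws-runas code; the sample config is constructed here from the two profiles shown in the comment, with a made-up role ARN, and the prompt falls back to stderr/stdin when no terminal exists so it still behaves under a test harness.

```python
"""Checks for wiring a credential_process tool into ~/.aws/config.

Added example, not aws-runas code. Assumes the precedence behaviour
described in the issue (source_profile/role_arn win over
credential_process within one profile).
"""
import configparser
import sys

# Constructed sample: the two profiles from the comment, ARN made up.
SAMPLE_CONFIG = """\
[profile my-role]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/example
credential_process = /path/to/aws-runas my-profile

[profile my-role-cp]
credential_process = /path/to/aws-runas my-profile
"""


def shadowed_credential_process(config_text):
    """Return the names of profiles whose credential_process is ignored
    because the same section also sets source_profile or role_arn."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    shadowed = []
    for section in parser.sections():
        opts = parser[section]
        if "credential_process" in opts and (
                "source_profile" in opts or "role_arn" in opts):
            # The config file names profiles "[profile X]"; credentials
            # files and [default] use the bare name.
            name = section[len("profile "):] if section.startswith("profile ") else section
            shadowed.append(name)
    return shadowed


def prompt_mfa(prompt="MFA code: ", tty_path="/dev/tty",
               fallback_in=None, fallback_out=None):
    """Read an MFA code from the controlling terminal.

    Writing the prompt to /dev/tty means it is shown even when the parent
    SDK swallows stderr. Without a tty, fall back to stderr and stdin.
    """
    fallback_in = fallback_in or sys.stdin
    fallback_out = fallback_out or sys.stderr
    try:
        tty = open(tty_path, "r+")
    except OSError:
        tty = None
    try:
        out = tty or fallback_out
        inp = tty or fallback_in
        out.write(prompt)
        out.flush()
        code = inp.readline().strip()
    finally:
        if tty:
            tty.close()
    if not code.isdigit():  # TOTP/hardware MFA codes are numeric; "" means EOF
        raise ValueError("MFA code must be numeric")
    return code


if __name__ == "__main__":
    for name in shadowed_credential_process(SAMPLE_CONFIG):
        sys.stderr.write(f"warning: profile {name!r}: credential_process is "
                         "ignored because source_profile/role_arn is set\n")
```

Run against a real file with `shadowed_credential_process(open(os.path.expanduser("~/.aws/config")).read())`; an empty list means every `credential_process` entry sits in a profile of its own, as in `my-role-cp` above.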


okelet commented Feb 7, 2020

I did some tests with another script that implements credential_process and it seems, as you say, that the implementation between Python and Go is different in the way they call the script. The most up to date is the Python library, but there are lots of programs (for me, mainly Terraform) that use the Go library, or perhaps an old version of the Go library, that don't work fine with this feature... I'll keep trying frequently, but for now, the standard use of aws-runas is the best solution I have found for multiple accounts, assume roles, and MFA.

@mmmorris1975 (Owner)

Giving aws-runas the ability to provide the credentials as a JSON object compatible with the credential_process configuration still makes sense, and it's easy to implement in the tool. Folks will just need to be aware that the AWS SDK their tool uses may not have full support for this configuration, and may have some undesired/unexpected behavior. I've released this as version 1.5.1 of the tool, and will add this to the upcoming 2.0 release.
