using aws-runas as credential_process in aws config? #52

Closed
dlethin opened this issue May 15, 2020 · 2 comments

dlethin commented May 15, 2020

Thanks again for sharing this utility. I had another question for you --

It seems with support in aws-runas to output credentials as JSON with the -O json option, most of the pieces are in place to register aws-runas as an external credential source as documented here.

However, I'm unable to get this to work. If I have a config that looks like this:

[profile runas]
credential_process=aws-runas -O json -S "https://SUBDOMAIN.onelogin.com/trust/saml2/launch/APP_ID?token=XXXXXXXXXX==" -U "MY_EMAIL"
role_arn = arn:aws:iam::ACCOUNT_ID:role/MY_ROLE

Then I try to run a simple aws cli command to test this out:

$ AWS_PROFILE=runas aws sts get-caller-identity
Partial credentials found in assume-role, missing: source_profile or credential_source

If I remove the `role_arn` config from the profile, I get this:

$ AWS_PROFILE=runas aws sts get-caller-identity
Error when retrieving credentials from custom-process: 2020/05/14 22:13:19 FATAL Error getting credentials: InvalidParameter: 2 validation error(s) found.
- minimum field size of 20, AssumeRoleWithSAMLInput.PrincipalArn.
- minimum field size of 20, AssumeRoleWithSAMLInput.RoleArn.

Maybe this would work if there was a way to pass the role ARN as a command line argument to aws-runas rather than trying to read it from the configuration of the profile being referenced?

Or is there another way to do this already today without any changes?

Thanks.
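The first error in the post ("Partial credentials found in assume-role, missing: source_profile or credential_source") comes from the AWS SDK's profile-resolution rule: a profile that sets `role_arn` must also name where its source credentials come from, and a `credential_process` entry on the same profile does not satisfy that rule. The following is an added example, not code from the aws-runas project or from anyone in this thread. It re-implements that rule as a check over an AWS config file, and validates the JSON contract a `credential_process` command must honour (`Version: 1` plus `AccessKeyId`/`SecretAccessKey`, with `SessionToken` and `Expiration` for temporary credentials). The config text and JSON are constructed samples built from the placeholders in the post; the split layout (`runas-source` / `runas`) is an assumption that satisfies the SDK's structural rule, not the project's recommended setup, which lives in the #44 comment referenced below.

```python
"""Added example (not from the aws-runas project or this issue thread).

Checks an AWS config for the assume-role rule that produced the error in the
issue, and validates credential_process JSON output. All inputs are constructed.
"""
import configparser
import json
from datetime import datetime, timezone

# Constructed sample: the layout from the issue, placeholders kept as-is.
BROKEN_CONFIG = """
[profile runas]
credential_process = aws-runas -O json -S "https://SUBDOMAIN.onelogin.com/trust/saml2/launch/APP_ID?token=XXXXXXXXXX==" -U "MY_EMAIL"
role_arn = arn:aws:iam::ACCOUNT_ID:role/MY_ROLE
"""

# Constructed sample (assumption): same pieces split so the role profile names
# a source_profile. This satisfies the SDK's structural rule checked below;
# whether aws-runas's own role handling fits this layout is not established here.
SPLIT_CONFIG = """
[profile runas-source]
credential_process = aws-runas -O json -S "https://SUBDOMAIN.onelogin.com/trust/saml2/launch/APP_ID?token=XXXXXXXXXX==" -U "MY_EMAIL"

[profile runas]
role_arn = arn:aws:iam::ACCOUNT_ID:role/MY_ROLE
source_profile = runas-source
"""

# Constructed sample of what a credential_process command is expected to print.
SAMPLE_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "EXAMPLESECRET",
    "SessionToken": "EXAMPLETOKEN",
    "Expiration": "2099-01-01T00:00:00Z",
})


def parse_aws_config(text):
    """Parse AWS-style INI text into {section: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_profiles(config):
    """Apply the SDK rule: role_arn needs source_profile or credential_source.

    Returns {profile: [problem, ...]} for every profile that violates it.
    """
    problems = {}
    for name, opts in config.items():
        issues = []
        if "role_arn" in opts:
            if "source_profile" not in opts and "credential_source" not in opts:
                issues.append("role_arn without source_profile or credential_source")
            src = opts.get("source_profile")
            if src is not None and f"profile {src}" not in config and src not in config:
                issues.append(f"source_profile '{src}' is not defined")
        if issues:
            problems[name] = issues
    return problems


def validate_credential_process_output(raw):
    """Check credential_process JSON; returns (ok, reason)."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return False, f"not JSON: {exc}"
    if doc.get("Version") != 1:
        return False, "Version must be 1"
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not doc.get(key):
            return False, f"missing {key}"
    # Expiration is optional in the contract; when present it must parse and
    # still be in the future, otherwise the SDK would reject/refresh immediately.
    exp = doc.get("Expiration")
    if exp:
        when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        if when <= datetime.now(timezone.utc):
            return False, "credentials already expired"
    return True, "ok"


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("split", SPLIT_CONFIG)):
        print(label, check_profiles(parse_aws_config(text)))
    print(validate_credential_process_output(SAMPLE_OUTPUT))
```

Run against the first config, `check_profiles` reports exactly the condition behind the CLI's "Partial credentials found in assume-role" message; against the split layout it reports nothing, which is the structural prerequisite before any `credential_process` command is even invoked.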

mmmorris1975 (Owner) commented

Hi Doug, sorry for taking a bit to get back to you. When this was originally proposed, I had found some caveats about how the configuration would need to be built. You can see #44 for the full details, but the specific bits can be found in this specific comment. Hopefully it will get you going!

dlethin commented May 16, 2020

Thanks for providing the link. I had thought to search through past issues before submitting this one and I'm scratching my head wondering how I missed the exact info I was looking for. The comments you referred me to were the most informative description of the challenges with using credential_process with regards to different behaviors of the underlying SDK that I've come across. You've probably explained some behavior I'm seeing when I use aws-vault as a credential_process with python/boto based tools.

I will try your suggestion out and close this issue. Thanks again. Cheers.

dlethin closed this as completed May 16, 2020