🌱 Support for credential_process

[AlainODea]

Problem Statement

Issue #59 states:

This was talked about in the recent AWS CLI talk at re:Invent

By supporting returning a specific JSON object, as described here: http://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes okta-aws-cli-assume-role can integrate better with the aws-cli command.

See example here: https://github.com/awslabs/awsprocesscreds

/cc: @AlainODea @mraible @rdegges @joelfranusic-okta

Solution

• Add CredentialProcess entry-point

• Move logging/console interaction to STDERR (allow 2>/dev/null)

• Depends on 🐛 OKTA_AWS_ROLE_TO_ASSUME doesn't work #201 unless you only have one AWS role assigned in Okta

Resolves #59

[AlainODea]

@mmahadevan-okta are you up for code-reviewing this?

[mmahadevan-okta]

I would not be the right person to code review it. :( But perhaps @tom-smith-okta can help? Tom?

[tom-smith-okta]

Sure, @mmahadevan-okta @AlainODea, where would the CredentialProcess get called from? Or can you tell me what you mean by "Add CredentialProcess entry-point"? How does it get invoked?

[mmahadevan-okta]

From my cursory overview, it LGTM. :)

[AlainODea]

CredentialProcess would be run from the command-line. I suppose it’s probably a good idea to create awscreds-okta bash script and Bat file or something similar to make this easier to consume.

[tom-smith-okta]

@AlainODea I'm sure your code is greta. The nice thing about the credential_process keyword is that it allows you to keep the "regular" aws commands and profile system in place. So I can set up my ~/.aws/config file with an entry like:

[profile okta01]
credential_process = okta-aws-cli-1.0.3.jar -param1 xyz -param2 123

and then I can invoke this profile by using
aws s3 ls --profile okta01
I just wasn't sure if your setup would allow this kind of invocation.

[AlainODea]

@tom-smith-okta you are right. The more people use this, the more I realize overriding the aws command was a bad idea. I’m going to remove that from the installer in an upcoming PR.

[AlainODea]

java -jar okta-aws-cli.jar com.okta.tools.CredentialProcess would run this entry point. I’m also realizing that I should support command-line options for all the env and config file options to make this kind of use really practical.

[AlainODea]

@tom-smith-okta are you okay with me merging this and following up with the installer fix. Is there anything essential I should do before merging it?

[tom-smith-okta]

Absolutely OK with that

…

________________________________ From: AlainODea <[email protected]> Sent: Monday, September 24, 2018 7:16 AM To: oktadeveloper/okta-aws-cli-assume-role Cc: Tom Smith; Mention Subject: Re: [oktadeveloper/okta-aws-cli-assume-role] 🌱 Support for credential_process (#203) @tom-smith-okta<https://github.com/tom-smith-okta> are you okay with me merging this and following up with the installer fix. Is there anything essential I should do before merging it? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#203 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ATnFNgZtPv_ohpKW1L7rpPA259XqxI2Fks5ueM0kgaJpZM4WknVC>.