aws-adfs offers some serious advantages over our current bash scripting for AD-based credentials. But for it to be useful in the use cases I have, I'll need to extend it ... either from the outside (in a script wrapper) or by forking and extending (obviously harder!). How have people extended it up to now architecturally?
The main issue and use case is role chaining. There is a series of accounts that users access by:
- Authenticating with AD (scripted) which accesses a neutral role with only privileges to assume other roles in other accounts
- Chaining to target roles in the target accounts using the initial AD role assume credentials
This architecture is quite common with the advent of AWS Organizations and account-per-project architectures. So I wonder if anyone solved this chaining scenario using aws-adfs?
If not:
- I see current code can write the temporary creds to the usual environment variables for postprocessing via `--printenv`. I assume that's the way to move forward in a wrapper script?
- Is there an obvious point in code to internally extend the functionality and have aws-adfs do the chaining? If so, is there an obvious place to put the secondary configuration, e.g. all role ARNs the initial role can chain to?
- Is there an existing mode where current code can be addressed as a python library from a custom python wrapper?
- Other thoughts?
Then there's time limits, especially with role chaining. I see from your example that aws-adfs can be placed (manually?) in the ~/.aws/config like this:
```
[profile example-role-ue1]
credential_process=aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout
```
but it's not clear from the AWS doc how that command is activated. Is this credential_process something that is somehow automatically run as temporary creds expire? How is that line processed/run/made effective?
If we were able to usably extend to chained roles, credential_process might solve the problem of long-running jobs dying after the statutory one hour lifetime on chained creds.
Anyway, thoughts welcome! Thanks for a great capability!
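As an added illustration (not part of the original post, and not aws-adfs code), here is a minimal wrapper showing the two mechanics the post asks about: what a `credential_process` command has to print, and how a chained `AssumeRole` call is constrained. The AWS SDK runs the command in the `credential_process` line whenever it needs credentials for that profile; if the JSON it prints contains an `Expiration`, the SDK caches the credentials and re-runs the command after they expire. The assumed parts are: that the base credentials arrive as `export AWS_...=` lines (the shape assumed for `--printenv` output) or as environment variables, and the `assume_role` callable signature, which is injected so the logic runs offline; `boto3_assume_role` shows the real implementation.

```python
import json
import os
import sys
from datetime import datetime, timezone

# STS refuses DurationSeconds above one hour when the caller's own credentials are
# temporary (role chaining), whatever the target role's MaxSessionDuration says.
CHAINED_MAX_SECONDS = 3600


def parse_env_exports(text):
    """Turn 'export AWS_X=y' style lines (the shape assumed here for
    `aws-adfs login --printenv` output) into a dict. Blank lines and
    comments are ignored; surrounding quotes on values are stripped."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        creds[key.strip()] = value.strip().strip("'\"")
    return creds


def chain_role(assume_role, base_creds, role_arn, session_name,
               duration_seconds=CHAINED_MAX_SECONDS):
    """Assume `role_arn` with the (temporary) base credentials.

    `assume_role` is an injected callable with the hypothetical signature
    assume_role(base_creds, role_arn, session_name, duration_seconds) -> dict
    shaped like the STS AssumeRole response, so this is testable offline.
    The requested duration is capped at one hour because the base
    credentials are themselves temporary (role chaining)."""
    duration_seconds = min(duration_seconds, CHAINED_MAX_SECONDS)
    response = assume_role(base_creds, role_arn, session_name, duration_seconds)
    return response["Credentials"]


def to_credential_process_json(sts_credentials):
    """Build the document a credential_process command must print on stdout.
    Version must be 1. With Expiration present the SDK re-runs the process
    when the credentials expire; without it they are cached for the life
    of the SDK process."""
    expiration = sts_credentials["Expiration"]
    if isinstance(expiration, datetime):  # boto3 returns an aware datetime
        expiration = expiration.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": 1,
        "AccessKeyId": sts_credentials["AccessKeyId"],
        "SecretAccessKey": sts_credentials["SecretAccessKey"],
        "SessionToken": sts_credentials["SessionToken"],
        "Expiration": expiration,
    }


def boto3_assume_role(base_creds, role_arn, session_name, duration_seconds):
    """Real implementation of the injected callable (needs boto3 and network)."""
    import boto3  # imported lazily so the module stays importable without it
    sts = boto3.client(
        "sts",
        aws_access_key_id=base_creds["AWS_ACCESS_KEY_ID"],
        aws_secret_access_key=base_creds["AWS_SECRET_ACCESS_KEY"],
        aws_session_token=base_creds["AWS_SESSION_TOKEN"],
    )
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration_seconds)


if __name__ == "__main__":
    # Hypothetical usage as `credential_process=python chain.py <target-role-arn>`:
    # the base credentials come from the AD login step via the environment, and
    # only the JSON goes to stdout because the SDK parses stdout verbatim.
    target_role = sys.argv[1]
    base = {k: os.environ[k] for k in
            ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")}
    creds = chain_role(boto3_assume_role, base, target_role, "chained-session")
    print(json.dumps(to_credential_process_json(creds)))
```

Because the cap is applied in `chain_role`, the wrapper never asks STS for more than an hour on the chained hop; the SDK's re-invocation of the `credential_process` command is what keeps a long-running job alive past that hour, as long as the base AD session it chains from is still valid when the command runs again.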