ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.

Allow for usage of aws config file for google config like aws-google-auth does

nickphbrown opened this issue · comments

Using the aws config file for the google config helps with managing many profiles that assume a different role each.

Rather than having to remember the role ARNs for different profiles and pass them to the gsts command, it would be handy for gsts to look in the aws config based on the aws-profile that I pass it.

See an example of a config item used for aws-google-auth below, along with a link to the part in the code where the file is read and config is set.

[profile {profile_name}]
region = {region}
google_config.ask_role = False
google_config.keyring = False
google_config.duration = 3600
google_config.google_idp_id = {idp_id}
google_config.google_sp_id = {sp_id}
google_config.u2f_disabled = False
google_config.google_username = {user_name}
google_config.bg_response = None
google_config.role_arn = arn:aws:iam::{account_id}:role/{role_name}

https://github.com/cevoaustralia/aws-google-auth/blob/19a48a54fa69e5874764b9764da3f6bac6312777/aws_google_auth/configuration.py#L163

I'm happy to attempt a PR for this, btw, as long as I get the OK that there's nothing against the idea.

Hey @nickphbrown. Doesn't

gsts/credentials-manager.js

Lines 203 to 222 in bde055f

async saveCredentials(path, profile, { accessKeyId, roleArn, secretAccessKey, sessionExpiration, sessionToken }) {
  // The config file may have other profiles configured, so parse existing data instead of writing a new file.
  let credentials = await this.loadCredentials(path);

  if (!credentials) {
    credentials = {};
  }

  credentials[profile] = {};
  credentials[profile].aws_access_key_id = accessKeyId;
  credentials[profile].aws_role_arn = roleArn;
  credentials[profile].aws_secret_access_key = secretAccessKey;
  credentials[profile].aws_session_expiration = sessionExpiration.toISOString();
  credentials[profile].aws_session_token = sessionToken;

  await mkdirP(dirname(path));
  await fs.writeFile(path, ini.encode(credentials));

  this.logger.debug('The credentials have been stored in "%s" under AWS profile "%s" with contents %o', path, profile, credentials);
}
serve that purpose already?

@ruimarinho It doesn’t. The part you’ve quoted shows the credentials being saved to the aws credentials file.

What I’d like is to be able to run the command ‘gsts --aws-profile {profile-name}’ and have it pick up the ‘aws-role-arn’, ‘sp-id’, ‘idp-id’ and ‘username’ from the aws config file.

That way I don’t need to use the aws ‘credential_process’ feature but can still easily get credentials for any profile without having to know any other information than the profile name.
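The lookup described in this issue, profile name in, Google/SAML settings out, as an added example that is not part of gsts or aws-google-auth: it parses the `[profile NAME]` sections of an AWS config file, collects the `google_config.*` keys quoted above, and returns null when the profile or a required key is missing so the caller can fall back to CLI flags. The helper names (`parseAwsConfig`, `loadGoogleProfile`) and the sample config with its placeholder IDs are constructed for the example; the key names are the aws-google-auth ones shown in the issue.

```javascript
// Added example (not gsts project code): read per-profile google_config.* settings
// from an AWS config file, as the issue asks gsts to do. Helper names are hypothetical;
// the key names are the aws-google-auth ones quoted in the issue.

// Keys without which gsts could not start a SAML login for the profile.
const REQUIRED = ['google_idp_id', 'google_sp_id', 'google_username', 'role_arn'];

// Minimal INI parser: "[section]" headers and "key = value" lines; "#"/";" lines are comments.
function parseAwsConfig(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1].trim();
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1 || current === null) continue;
    sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Convert the string values aws-google-auth writes ("False", "None", "3600").
// IDs stay strings on purpose so leading zeros are never lost.
function coerce(key, value) {
  if (/^(true|false)$/i.test(value)) return value.toLowerCase() === 'true';
  if (/^none$/i.test(value)) return null;
  if (key === 'duration' && /^\d+$/.test(value)) return Number(value);
  return value;
}

// Return the google_config.* settings for an AWS profile, or null if the profile
// (or any required key) is missing, so the caller can fall back to CLI flags.
function loadGoogleProfile(text, profileName) {
  const sections = parseAwsConfig(text);
  // The AWS CLI names every profile except "default" as "[profile NAME]".
  const section = sections[profileName === 'default' ? 'default' : `profile ${profileName}`];
  if (!section) return null;
  const google = {};
  for (const [key, value] of Object.entries(section)) {
    if (key.startsWith('google_config.')) {
      const name = key.slice('google_config.'.length);
      google[name] = coerce(name, value);
    }
  }
  for (const key of REQUIRED) if (google[key] === undefined) return null;
  // Reject a malformed role ARN early, before any SAML round trip is attempted.
  if (!/^arn:aws:iam::\d{12}:role\/[\w+=,.@/-]+$/.test(google.role_arn)) return null;
  // Keep the requested session length within the STS AssumeRoleWithSAML bounds (900 s to 12 h).
  if (typeof google.duration === 'number') {
    google.duration = Math.min(Math.max(google.duration, 900), 43200);
  }
  return { region: section.region, ...google };
}

// Constructed sample config in the layout quoted in the issue, with placeholder values.
const SAMPLE_CONFIG = `
[default]
region = us-east-1

[profile dev]
region = eu-west-1
google_config.ask_role = False
google_config.duration = 3600
google_config.google_idp_id = C01example
google_config.google_sp_id = 123456789012
google_config.google_username = user@example.com
google_config.role_arn = arn:aws:iam::123456789012:role/DevRole
`;

console.log(JSON.stringify(loadGoogleProfile(SAMPLE_CONFIG, 'dev'), null, 2));
```

With this in place, `gsts --aws-profile dev` would only need `loadGoogleProfile(fs.readFileSync(awsConfigPath, 'utf8'), 'dev')` to obtain the IdP ID, SP ID, username and role ARN; the `[default]` profile in the sample deliberately carries no `google_config.*` keys and therefore yields null.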

Rui! This feature is becoming a matter of national pride! I work in the US and we used aws-google-auth, but with the problems that tool had this week and its lack of maintenance, we decided to switch to gsts.

Here is my reaction:

[image]

but then:

[image]
[image]

OK, jokes aside:

  1. Thank you very much for this tool. Better than aws-google-auth.
  2. The feature in this ticket would be very welcome.

This feature will land on the next major via #82!