From 08035b93069c0ca518b13d1ef905e08b95bc1269 Mon Sep 17 00:00:00 2001
From: Ben Ellis
Date: Thu, 13 Oct 2022 17:56:28 +0100
Subject: [PATCH] [895] --credential-process now implicitly sets quiet and skip-prompt and will no longer save to ~/.aws/credentials
---
 README.md | 13 ++++++++++---
 cmd/saml2aws/commands/login.go | 26 ++++++++++++++++----------
 cmd/saml2aws/main.go | 2 +-
 3 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 672b3750b..263c8b2c8 100644
--- a/README.md
+++ b/README.md
@@ -714,15 +714,22 @@ DUMP_CONTENT=true saml2aws login --verbose
 [Credential Process](https://github.com/awslabs/awsprocesscreds) is a convenient way of interfacing credential providers with the AWS Cli.
-You can use `saml2aws` as a credential provider by simply configuring it and then adding a profile to the AWS configuration. `saml2aws` has a flag `--credential-process` generating an output with the right JSON format, as well as a flag `--quiet` that will block the logging from being displayed.
-The AWS credential file (typically ~/.aws/credentials) has precedence over the credential_process provider. That means that if credentials are present in the file, the credential process will not trigger. To counter that you can override the aws credential location of `saml2aws` to another file using `--credential-file` or specifying it during `configure`.
+You can use `saml2aws` as a credential provider by simply configuring it and then adding a profile to the AWS configuration. `saml2aws` has a flag `--credential-process` generating an output with the right JSON format.
+
+The AWS credential file (typically ~/.aws/credentials) has precedence over the credential_process provider. That means that if credentials are present in the file, the credential process will not trigger.
 An example of the aws configuration (`~/.aws/config`):
 ```
 [profile mybucket]
 region = us-west-1
-credential_process = saml2aws login --skip-prompt --quiet --credential-process --role --profile mybucket
+credential_process = saml2aws login --credential-process --role --profile mybucket
+```
+
+You can add this manually or via the awscli, i.e.
+
+```
+aws configure set credential_process "saml2aws login --credential-process --role --profile mybucket"
 ```
 When using the aws cli with the `mybucket` profile, the authentication process will be run and the aws will then be executed based on the returned credentials.
diff --git a/cmd/saml2aws/commands/login.go b/cmd/saml2aws/commands/login.go
index 86fe3ffd0..62aab144a 100644
--- a/cmd/saml2aws/commands/login.go
+++ b/cmd/saml2aws/commands/login.go
@@ -146,8 +146,22 @@ func Login(loginFlags *flags.LoginExecFlags) error {
 		if err != nil {
 			return err
 		}
+	} else {
+		err = saveCredentials(awsCreds, sharedCreds)
+		if err != nil {
+			return err
+		}
+
+		log.Println("Logged in as:", awsCreds.PrincipalARN)
+		log.Println("")
+		log.Println("Your new access key pair has been stored in the AWS configuration.")
+		log.Printf("Note that it will expire at %v", awsCreds.Expires)
+		if sharedCreds.Profile != "default" {
+			log.Println("To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile", sharedCreds.Profile, "ec2 describe-instances).")
+		}
 	}
-	return saveCredentials(awsCreds, sharedCreds)
+
+	return nil
 }
 func buildIdpAccount(loginFlags *flags.LoginExecFlags) (*cfg.IDPAccount, error) {
@@ -220,7 +234,7 @@ func resolveLoginDetails(account *cfg.IDPAccount, loginFlags *flags.LoginExecFla
 	// log.Printf("loginDetails %+v", loginDetails)
 	// if skip prompt was passed just pass back the flag values
-	if loginFlags.CommonFlags.SkipPrompt {
+	if loginFlags.CommonFlags.SkipPrompt || loginFlags.CredentialProcess {
 		return loginDetails, nil
 	}
@@ -348,14 +362,6 @@ func saveCredentials(awsCreds *awsconfig.AWSCredentials, sharedCreds *awsconfig.
 		return errors.Wrap(err, "Error saving credentials.")
 	}
-	log.Println("Logged in as:", awsCreds.PrincipalARN)
-	log.Println("")
-	log.Println("Your new access key pair has been stored in the AWS configuration.")
-	log.Printf("Note that it will expire at %v", awsCreds.Expires)
-	if sharedCreds.Profile != "default" {
-		log.Println("To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile", sharedCreds.Profile, "ec2 describe-instances).")
-	}
-
-	return nil
 }
diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go
index d6ee181e3..a0c405f47 100644
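Review bot: The new `} else {` branch in Login is where the commit decides that credential-process mode never writes the keys to the shared credentials file, yet nothing in the code says why, so a later reader sees two branches that differ only in a save call. The README hunk on this page gives the reason (the credentials file takes precedence over credential_process, so a saved key pair would shadow the provider on the next CLI call, and once expired would leave the CLI with stale keys); put that next to the branch, e.g. `// credential-process mode hands the keys to the AWS CLI on stdout only; persisting them would let ~/.aws/credentials shadow the provider on the next invocation`. The two statements `err = saveCredentials(awsCreds, sharedCreds)` / `if err != nil {` can be folded into `if err = saveCredentials(awsCreds, sharedCreds); err != nil {`. Login starts above the hunk, so the condition this else pairs with is not visible here.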
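Review bot: The context comment above the changed condition in resolveLoginDetails, `// if skip prompt was passed just pass back the flag values`, no longer matches the code now that `loginFlags.CredentialProcess` also short-circuits; change it to `// skip-prompt, or credential-process mode (which implies it because the AWS CLI consumes the output non-interactively), returns the flag values as given`. With prompting skipped, a username or password missing from flags, config or the keychain is no longer asked for, and the login presumably fails further down; combined with the main.go hunk discarding all log output in this mode, the user-visible signal may be thin, so the README hunk on this page should state explicitly that `--credential-process` now implies `--skip-prompt` and `--quiet` rather than only dropping the two flags from the example command. The surrounding function begins above the hunk.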
--- a/cmd/saml2aws/main.go
+++ b/cmd/saml2aws/main.go
@@ -169,7 +169,7 @@ func main() {
 		errtpl = "%+v\n"
 	}
-	if *quiet {
+	if *quiet || (command == cmdLogin.FullCommand() && loginFlags.CredentialProcess) {
 		log.SetOutput(ioutil.Discard)
 		logrus.SetOutput(ioutil.Discard)
 	}
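Review bot: The added condition `command == cmdLogin.FullCommand() && loginFlags.CredentialProcess` hard-codes the implied-quiet rule at the point where the loggers are configured, and nothing on the line says why, so a comment is needed to keep someone from "fixing" it later: `// --credential-process must leave stdout as the bare JSON document the AWS CLI parses, so it implies --quiet`. Because this discards both `log` and logrus output for the whole run, an authentication failure in credential-process mode presumably surfaces only through the `errtpl` path visible in the context lines; it is worth confirming that path writes to stderr independently of these two loggers, otherwise the CLI user gets an opaque failure with nothing to read. If `--credential-process` is ever added to another command, this condition has to be extended by hand, which the comment should also mention.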