Browser login and Credential process #236
Open
There are two features that join into each other:
Browser Login:
Open the user's web browser, let him log in there, and then we catch the SAML.
It's slightly annoying, because Google will only send the SAML to a valid https server. To work around this, I have a server that can be hosted serverless-ly somewhere, and it will forward the SAML to http://127.0.0.1:8000, where the Python client is waiting for it.
Credential Process:
AWS CLI supports a config, credential_process, that means it can trigger a process to get the credentials for a profile. These changes allow aws-google-auth to be this process. Now everything is magic.
There are a couple of changes required for this - basically AWS CLI won't call the process if there are any keys in the credentials file - even if it's expired, but it also doesn't have its own credentials cache, so basically we write the creds to the credentials file under a different name and use this as a cache. I keep it in the credentials file so that the security properties are the same as normal.
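The caching scheme described above, sketched as an added example (not code from this pull request or from aws-google-auth): credentials are stored under a separate section so the real profile never holds keys, and a cached entry is returned in the JSON shape the AWS CLI expects from a credential_process only while it is still valid. The `-cache` suffix, the `expiration` key name and the five-minute margin are assumptions, and the sample values are constructed.

```python
import configparser
import io
import json
from datetime import datetime, timedelta, timezone

CACHE_SUFFIX = "-cache"          # assumed name of the cache section
MIN_TTL = timedelta(minutes=5)   # assumed margin: refresh before keys expire


def _parse(creds_text):
    cp = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cp.read_string(creds_text)
    return cp


def store_cached(creds_text, profile, creds):
    """Write fresh credentials to the cache section, never to `profile` itself."""
    cp = _parse(creds_text)
    cp[profile + CACHE_SUFFIX] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],  # assumed key, ISO 8601 with offset
    }
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def load_cached(creds_text, profile, now):
    """Return the credential_process payload, or None if a new login is needed."""
    try:
        s = _parse(creds_text)[profile + CACHE_SUFFIX]
        expires = datetime.fromisoformat(s["expiration"].replace("Z", "+00:00"))
        if expires.tzinfo is None or expires - now < MIN_TTL:
            return None  # unparseable-as-UTC or about to expire: do not reuse
        return {
            "Version": 1,
            "AccessKeyId": s["aws_access_key_id"],
            "SecretAccessKey": s["aws_secret_access_key"],
            "SessionToken": s["aws_session_token"],
            "Expiration": expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        }
    except (KeyError, ValueError):
        return None  # missing section/key or malformed timestamp


if __name__ == "__main__":
    sample = {"AccessKeyId": "ASIACONSTRUCTEDKEY", "SecretAccessKey": "constructed",
              "SessionToken": "constructed", "Expiration": "2030-01-01T13:00:00Z"}
    text = store_cached("", "work", sample)
    print(json.dumps(load_cached(text, "work", datetime.now(timezone.utc))))
```

A real helper would also write the credentials file with owner-only permissions, since the cached session token is as sensitive as the keys a normal login stores there.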