Browser login and Credential process #236
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Has some relations to #142 but I dont handle the interactive flow for credential_process - instead assuming you use the non-interactive browser flow. |
when resolving aliases, some roles might be used that actually don't work right now, this change allows these to just show the account number
mcfedr
force-pushed
the
credential_process
branch
from
e344db7 to
b4a8915
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There are two features that join into each other:
Browser Login:
Open the users web browser, let him login there, and then we catch the SAML.
Its slightly annoying, because google will only send the SAML to a valid https server. To work around this, I have a server that can be hosted serverless-ly somewhere, and it will forward the SAML to http://127.0.0.1:8000, where the python client is waiting for it.
Credential Process:
AWS cli supports an config,
credential_process, that means it can trigger a process to get the credentials for a profile. These changes allow aws-google-auth to be this process. Now everything is magic.There are a couple of changes required for this - basically aws cli wont call the process if there are any keys in credentials file - even if its expired, but it also doesn't have its own credentials cache, so basically we write the creds to the credentials file under a different name and use this as a cache. I keep it in the credentials file so that the security properties as the same as normal.