This repository was archived by the owner on May 18, 2021. It is now read-only.

Using credential_process when multiple IAM roles available #266

Closed
bgshacklett opened this issue Dec 23, 2019 · 3 comments

@bgshacklett

I'm trying to get aws-okta configured as the credential_process for a particular profile. The Okta application configured at the SAML URL has multiple AWS IAM roles assigned, requiring the particular role to be chosen interactively. This interactive prompt causes aws-okta to hang indefinitely. I attempted to use the role_arn option to specify the desired role, but this seems to cause the CLI to bypass the credential_process option entirely, throwing an error about partial credentials.

Is it possible to configure profiles to assume specific roles directly without an interactive prompt?

@gacopl

gacopl commented Dec 27, 2019

I've been struggling with that as well. This is due to AWS behaviour: when role_arn is specified, the AWS SDK will either look for source_profile or direct credentials for this profile in the credentials file; it does not support credential_process.

On the main account I use credential_process and am not specifying role_arn, and for roles I create profiles with source_profile pointing to the main profile. This will AssumeRole in a chain and work fine, except the assumed roles will hit the AWS hard limit of a 1hr STS token when chaining AssumeRole, which will be OK as Okta will extend it when needed.

BUT if some shit doesn't understand credential_process in assumed-chain roles, like the Terraform S3 backend bucket, then you need aws-okta env to inject the session token into the env, and that one expires within 1hr with no option to change it, and you have to remove it manually.
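The profile layout this comment describes, written out as an added example (it is not from the issue or from the aws-okta project). Profile names, account ids and role ARNs are placeholders, the Okta-specific settings of the base profile are omitted, and `aws-okta cred-process <profile>` is assumed to be the aws-okta subcommand that prints credentials in the credential_process JSON format:

```ini
# Added example, not from the issue. Layout for ~/.aws/config.
# Placeholders: profile names, account ids (111111111111, 222222222222)
# and role names. The aws-okta invocation is an assumption.

# --- What does NOT work: role_arn and credential_process in one profile.
# The SDK sees role_arn, looks for source_profile or static keys, never
# invokes credential_process, and fails with a partial-credentials error.
[profile broken-role]
credential_process = aws-okta cred-process okta-main
role_arn = arn:aws:iam::111111111111:role/PLACEHOLDER-Role

# --- What works: one base profile that only uses credential_process ...
[profile okta-main]
credential_process = aws-okta cred-process okta-main

# ... and one profile per role that chains off it via source_profile.
# The SDK resolves okta-main through credential_process, then calls
# sts:AssumeRole for the role below. Chained credentials are capped at
# the 1h STS limit mentioned above; the base credentials are refreshed
# by aws-okta when the SDK asks for them again.
[profile role-a]
source_profile = okta-main
role_arn = arn:aws:iam::111111111111:role/PLACEHOLDER-RoleA

[profile role-b]
source_profile = okta-main
role_arn = arn:aws:iam::222222222222:role/PLACEHOLDER-RoleB
```

To check that the chain resolves, run `aws sts get-caller-identity --profile role-a`; the returned ARN should be the assumed-role ARN for RoleA rather than the identity behind okta-main. Tools that read only static environment credentials (the Terraform S3 backend case above) still need the session token exported into the environment, with the 1h expiry that implies.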

@bgshacklett
Author

I found a relevant issue in the botocore library: boto/botocore#1329. It looks like there's still some work to be done in the AWS SDKs to make this work smoothly.

@nickatsegment
Contributor

#278
