
Support returning AWS credentials in a format suitable for use with the credentials_provider format. #12768

Open
the-maldridge opened this issue Oct 7, 2021 · 0 comments


the-maldridge commented Oct 7, 2021

Is your feature request related to a problem? Please describe.
The only supported way to have the AWS SDK reload configuration from disk across all language SDKs is to use an external "credential provider process". Since the most obvious way to do this is cat it would be most convenient to have Vault return data in a format suitable for consul-template/vault agents to just pass to the json serializer and spit out to disk.

Notably I don't think this is possible to work around today due to the requirement from AWS that the expiration timestamp be in ISO8601 format, for which no helper exists today to manipulate.

Describe the solution you'd like
I want to be able to pass a template like so:

{{ with secret "aws/creds/foo" format="credentials_process" }}{{ .Data | json}}{{end}}

This should result in the file being written according to this format: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html.

Describe alternatives you've considered
I tried assembling the json blob by hand but this doesn't work because there's no function for manipulating ISO8601 timestamps or converting between timestamp formats.

I also just tried writing the shared credentials file format in the hopes that the AWS SDK would be smart enough to reload the file when changed, but this is not the case across all language SDKs. For example the Java one does but the Go one doesn't.

Explain any additional use-cases
This would solve a whole class of problems with using applications that don't implement their own credential reloading. Why the AWS SDK doesn't implement reload is a mystery, but as long as it doesn't, hacking around it with the credentials_process is the most straightforward way.

Additional context
It's probably also possible to resolve this by returning the expiration of the credentials as an absolute time rather than a relative time, which would enable the manual assembly of the right structure.
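The conversion the issue asks for, as an added example that is not part of the original issue and not Vault's or consul-template's own code: it maps the field names the Vault AWS secrets engine returns (access_key, secret_key, security_token, plus the lease_duration in seconds) onto the credential_process document the AWS SDKs read (Version, AccessKeyId, SecretAccessKey, SessionToken, Expiration as ISO8601/RFC3339), turning the relative lease into an absolute timestamp. The VaultAWSSecret type and the sample values are constructed for the example; the issued-at time is passed in so the expiry is reproducible.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// CredentialProcessOutput mirrors the JSON document the AWS SDKs expect from a
// credential_process command. Expiration must be ISO8601; Go's RFC3339 layout
// produces an acceptable form (e.g. 2021-10-07T13:00:00Z).
type CredentialProcessOutput struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken,omitempty"`
	Expiration      string `json:"Expiration,omitempty"`
}

// VaultAWSSecret is a reduced, hypothetical view of a Vault aws/creds response:
// the Data fields plus the lease duration in seconds (relative, not absolute).
type VaultAWSSecret struct {
	LeaseDuration int
	Data          map[string]string
}

// BuildCredentialProcessOutput validates the required fields, renames them to
// the AWS names, and converts the relative lease into an absolute UTC expiry
// anchored at issuedAt (the moment the secret was read from Vault).
func BuildCredentialProcessOutput(s VaultAWSSecret, issuedAt time.Time) (CredentialProcessOutput, error) {
	out := CredentialProcessOutput{Version: 1}
	out.AccessKeyId = s.Data["access_key"]
	if out.AccessKeyId == "" {
		return out, fmt.Errorf("vault secret is missing access_key")
	}
	out.SecretAccessKey = s.Data["secret_key"]
	if out.SecretAccessKey == "" {
		return out, fmt.Errorf("vault secret is missing secret_key")
	}
	// security_token is only present for STS-style credentials; omitempty
	// drops the field for long-lived IAM user keys.
	out.SessionToken = s.Data["security_token"]
	if s.LeaseDuration > 0 {
		expiry := issuedAt.Add(time.Duration(s.LeaseDuration) * time.Second)
		out.Expiration = expiry.UTC().Format(time.RFC3339)
	}
	return out, nil
}

// RenderCredentialProcessJSON returns the document as the single JSON object a
// credential_process command would print on stdout.
func RenderCredentialProcessJSON(s VaultAWSSecret, issuedAt time.Time) (string, error) {
	out, err := BuildCredentialProcessOutput(s, issuedAt)
	if err != nil {
		return "", err
	}
	b, err := json.Marshal(out)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample values; not real credentials.
	sample := VaultAWSSecret{
		LeaseDuration: 3600,
		Data: map[string]string{
			"access_key":     "AKIAEXAMPLEKEY",
			"secret_key":     "exampleSecretKeyValue",
			"security_token": "exampleSessionToken",
		},
	}
	doc, err := RenderCredentialProcessJSON(sample, time.Now())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(doc)
}
```

Because the SDK re-invokes the credential_process command once Expiration has passed, the timestamp should be computed from the time the secret was actually fetched, not from when the file is rendered; rendering later than that shortens the usable window but never hands the SDK a key it believes is valid after Vault has revoked it.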
