
Write IAM credentials to ~/.aws/credentials #1020

Open
missedone opened this issue Aug 9, 2024 · 17 comments
Labels
enhancement New feature or request

Comments

@missedone

missedone commented Aug 9, 2024

Is your feature request related to a problem? Please describe.
I'd like to update the credentials of the default profile in ~/.aws/credentials with the CLI command aws-sso credentials -p <1111111111:AdminAccess> -f ~/.aws/credentials
because I need to run and debug the Java app in IntelliJ, and it needs AWS credentials to connect to AWS services in order to run. The Java AWS SDK loads the default profile from ~/.aws/credentials; I don't want to modify the app code and configuration to support an AWS profile, as it would widely impact the dev workflow across the whole dev team.

Describe the solution you'd like

  • option 1: I'd like to introduce a new arg for the credentials sub-command to allow the user to specify the target profile name in the credentials file:
    aws-sso credentials -p <1111111111:AdminAccess> -f ~/.aws/credentials --target_profile=default

It will update the credentials file with this content:

$ cat ~/.aws/credentials

[default]
# Expires: 2024-08-09T22:20:13-07:00
aws_access_key_id = ASIASA4VTLYRP*****
aws_secret_access_key = HpXlnMpD5EFI*****
aws_session_token = IQoJb3JpZ2luX2VjEFYaCXVzLXdlc3QtMiJIMEY*****

  • option 2: introduce a new arg: aws-sso credentials -p <1111111111:AdminAccess> -f ~/.aws/credentials --update_default_profile=true|false

It will update the credentials file with both profiles:

$ cat ~/.aws/credentials

[default]
# Expires: 2024-08-09T22:20:13-07:00
aws_access_key_id = ASIASA4VTLYRP*****
aws_secret_access_key = HpXlnMpD5EFI*****
aws_session_token = IQoJb3JpZ2luX2VjEFYaCXVzLXdlc3QtMiJIMEY*****

[1111111111:AdminAccess]
# Expires: 2024-08-09T22:20:13-07:00
aws_access_key_id = ASIASA4VTLYRP*****
aws_secret_access_key = HpXlnMpD5EFI*****
aws_session_token = IQoJb3JpZ2luX2VjEFYaCXVzLXdlc3QtMiJIMEY*****

Describe alternatives you've considered
Manually update the profile in ~/.aws/credentials after running aws-sso credentials -p <1111111111:AdminAccess> -f ~/.aws/credentials


@missedone missedone added the enhancement New feature or request label Aug 9, 2024
@missedone
Author

@synfinatic, I can raise a PR if you agree with one of the options.

@synfinatic
Owner

This feature should not be necessary. You just need to set the AWS_PROFILE environment variable inside of IntelliJ and the AWS SDK will use the profile you specify. https://www.baeldung.com/intellij-idea-environment-variables

Alternatively, set the variable in your shell (export AWS_PROFILE=xxx) and then start IntelliJ (or any other editor) from the shell.

Generally speaking, writing the IAM secrets to the ~/.aws/credentials file is an anti-pattern with aws-sso, and I only introduced it for applications which aren't using the AWS SDK to talk to AWS and don't support other methods.

@missedone
Author

missedone commented Aug 10, 2024

This feature should not be necessary. You just need to set the AWS_PROFILE environment variable inside of IntelliJ and the AWS SDK will use the profile you specify. https://www.baeldung.com/intellij-idea-environment-variables

I'd like to avoid using the environment variable AWS_PROFILE in IntelliJ because we have thousands of unit test codes that depend on the AWS SDK. When running them manually in the IDE, I'd prefer to not bother the developers to add the environment variable repeatedly; it could be very annoying and unproductive.

Alternatively, set the variable in your shell (export AWS_PROFILE=xxx) and then start IntelliJ (or any other editor) from the shell.

It could be a fair solution, but we would need to educate the developers to start IntelliJ from the shell and ask them to change the dev workflow.

@synfinatic
Owner

I don't use IntelliJ myself, but I believe it will save the variable across multiple sessions? Shouldn't have to keep setting it?

Alternatively, just define that test role with the profile name of default in the ~/.aws-sso/config.yaml and use the config-profiles command. That at least won't expose your credentials in clear text.

@missedone
Author

I don't use IntelliJ myself, but I believe it will save the variable across multiple sessions? Shouldn't have to keep setting it?

In IntelliJ we can define a launch template in which to hard-code the profile. However, we have to share the template across the team and across multiple git repos; also, each team may use a different profile.

@missedone
Author

Alternatively, just define that test role with the profile name of default in the ~/.aws-sso/config.yaml and use the config-profiles command. That at least won't expose your credentials in clear text.

Right, we have to switch the profile somewhere, and I prefer to introduce as little change as possible to the dev workflow.
I'm good with doing it in the shell, either with an aws-sso profile or an AWS profile, or I can have a bash alias to do the quick switch; there could be several options.

@synfinatic
Owner

"switch the profile"? users are using multiple IAM Roles and you want to switch the global/per user default role between them?

I'm honestly a bit lost what your actual use case/requirements are. Generally speaking, changing the default role to point to different roles is not recommended as it's far too easy to accidentally run a command in the wrong AWS account/etc.

That said, you've closed this ticket so I'm gonna assume you've got what you need. Feel free to re-open if you'd like to continue the conversation.

@missedone
Author

missedone commented Aug 10, 2024

Hi @synfinatic,

Thanks for your comments and patience.

In my org, we have multiple AWS sub-accounts, and people have multiple roles as well, though most of the time they only have one role; in most cases, we just need to switch the profile (that is, switch between the sub-accounts).

Based on the conversation, I'm experimenting with the following workflow:

  1. aws-sso to list all profiles
  2. aws-sso-profile <profile_name> to switch profile
  3. aws-sso credentials -p <profile_name> -f ~/.aws/credentials && sed -i 's/<profile_name>/default/' ~/.aws/credentials to generate the static AKSK in the default profile
  4. run IntelliJ from anywhere, and run the code without injecting the AWS_PROFILE env var

If they want to switch profiles, they just need to repeat steps 2 and 3. They don't need to do anything in IntelliJ; the new credentials will be used seamlessly by the code.

To be more convenient, I will create a shell alias to combine steps 2 and 3, so the developers just need to run one command in the shell.

@synfinatic synfinatic reopened this Aug 10, 2024
@synfinatic
Owner

Sure that works.

Does mean a few things:

  1. Creds are stored in clear text on disk. You seem okay with that.
  2. All processes for that user now will automatically use that IAM role for any other connection to AWS. This can have unexpected results for users who forget which role is currently "default" (Oh crap! I meant to XXXX in the other aws account!)

Personally, if I was going to do this, I would modify the ~/.aws/config file and use the process feature with the AWS SDK support for credential_process and just change the flag for the role when I want to switch roles for default. Not only would it not expose the IAM creds, it would mean that if your SSO session is longer than the IAM credentials expiration, the IAM creds will auto-refresh for a better developer experience:

[default]
credential_process = aws-sso process -u open --profile <profile name to assume>
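An added example (not from the aws-sso project or either participant) that combines step 3 of the workflow above with the two caveats in this comment: it renames the section aws-sso wrote to [default] without the fragile sed, keeps the file owner-only, and records which role is currently default and when it expires so the "wrong account" foot gun is at least visible. The -p/-f flags and the "# Expires:" comment come from this thread; the "# Role:" marker, the function names and the sample profile names are assumptions/constructed.

```shell
#!/usr/bin/env sh
# promote_to_default FILE PROFILE
# Renames the [PROFILE] section that aws-sso wrote to [default] and records which
# role it was, so "which role is default right now?" can always be answered.
promote_to_default() {
  file=$1; profile=$2
  tmp=$(mktemp) || return 1
  # Match the section header exactly; a plain sed would touch any line that
  # happens to contain the profile name.
  awk -v hdr="[$profile]" -v name="$profile" '
    $0 == hdr { print "[default]"; print "# Role: " name; next }
    { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp"          # owner-only: these are cleartext static keys
  mv "$tmp" "$file"
}

# default_role_status FILE
# Prints the role and expiry recorded under [default]; returns 1 if there is no
# aws-sso-written default profile, 2 if it has already expired.
default_role_status() {
  file=$1
  role=$(awk '/^\[/ { d = ($0 == "[default]") } d && sub(/^# Role: /, "") { print; exit }' "$file")
  expiry=$(awk '/^\[/ { d = ($0 == "[default]") } d && sub(/^# Expires: /, "") { print; exit }' "$file")
  [ -n "$expiry" ] || { echo "no aws-sso [default] profile in $file" >&2; return 1; }
  # The expiry comparison needs GNU date -d; with BSD/macOS date it is skipped.
  if exp_s=$(date -d "$expiry" +%s 2>/dev/null); then
    [ "$exp_s" -gt "$(date +%s)" ] || { echo "[default] ($role) EXPIRED at $expiry" >&2; return 2; }
  fi
  echo "default = ${role:-unknown}, expires $expiry"
}

# awsdef PROFILE: the one-command alias from the workflow above (assumes the
# aws-sso flags used in this thread; not invoked here).
awsdef() {
  aws-sso credentials -p "$1" -f ~/.aws/credentials &&
    promote_to_default ~/.aws/credentials "$1" &&
    default_role_status ~/.aws/credentials
}
```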

@missedone
Author

missedone commented Aug 11, 2024

@synfinatic, thanks for sharing the new idea with me; good to learn, and I did some quick tests:

  1. It works with the AWS CLI; it's a pretty neat approach, I love it.
  2. It doesn't work in the IDE, because we have to use ProcessCredentialsProvider or ProfileProcessCredentialsProvider from the Java AWS SDK explicitly, which is code-intrusive; we have to modify the app code to support loading temporary credentials with ProcessCredentialsProvider, and the logic is for local dev only, while I'd prefer to avoid introducing env-specific logic in the app code. Besides, our projects rely on some open-source libs that do not allow, or make it hard to, customize the credentials-loading logic.

That is to say, I'd stay with the workflow I mentioned in #1020 (comment).

@synfinatic
Owner

ugh, that's lame that the Java SDK is different from the python & Go SDK. I'd probably open a ticket with AWS and ask them to be more aligned.... obviously doesn't help you now. :-/

@synfinatic
Owner

Anyways, I guess I need to do something to enable all those people using Java... I may hate Java personally, but it's not really viable to tell everyone to just rewrite their code in a better language :D

Anyways, need to think more about this. Probably will end up being something like:

aws-sso static-creds -p <profile to use> [-P <profile to write>]

So by default it will use the name of the profile for the [profile <name>] but optionally you can override it with the -P flag for people who really want to specify an override.

What I'm still not sure about is supporting [default], because IMHO that's a foot gun waiting to happen. Can I instead interest you in the idea of specifying AWS_PROFILE=intellij in IntelliJ and using that as your profile name instead? Or is that just not viable?

@missedone
Author

ugh, that's lame that the Java SDK is different from the python & Go SDK. I'd probably open a ticket with AWS and ask them to be more aligned.... obviously doesn't help you now. :-/

Right, per the API doc and source code, credential_process credentials are not in the default credentials provider chain: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html


@missedone
Author

So by default it will use the name of the profile for the [profile <name>] but optionally you can override it with the -P flag for people who really want to specify an override.

Ya, that will be great.

What I'm still not sure about is supporting [default], because IMHO that's a foot gun waiting to happen. Can I instead interest you in the idea of specifying AWS_PROFILE=intellij in IntelliJ and using that as your profile name instead? Or is that just not viable?

Understood, but it's not viable in my org, as it would be a big change to the dev workflow, while my original purpose for the feature request in this thread is to streamline it.

Thanks,

@synfinatic
Owner

When you say "workflow", I'm imagining setting the AWS_PROFILE variable in IntelliJ once as a set-it-and-forget-it. I know for VSCode, you can even configure it in the git repo via the .vscode/launch.json file. Doesn't IntelliJ support setting an environment variable across sessions? Am I missing something?

@missedone
Author

Yes, IntelliJ supports the launch template and can persist the launch configuration in git. However, it's not viable in my organization since we have to share the settings across the teams and git repos. There would be significant communication and education efforts.

@synfinatic
Owner

LOL. Sounds like we work at the same company. I get it.

@synfinatic synfinatic changed the title Allow to update credentials of Default profile Write IAM credentials to ~/.aws/credentials Sep 28, 2024