Skip to content

Support Loading AWS Credentials from Config Profiles #6889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mbamber opened this issue Jul 25, 2024 · 6 comments
Open

Support Loading AWS Credentials from Config Profiles #6889

mbamber opened this issue Jul 25, 2024 · 6 comments
Labels
feature-request help wanted

Comments

@mbamber
Copy link
Contributor

mbamber commented Jul 25, 2024

What is the underlying problem you're trying to solve?

When working with OPA I need to supply aws credentials to download a bundle. Today I do this by providing static environment credentials, but these expire regularly and need to be refreshed.

I can currently generate credentials for aws via the ~/.aws/config file using a named profile (e.g. aws sts get-caller-identity --profile my-profile) which is helpful when working with multiple accounts/roles which have different levels of permissions and all expire quickly (within the hour).

I have seen #2786 but this only supports credentials sourced from the ~/.aws/credentials file, not the ~/.aws/config file.

Describe the ideal solution

I would like to be able to supply a profile, similar to #2786, which will source credentials from my ~/.aws/config profiles, instead of my ~/.aws/credentials profiles.
@ashutosh-narkar
Copy link
Member

Seems like a good addition to the existing ways to fetch AWS creds. Feel free to contribute if you'd like.

@yatesliang
Copy link

I would like to try it.
Before starting I want to make sure that what you need is:
There is a provider that reads and uses the specified profile from a config file you provided (for example ~/.aws/config) to call
get-caller-identity and assume-role to generate a short-term credential.

@mbamber
Copy link
Contributor Author

mbamber commented Aug 16, 2024

I don't think we should need to call assume-role here - the AWS SDKs support loading credentials from this file directly - we would just need to essentially copy their implementation

@stale Stale
Copy link

stale bot commented Sep 15, 2024

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

@stale stale bot added the inactive label Sep 15, 2024
@efiShtain
Copy link

@mbamber
I opened this PR to support SSO credentials (from config file)
#7527

it takes a profile and generate the credentials, but it assumes so
will that help your case ?

@stale stale bot removed the inactive label Apr 22, 2025
@mbamber
Copy link
Contributor Author

mbamber commented Apr 22, 2025

@efiShtain thanks for this! I'm unable to test right now, but I've looked through the pr and it looks great!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ashutosh-narkar @efiShtain @mbamber @yatesliang