Comments (2)
shwethaumashanker
commented on June 12, 2024
1
Eric Miller
Slack link
Hello, I have a UX note/question for assumed roles. Essentially, I have two profiles.
SSO profile. This assumes by IdentityCenter role.
Assumed role. This uses profile 1 to assume another role.
Role #1 has credential_process = granted .... Role #2 does not. This has the effect that, when running assume profile-2, all of the env vars (e.g. session token) are exported.
This has the effect that, when using assume , the credentials expire after 1h due to role chaining timeouts. I've been using export AWS_PROFILE= exclusively, but I'd rather if the folks I support could just use assume and get the "easy" result.Two thoughts on how this could be implemented.
One, we could implement a recursive function to implement this by default. Check the role assumption chain to see if anything uses credential_process.isCredentialProcess(profile) -> bool: if profile.sourceProfile is not None: return isCredentialProcess(getProfile(sourceProfile)) return profile.credential_process is not NoneTwo, we could implement a flag in the profile itself, e.g. granted_default_no_export = true that would have the same effect as credential_process on what variables are exported.
from granted.
sosheskaz
commented on June 12, 2024
The recursive function should probably also keep track of the set of profile names in the stack, in order to check for a loop.
from granted.
Related Issues (20)
- Support populating required variable with fixed value
- Deleting auto created chrome profile causes assume -c to stop working HOT 1
- Panic interface {} is nil, not string
- Security Vulnerability - Lateral Movement HOT 4
- AWS command hanging after assume when running on WSL HOT 1
- Feature request: Introducing “sudo” functionality into Granted HOT 1
- Update documentation - Granted does not work with Session Manager Plugin out of the box
- Assumed Role - Randomized UserId gntd-<random-suffix>
- Support refreshable AWS SSO sessions HOT 1
- Unclear warning with no way to quiet the error text. HOT 2
- Registry: MOTD
- Add the role that was retrieved to the error message when role assumption fails (AWS)
- Feature Request: Automatically populate [Default] with assumed profile HOT 7
- IAM Federated logins (console) should have easily attributable username in Cloudtrail list view.
- BaseProfile variable defined in config.yml for Profile Registries does not work
- Add option to clear the whole Granted cache
- [Feature request] Use a specific browser profile for authentication HOT 5
- File keychain backend should bail in credential process rather than hanging HOT 1
- Prefix-Duplicate-Profiles flag not respected
- Discrepancy in the behavior when '--save-to' and '--export' flags are used together
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from granted.