Comments (3)
I am tempted to delegate to boto to load configs (since the premise of not depending on boto is not as relevant today)
from awscurl.
(Although botocore implements the credential handling, the relevant documentation describes boto3 and the AWS CLI. I'll keep referring to botocore.)
botocore has a long credential resolution chain to support all the use cases:
> Boto3 will look in several locations when searching for credentials. The mechanism in which Boto3 looks for credentials is to search through a list of possible locations and stop as soon as it finds credentials. The order in which Boto3 searches for credentials is:
> 1. Passing credentials as parameters in the boto.client() method
> 2. Passing credentials as parameters when creating a Session object
> 3. Environment variables
> 4. Shared credential file (~/.aws/credentials)
> 5. AWS config file (~/.aws/config)
> 6. Assume Role provider
> 7. Boto2 config file (/etc/boto.cfg and ~/.boto)
> 8. Instance metadata service on an Amazon EC2 instance that has an IAM role configured.
(The AWS SSO credentials are not explicitly mentioned here. I'm not sure if it should be an extra step or if it's also handled by step 6. Either way it's not mentioned in that documentation!)
awscurl by itself implements steps 1 through 4. It handles step 4 more strictly than botocore because it doesn't check the AWS_SHARED_CREDENTIALS_FILE environment variable.
The botocore fallback introduced in #63 adds support for steps 5 through 8, but there are behavior differences because of how awscurl doesn't pass all the arguments to botocore. One of these differences is mentioned below.
It seems to me people are expecting that the authentication interface for awscurl be similar to that of the aws CLI.
So using botocore to load credentials makes sense to me because that's what the AWS CLI uses. It would surely solve the problems people report in #44.
> as assume role just replaces env variables to the ones corresponding to the role have you considered just running aws sts assume-role ... before running awscurl?
It's okay as a workaround. I can use aws2-wrap to generate AWS SSO credentials in a format that awscurl understands. But it would be excellent to let botocore handle it automatically.
> [Assume role provider] works with env variables [...] but doesn't work with CLI arg
When the profile is set as an environment variable, both awscurl and botocore can read it, so the botocore fallback can handle step 6.
When the profile is passed as an argument to awscurl, it's not passed to the botocore fallback. (I tried to change that in my PR #116 but it clashed with the hard-coded "default" value (#112) so it got rolled back (#124)).
Another part of this is the user interface. Should the current CLI parsing need to change to depend on botocore?
I think the hard-coded "default" for profile name is unnecessary if botocore is used, and in fact may be problematic because it stops the credential resolution chain before it reaches step 8.
I would discourage people from passing the credentials as arguments because credential leakage is almost guaranteed by default settings (shell command history, CI logs, etc.). So I would be in favor of removing the options access_key, secret_key, security_token, and session_token.
What do you think?
from awscurl.
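The resolution chain quoted above and the two behaviour differences the reply points out (awscurl's own step 4 ignoring AWS_SHARED_CREDENTIALS_FILE, and a hard-coded "default" profile stopping the chain before the instance metadata step) as a small offline model. This is an added example, not code from awscurl or botocore: it models steps 1 through 5 with a plain INI parser, collapses steps 6 through 8 into a single sentinel value, and assumes botocore's rule that an explicitly requested profile must exist in a file even when it is named "default"; the file contents, profile names and key values are constructed.

```python
"""Offline model of the botocore credential chain discussed in the thread.

Added example, not awscurl's or botocore's code. Steps 1-5 are modelled;
steps 6-8 are collapsed into REMOTE_STEPS so a caller can see whether the
chain got that far. All file contents and key values are constructed.
"""
import configparser
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


class ProfileNotFound(Exception):
    """A profile was requested explicitly but no file defines it (assumed botocore rule)."""


@dataclass
class Resolved:
    source: str  # which step of the chain produced the result
    access_key: Optional[str] = None
    secret_key: Optional[str] = None
    session_token: Optional[str] = None


# Sentinel standing in for assume role, boto2 config and instance metadata.
REMOTE_STEPS = "assume-role / boto2 config / instance metadata (steps 6-8, not modelled)"


def _read_ini(path: str) -> configparser.RawConfigParser:
    """Parse an AWS-style INI file; a missing file yields an empty parser."""
    parser = configparser.RawConfigParser()
    if path and os.path.isfile(path):
        parser.read(path)
    return parser


def _keys_from(parser, section: str, source: str) -> Optional[Resolved]:
    """Return the key pair stored in `section`, or None if the section has none."""
    if parser.has_section(section) and parser.has_option(section, "aws_access_key_id"):
        return Resolved(source, parser.get(section, "aws_access_key_id"),
                        parser.get(section, "aws_secret_access_key"),
                        parser.get(section, "aws_session_token", fallback=None))
    return None


def resolve_credentials(env: Dict[str, str], home: str,
                        explicit: Optional[Dict[str, str]] = None,
                        profile: Optional[str] = None) -> Resolved:
    """Walk the chain in order and stop at the first step that yields a key pair.

    env      -- stands in for os.environ (passed in so the example is hermetic)
    home     -- directory holding .aws/credentials and .aws/config
    explicit -- credentials passed as parameters (steps 1 and 2)
    profile  -- profile named on the command line; None means "not given"
    """
    # Steps 1 and 2: explicit parameters win outright.
    if explicit and explicit.get("access_key") and explicit.get("secret_key"):
        return Resolved("explicit", explicit["access_key"], explicit["secret_key"],
                        explicit.get("session_token"))
    # Step 3: environment variables.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return Resolved("env", env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"],
                        env.get("AWS_SESSION_TOKEN"))
    # Profile selection: CLI argument first, then AWS_PROFILE, else the implicit default.
    requested = profile or env.get("AWS_PROFILE")
    name = requested or "default"
    # Step 4: shared credentials file. AWS_SHARED_CREDENTIALS_FILE overrides the
    # path here; the thread notes awscurl's own loader does not check it.
    creds = _read_ini(env.get("AWS_SHARED_CREDENTIALS_FILE")
                      or os.path.join(home, ".aws", "credentials"))
    found = _keys_from(creds, name, "shared_credentials_file")
    if found:
        return found
    # Step 5: config file. Non-default profiles live in "[profile <name>]" sections.
    cfg = _read_ini(env.get("AWS_CONFIG_FILE") or os.path.join(home, ".aws", "config"))
    cfg_section = name if name == "default" else f"profile {name}"
    found = _keys_from(cfg, cfg_section, "config_file")
    if found:
        return found
    # A profile that was asked for but that no file defines stops the chain here,
    # even when it is literally "default"; an unspecified profile falls through.
    if requested is not None and not creds.has_section(name) and not cfg.has_section(cfg_section):
        raise ProfileNotFound(name)
    return Resolved(REMOTE_STEPS)


def demo() -> Dict[str, str]:
    """Run three constructed scenarios and report which step each one ended at."""
    with tempfile.TemporaryDirectory() as tmp:
        alt = os.path.join(tmp, "alt-credentials")  # constructed file, not ~/.aws
        with open(alt, "w", encoding="utf-8") as fh:
            fh.write("[ci]\naws_access_key_id = AKIAEXAMPLECI\n"
                     "aws_secret_access_key = constructed-secret\n")
        results = {}
        # Honouring AWS_SHARED_CREDENTIALS_FILE lets profile "ci" be found.
        results["alt_file"] = resolve_credentials(
            {"AWS_SHARED_CREDENTIALS_FILE": alt}, tmp, profile="ci").source
        # No profile and no files under home: the chain continues to steps 6-8.
        results["fallthrough"] = resolve_credentials({}, tmp).source
        # Hard-coded "default" with no files: the chain stops early.
        try:
            resolve_credentials({}, tmp, profile="default")
            results["hardcoded_default"] = "resolved"
        except ProfileNotFound:
            results["hardcoded_default"] = "ProfileNotFound"
        return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The third scenario is the one the reply is worried about: passing `profile="default"` when neither file exists raises instead of continuing to the instance metadata step, whereas leaving the profile unset lets the chain run to the end. Hypothetical parameter and function names (`resolve_credentials`, `REMOTE_STEPS`, `demo`) are this example's own.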
I've asked for clarification of the SSO credentials resolution in boto/botocore#2433.
from awscurl.