CICD or non-interactive use option #206

Open
2 tasks done
nick-barefoot-focusrite opened this issue Oct 4, 2024 · 1 comment

nick-barefoot-focusrite commented Oct 4, 2024

Feature Description

Non-interactive mode, with auth for AWS provided externally (not only as a profile) via whatever form the caller likes.

Similar to the request #138.
We are looking to collect our JSON data during an automated pipeline which delivers AWS resources via IAC (terraform apply), via short-lived token-based auth via OIDC/JWT trust for GitHub.

Currently, the only non-interactive operation is by using the profile option, but that forces us to write the access creds to a profile on disk. They are already in the environment and we would prefer keeping them in memory as they already are, rather than adding code to explicitly write these to disk as a profile.

Since the underlying AWS CLI already 'just works' with env vars as generated by aws-actions/configure-aws-credentials with no further work / files needed, we just need to be able to not be prompted for further input via the GUI and the rest will 'just work' for GitHub pipelines using OIDC.

Use Case

GitHub pipelines using OIDC for short-lived token-based auth into AWS.

Suggested Solution

Roughly similar to the change delivered here but not forcing the credentials to be loaded from disk; let the caller pass them in a manner of their choosing, as long as that remains compatible with the AWS CLI which is consuming them.

Alternatives Considered

The workaround is that we explicitly write a profile to disk, which is not really appealing.

Additional Context

We're looking to drive the capture of an infra diagram as part of any CICD pipeline-driven IAC change, so we would also love a REST API to publish the JSON file into, rather than the manual import or assume-role based approach (we would like to push a diagram change from our short-lived access pipelines, exactly if/when the infra does change, rather than grant long-lived access to an external tool).

Checklist

  • I have searched for similar feature requests.
  • I have included all necessary information.
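
A pre-flight check a pipeline could run before invoking the script, as an added example that is not part of the issue or the project's code: it classifies where the AWS credentials would come from, so a job can insist on the short-lived, environment-supplied credentials the request describes. The function names are hypothetical; the `AWS_*` variables are the standard ones the AWS CLI reads.

```shell
#!/bin/sh
# Added example (not from the issue or the project). Function names are
# hypothetical; the AWS_* variables are the standard ones the AWS CLI reads.

# Print where credentials would come from:
#   env-session  access key + secret + session token in the environment
#                (what an OIDC role assumption exports: short-lived)
#   env-static   access key + secret but no session token (long-lived keys)
#   profile      AWS_PROFILE is set or a shared credentials file exists on disk
#   none         nothing found by this check
# Environment variables are tested first because they come before the shared
# credentials file in the AWS CLI's lookup order.
aws_cred_source() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
            echo "env-session"
        else
            echo "env-static"
        fi
    elif [ -n "${AWS_PROFILE:-}" ] ||
         [ -f "${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}" ]; then
        echo "profile"
    else
        echo "none"
    fi
}

# Gate for a CI step: succeed only for short-lived credentials held in the
# environment, and explain on stderr why anything else was rejected.
require_env_session_creds() {
    case "$(aws_cred_source)" in
        env-session) return 0 ;;
        env-static)  echo "rejected: static keys without a session token" >&2 ;;
        profile)     echo "rejected: credentials would be read from disk" >&2 ;;
        *)           echo "rejected: no AWS credentials found" >&2 ;;
    esac
    return 1
}

# Report the source for the current environment (never prints secret values).
echo "credential source: $(aws_cred_source)"
```
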
@andries-miro
Collaborator

Hey @nick-barefoot-focusrite! Thank you for opening this issue!

We had not considered this use case before, but we think this would definitely be a good addition to the script.

If you'd like to see it implemented sooner, feel free to open a PR. We'd be happy to have your contribution to this project if you're interested. Otherwise, we will pick this up as soon as there is capacity on our side.
