It would be better not to store credentials in the ~/.aws/credentials file when refreshing credentials with saml2aws-auto (see the AWS documentation on sourcing credentials from an external process).
Unsolved Issues
It looks like you cannot prompt the user for any input, as only the credentials are supposed to end up in stdout. saml2aws-auto requires MFA, so we need to find a way of asking for the MFA token.
Simple Implementation
A command is needed to refresh a single account (for example saml2aws-auto refresh groupname accountname)
Consider only saml2aws-auto refresh accountname, as there might generally be overlap between the accounts of different groups, but that would need more refactoring of how accounts and groups are currently stored
A flag is needed to output data as json, with the format required by the aws cli:
{
"Version": 1,
"AccessKeyId": "an AWS access key",
"SecretAccessKey": "your AWS secret access key",
"SessionToken": "the AWS session token for temporary credentials",
"Expiration": "ISO8601 timestamp when the credentials expire"
}
A configured profile could then use a credentials process like saml2aws-auto refresh groupname accountname --force --credential-process (or --output json).
Caching
The above implementation would not allow caching and might be more annoying to use. To facilitate caching, we could encrypt a new credentials file using the password (as it is stored in the OS-native keychain), and decrypt it first when running the refresh command. It might also be helpful to have a separate command for this credential process interface.
Issues with this approach
The main issue I see with this is handling password resets (saml2aws-auto configure), but in that case we could fall back to refreshing anyway if we cannot decrypt the file.
Alternative Approaches
In addition to the user's password, a per-machine encryption key could be stored in the OS-native keychain
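As an added example, not code from saml2aws-auto or from the issue author, the following Python sketch implements the pieces proposed above together: the --credential-process output in the JSON format the AWS CLI requires, the encrypted credential cache unlocked with the keychain password, the fallback to a fresh login when the file cannot be decrypted after saml2aws-auto configure, and the optional per-machine key from the alternative approach. The cache path, the PBKDF2 parameters, the 5-minute expiry margin and the refresh callback are assumptions. The HMAC-SHA256 counter-mode keystream with an HMAC tag is a dependency-free stand-in for the AES-GCM a real implementation would use; the point it demonstrates is the file layout, the authenticate-before-decrypt check and the fallback path.

```python
import hashlib
import hmac
import json
import os
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed values (not from the issue): cache location, KDF cost, refresh margin.
CACHE_PATH = os.path.expanduser("~/.saml2aws-auto/credential-cache.bin")
PBKDF2_ITERATIONS = 600_000
EXPIRY_MARGIN = timedelta(minutes=5)  # refresh a little before the session really expires


def iso8601_utc(dt: datetime) -> str:
    """Format a timestamp the way the credential_process contract expects it."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _derive_keys(password: str, salt: bytes, machine_key: bytes) -> tuple:
    # The keychain password, optionally concatenated with a per-machine key, is
    # stretched with PBKDF2 into one key for the keystream and one for the tag.
    material = hashlib.pbkdf2_hmac("sha256", password.encode() + machine_key,
                                   salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-GCM).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, password: str, machine_key: bytes = b"") -> bytes:
    """Encrypt-then-MAC; file layout is salt(16) || nonce(16) || tag(32) || ciphertext."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt, machine_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct


def unseal(blob: bytes, password: str, machine_key: bytes = b"") -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify: wrong password
    (e.g. after `saml2aws-auto configure`), wrong machine key, or a damaged file."""
    if len(blob) < 64:
        return None
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(password, salt, machine_key)
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def credential_process(password: str, refresh, cache_path: str = CACHE_PATH,
                       machine_key: bytes = b"", now: Optional[datetime] = None) -> dict:
    """Return the object the AWS CLI expects on stdout, served from the encrypted
    cache when it decrypts and is still valid, otherwise from `refresh()` (the
    interactive SAML/MFA login, assumed to return the same four fields)."""
    now = now or datetime.now(timezone.utc)
    creds = None
    if os.path.exists(cache_path):
        with open(cache_path, "rb") as f:
            plain = unseal(f.read(), password, machine_key)
        if plain is not None:  # undecryptable file -> fall through to a refresh
            cached = json.loads(plain)
            expires = datetime.fromisoformat(cached["Expiration"].replace("Z", "+00:00"))
            if expires - now > EXPIRY_MARGIN:
                creds = cached
    if creds is None:
        creds = refresh()
        os.makedirs(os.path.dirname(cache_path), exist_ok=True)
        with open(cache_path, "wb") as f:
            f.write(seal(json.dumps(creds).encode(), password, machine_key))
        os.chmod(cache_path, 0o600)  # session credentials: owner-only, never ~/.aws/credentials
    return {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    }
```

The command wrapping this would print json.dumps(credential_process(...)) and nothing else to stdout, so a profile in ~/.aws/config can point at it with credential_process = saml2aws-auto refresh groupname accountname --force --credential-process; any MFA prompt has to go to stderr or the terminal. Because the tag is checked before anything is decrypted, a password reset simply makes unseal return None and the next invocation performs a full refresh and rewrites the cache, which is the fallback described above.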