
Preferred Usage Patterns -- Role Chaining #369

Open
@rpattcorner


aws-adfs offers some serious advantages over our current bash scripting for AD-based credentials. But for it to be useful in the use cases I have, I'll need to extend it ... either from the outside (in a script wrapper) or by forking and extending (obviously harder!). How have people extended it up to now architecturally?

The main issue and use case is role chaining. There is a series of accounts that users access by:

  • Authenticating with AD (scripted) which accesses a neutral role with only privileges to assume other roles in other accounts
  • Chaining to target roles in the target accounts using the initial AD role assume credentials

This architecture is quite common with the advent of AWS Organizations and account-per-project architectures. So I wonder if anyone solved this chaining scenario using aws-adfs?

If not:

  • I see current code can write the temporary creds to the usual environment variables for postprocessing via --printenv. I assume that's the way to move forward in a wrapper script?
  • Is there an obvious point in code to internally extend the functionality and have aws-adfs do the chaining? If so, is there an obvious place to put the secondary configuration, e.g. all role ARNs the initial role can chain to?
  • Is there an existing mode where current code can be addressed as a python library from a custom python wrapper?
  • Other thoughts?

Then there are time limits, especially with role chaining. I see from your example that aws-adfs can be placed (manually?) in the ~/.aws/config like this:

[profile example-role-ue1]
credential_process=aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout

but it's not clear from the AWS doc how that command is activated. Is this credential_process something that is somehow automatically run as temporary creds expire? How is that line processed/run/made effective?

If we were able to usably extend to chained roles, credential_process might solve the problem of long-running jobs dying after the statutory one hour lifetime on chained creds.

Anyway, thoughts welcome! Thanks for a great capability!
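The post asks how a wrapper around aws-adfs could do the chaining step and how `credential_process` gets invoked. The contract the AWS CLI and SDKs apply is: whenever they need credentials for a profile that declares `credential_process`, they run the command, read a JSON object with `Version: 1`, `AccessKeyId`, `SecretAccessKey`, `SessionToken` and an ISO-8601 `Expiration`, and run the command again once that expiration has passed. The script below is an added example written for this issue, not code from aws-adfs or from the issue author. It is a hypothetical `chain_role.py` that the CLI would invoke for a target-account profile: it runs the hub profile's own credential process (the `aws-adfs login ... --stdout` line quoted above is assumed to be that process), validates the output, calls STS AssumeRole into the target role, and emits the same JSON shape for the target profile. The role ARNs, profile names and credential values in the comments are constructed placeholders, and the `chain()` function takes its STS call as a parameter so the chaining logic can be exercised without network access.

```python
"""chain_role.py: hypothetical credential_process helper that role-chains from a
hub role obtained via aws-adfs into a target-account role (example code, not
part of aws-adfs).

Assumed ~/.aws/config wiring (constructed placeholders):

    [profile ad-hub]
    credential_process = aws-adfs login --role-arn=arn:aws:iam::111111111111:role/hub --adfs-host=adfs.example.com --stdout

    [profile project-a]
    credential_process = python chain_role.py --source-command "aws-adfs login --role-arn=arn:aws:iam::111111111111:role/hub --adfs-host=adfs.example.com --stdout" --role-arn arn:aws:iam::222222222222:role/project-a
"""
import argparse
import json
import subprocess
import sys
from datetime import datetime, timezone

# STS caps a role-chained session at one hour regardless of the role's own
# MaxSessionDuration, so never request more than that for the second hop.
MAX_CHAINED_DURATION_SECONDS = 3600
MIN_DURATION_SECONDS = 900
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def parse_credential_process_output(text):
    """Validate text emitted by a credential_process command (e.g. aws-adfs --stdout)."""
    data = json.loads(text)
    if data.get("Version") != 1:
        raise ValueError("credential_process output must declare Version 1")
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError("credential_process output missing fields: " + ", ".join(missing))
    return data


def credentials_remaining(creds, now=None):
    """Seconds until the Expiration field passes (negative once already expired)."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return (expiry - now).total_seconds()


def to_credential_process_json(sts_credentials):
    """Convert an STS AssumeRole 'Credentials' dict into the credential_process JSON shape."""
    expiration = sts_credentials["Expiration"]
    if isinstance(expiration, datetime):  # boto3 returns a timezone-aware datetime
        expiration = expiration.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": 1,
        "AccessKeyId": sts_credentials["AccessKeyId"],
        "SecretAccessKey": sts_credentials["SecretAccessKey"],
        "SessionToken": sts_credentials["SessionToken"],
        "Expiration": expiration,
    }


def clamp_duration(requested):
    """Keep DurationSeconds inside the range STS accepts for a chained session."""
    return max(MIN_DURATION_SECONDS, min(requested, MAX_CHAINED_DURATION_SECONDS))


def run_source_process(command):
    """Run the hub profile's credential_process command and parse its JSON output."""
    result = subprocess.run(command, shell=True, check=True, capture_output=True, text=True)
    return parse_credential_process_output(result.stdout)


def assume_role_with_boto3(source_creds, role_arn, session_name, duration):
    """Second hop: AssumeRole into the target account using the hub credentials."""
    import boto3  # imported lazily so the pure logic above has no boto3 dependency
    sts = boto3.client(
        "sts",
        aws_access_key_id=source_creds["AccessKeyId"],
        aws_secret_access_key=source_creds["SecretAccessKey"],
        aws_session_token=source_creds["SessionToken"],
    )
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)["Credentials"]


def chain(source_command, role_arn, session_name, duration,
          assume_role=assume_role_with_boto3, run_source=run_source_process):
    """Obtain hub credentials, refuse stale ones, then chain into the target role."""
    hub = run_source(source_command)
    if credentials_remaining(hub) <= 0:
        raise RuntimeError("hub credentials already expired; re-run the AD login")
    target = assume_role(hub, role_arn, session_name, clamp_duration(duration))
    return to_credential_process_json(target)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="credential_process helper for role chaining")
    parser.add_argument("--source-command", required=True, help="hub profile's credential_process command")
    parser.add_argument("--role-arn", required=True, help="target role to chain into")
    parser.add_argument("--session-name", default="chain-role", help="RoleSessionName for the second hop")
    parser.add_argument("--duration", type=int, default=MAX_CHAINED_DURATION_SECONDS)
    args = parser.parse_args()
    json.dump(chain(args.source_command, args.role_arn, args.session_name, args.duration), sys.stdout)
```

Two practical points follow from the contract. First, because every CLI invocation against `project-a` re-runs the process, a long-running job should obtain credentials through the profile (so the SDK's credential provider refreshes them when `Expiration` passes) rather than copying one set of environment variables out of `--printenv` at start-up; the one-hour ceiling on chained sessions is enforced by STS and cannot be extended by the wrapper, only refreshed. Second, the AWS CLI can perform this second hop itself: a target profile with `role_arn = arn:aws:iam::222222222222:role/project-a` and `source_profile = ad-hub` will call AssumeRole using whatever the source profile's `credential_process` returns, which removes the need for a chaining script when the per-target configuration is just a list of role ARNs.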
