erik
March 24, 2023, 9:56pm
2
Hello,
Currently this is not supported,
opened 10:11PM - 04 Jan 23 UTC
Hi friends 👋
One of my favorite aspects of gimme-aws-creds is the ability to… authenticate to multiple accounts+roles+profiles at the same time. Writing a shell script with all of the IDP/role/profile combinations that I need is fine, but having this configurable natively seems like a feature that others might benefit from as well.
Thanks in advance!
Andrew
There is a current issue open which I believe will be part of release not too far in the future that will cache the access_token from the initial authentication. This way if you need to assume a different role you won’t need to go through the entire authentication process again assuming the token is still valid.
opened 07:47PM - 03 Mar 23 UTC
Each time a user runs a CLI command they are required to verify a device code vi… a the browser. This translates to a very poor experience when a user is assigned to multiple AWS accounts/multiple roles, due to the user having to verify a new device code each time they need to move accounts or roles.
Desired Behavior:
Cache/store the OIDC access token from the native application and reuse it each time a user needs to switch between AWS accounts/roles. Potentially this could be achieved via:
1. After an access token has been issued, from the first okta-aws-cli command, cache/store the access token.
2. Each subsequent command, check to see if a token is available to use.
- Verify the access token is still valid via the exp date on the JWT.
- if token is valid, continue without prompting user to verify user code in the browser.
3. If the token is invalid, prompt user to verify user code to retrieve a new device token via the browser.
Also, I noticed that the expiration time of an access token is set to 300s even though in my access policy I have specified a longer lifetime. Not sure where the 300 is coming from.
Thank You,
1 Like