How to Connect to AWS CodeCommit Without Permanent Access Keys Using ADFS?

Asked By CuriousCat123 On

Hey folks! I'm working in a setup where we access our AWS account through Active Directory Federation Services (ADFS), which means we don't have permanent access keys for AWS. This has made using AWS CodeCommit pretty tricky for me. I typically use the `aws sts assume-role-with-saml` command to get temporary credentials, but they expire after an hour. So, I end up having to manually do a few steps every hour:
1. Get the SAML response.
2. Run the assume-role-with-saml command.
3. Set the credentials as environment variables.

It can get really tedious. I tried using `saml2aws` to make things easier, but our login requires a client certificate for authentication, and it looks like saml2aws doesn't support that. Has anyone been in a similar situation? Any tools or methods to manage temporary credentials more efficiently for AWS CodeCommit while using federated ADFS would be super helpful!

3 Answers

Answered By ShellScriptGuru On

Creating a credential_process shell script might take you around 30 minutes. You can cache the credentials in a file (like `~/.cache/adfs/profile_name.json`), check if they're still valid when executing, and if they aren't, call `aws sts assume-role-with-saml` to refresh them. `jq` could really help you with generating JSON in your script!
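One way to build the credential_process script this answer describes, as an added example written in Python rather than shell (not code from the thread). The cache location follows the answer; the 5-minute refresh margin, the script name `adfs_creds.py`, and reading the base64 SAML response from a `SAML_RESPONSE` environment variable are assumptions, since obtaining it depends on the site's client-certificate login.

```python
import json, os, subprocess, sys
from datetime import datetime, timedelta, timezone

CACHE_DIR = os.path.expanduser("~/.cache/adfs")  # cache location suggested in the answer
REFRESH_MARGIN = timedelta(minutes=5)            # assumption: refresh 5 min before expiry

def parse_expiration(value):
    """Parse the Expiration string STS returns ('...Z' or '...+00:00') to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_valid(creds, now=None):
    """True when cached credentials exist and keep at least REFRESH_MARGIN before expiring."""
    if not creds or "Expiration" not in creds:
        return False
    now = now or datetime.now(timezone.utc)
    return parse_expiration(creds["Expiration"]) - now > REFRESH_MARGIN

def to_credential_process(sts_creds):
    """Map the Credentials object from assume-role-with-saml to the credential_process v1 schema."""
    return {"Version": 1,
            "AccessKeyId": sts_creds["AccessKeyId"],
            "SecretAccessKey": sts_creds["SecretAccessKey"],
            "SessionToken": sts_creds["SessionToken"],
            "Expiration": sts_creds["Expiration"]}

def assume_role_with_saml(role_arn, principal_arn, saml_response):
    """Call the AWS CLI; the base64 SAML response comes from the caller's own ADFS login step."""
    cmd = ["aws", "sts", "assume-role-with-saml", "--role-arn", role_arn,
           "--principal-arn", principal_arn, "--saml-assertion", saml_response, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)["Credentials"]

def get_credentials(profile, role_arn, principal_arn, get_saml_response):
    """Return cached credentials if still valid, otherwise refresh via STS and rewrite the cache."""
    path = os.path.join(CACHE_DIR, f"{profile}.json")
    cached = json.load(open(path)) if os.path.exists(path) else None
    if is_valid(cached):
        return cached
    creds = to_credential_process(assume_role_with_saml(role_arn, principal_arn, get_saml_response()))
    os.makedirs(CACHE_DIR, mode=0o700, exist_ok=True)
    with open(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        json.dump(creds, f)  # owner-readable only: the file holds live session credentials
    return creds

if __name__ == "__main__":
    # usage: adfs_creds.py <profile> <role-arn> <principal-arn>; SAML_RESPONSE holds the assertion
    profile, role_arn, principal_arn = sys.argv[1:4]
    print(json.dumps(get_credentials(profile, role_arn, principal_arn, lambda: os.environ["SAML_RESPONSE"])))
```

Point a profile at it in `~/.aws/config` with `credential_process = /path/to/adfs_creds.py adfs arn:aws:iam::<account>:role/<role> arn:aws:iam::<account>:saml-provider/<provider>` (placeholders), and the AWS CLI and the CodeCommit credential helper will refresh through the script whenever the cache has expired.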

Answered By SkepticalSeahorse On

Have you thought about switching from CodeCommit? It's been marked as EOL, so it might be worthwhile to check out alternatives like GitHub or GitLab. By the way, are you using AWS SSO on the CLI? If you have roles set up, you could configure them in your settings, eliminating the need to use STS assume role.

Answered By TechWhiz89 On

You can actually adjust the timeout settings! Just keep in mind that one of the benefits of using federated access is that you get short-lived credentials. You could also consider using a background process to refresh your tokens just before they expire, which could ease the hassle a bit.
