Simplifying AWS CodeCommit Access with ADFS: Any Tips?

Asked By CuriousCat42 On

Hey everyone! I'm currently in a setup where access to our AWS account is done through Active Directory Federation Services (ADFS), and we don't have permanent access keys. This has made it tricky to work with AWS CodeCommit repositories.

I usually have to use the aws sts assume-role-with-saml command to get temporary credentials, but these credentials only last for an hour. So, every hour, I have to:
1. Manually get the SAML response.
2. Execute the assume-role-with-saml command.
3. Set the new credentials as environment variables.

This process feels pretty cumbersome to repeat so frequently. I tried using saml2aws to make it more manageable, but our login system needs a client certificate for authentication, which saml2aws doesn't seem to support.

Has anyone experienced something similar? I'm looking for tools or methods that could help in managing temporary credentials for CodeCommit without the hassle of frequent manual work in a federated ADFS situation. Any thoughts would be greatly appreciated!

1 Answer

Answered By TechWiz99 On

You could actually adjust the timeout for the credentials, though don't set it too long since short-lived tokens are a big plus of using federated access. Alternatively, you could run a background process that refreshes the tokens automatically just before they expire.

CuriousCat42 -

I was considering asking our ADFS admin to modify the session period by adjusting the SAML session settings, but they are quite strict about security measures. Also, I’m not sure how to implement a background process for refreshing the tokens. I’ll definitely look into that. Thanks for the suggestion!
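One way to build the background refresh process suggested in the answer, as an added example that is not part of the original thread. It writes each new set of temporary credentials to a named profile in the shared credentials file, because a background process cannot update environment variables in shells that are already open. The profile name `codecommit-saml`, the five-minute margin and the `get_assertion` callable are assumptions: `get_assertion` is a hypothetical hook that must return a fresh base64 SAML response on every call, and obtaining one from a login that requires a client certificate is not covered here.

```python
import configparser, json, os, subprocess, tempfile, time
from datetime import datetime, timezone

REFRESH_MARGIN = 300  # assumed: refresh five minutes before the credentials expire

def seconds_until_refresh(expiration_iso, now=None, margin=REFRESH_MARGIN):
    """Seconds to wait before refreshing, given the STS 'Expiration' timestamp."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(expiration_iso.replace("Z", "+00:00"))
    return max(0, int((expires - now).total_seconds()) - margin)

def write_profile(creds, path, profile="codecommit-saml"):
    """Store temporary credentials in one profile, leaving other profiles untouched."""
    cfg = configparser.RawConfigParser()
    cfg.read(path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    cfg.set(profile, "aws_session_token", creds["SessionToken"])
    # Create the new file owner-only (0600), then swap it in atomically so a
    # concurrent git or aws call never reads a half-written file.
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.replace(tmp, path)

def assume_role_with_saml(role_arn, principal_arn, assertion_b64):
    """Run the CLI call from step 2 and return its 'Credentials' object."""
    # Pass the assertion through an owner-only temp file (file://) so it does
    # not show up in the process list as a command-line argument.
    with tempfile.NamedTemporaryFile("w", suffix=".saml") as fh:
        fh.write(assertion_b64)
        fh.flush()
        out = subprocess.run(
            ["aws", "sts", "assume-role-with-saml", "--role-arn", role_arn,
             "--principal-arn", principal_arn,
             "--saml-assertion", "file://" + fh.name, "--output", "json"],
            check=True, capture_output=True, text=True).stdout
    return json.loads(out)["Credentials"]

def refresh_forever(role_arn, principal_arn, get_assertion, path):
    """Loop: fetch a fresh assertion, exchange it, store the result, sleep."""
    while True:
        creds = assume_role_with_saml(role_arn, principal_arn, get_assertion())
        write_profile(creds, path)
        # Floor of 60 s avoids a tight loop if STS returns a very short session.
        time.sleep(max(60, seconds_until_refresh(creds["Expiration"])))
```

With the credentials in a profile, Git can pick them up through the AWS CLI credential helper, for example `git config --global credential.helper '!aws --profile codecommit-saml codecommit credential-helper $@'` together with `git config --global credential.UseHttpPath true`.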
