Credential Process

Source Credentials from Weep automatically with Credential Process

AWS SDKs have the ability to source credentials from an external process by specifying a command in your AWS config file. You can read more about this feature in the AWS docs.

Read about AWS configuration settings and precedence for information about precedence of credential sources.

Update your ~/.aws/config file with information about the profile you want to configure, and the role you want weep to assume. Example:

[profile consoleme_oss_1]
credential_process = weep credential_process arn:aws:iam::012345678901:role/consoleme_oss_1_test_admin

[profile consoleme_oss_2]
credential_process = weep credential_process consoleme_oss_2_test_admin

[profile test_account_user]
credential_process = weep credential_process test_account_user

Then just run your application or AWS CLI command with the appropriate profile:

AWS_PROFILE=test_account_user aws sts get-caller-identity

# you can also use the --profile flag
aws --profile test_account_user sts get-caller-identity

Profiles can also be set in AWS SDKs. For example in boto3:

import boto3

session = boto3.Session(profile_name="test_account_user")
client = session.client("sts")
print(client.get_caller_identity())

Generating Credential Process Commands

Weep can automatically update your AWS config file with profiles for each of your available roles. These profiles are named with the full ARN of the role.

AWS SDKs appear to be analyzing your ~/.aws/config file on each API call. This could drastically slow you down if your the file is too large.

# Please read the caveat above before running this command. The size of your ~/.aws/config file may negatively impact
# the rate of your AWS API calls.
weep credential_process --generate

Last updated