Support for credential_process in ~/.aws/config

[kennu]

This is a Feature Proposal

Description

AWS CLI supports the credential_process option in ~/.aws/config profiles, which allows you to store credentials somewhere else than the plain ~/.aws/credentials file. For instance, you can create a script that fetches them from 1Password using the 1Password CLI.

Serverless Framework doesn't support this so if you use this feature, you will get a Profile does not exist error when deploying. I know supporting this may not be quite trivial, but it might be very convenient.

Additional Data

• Serverless Framework Version you're using: 1.26.1
• Operating System: macOS
• Stack Trace:
• Provider Error messages:

[meatherly]

Just needs to be merged aws/aws-sdk-js#1923. Then we can implement it on serverless

[StevenACoffman]

This has been merged in aws/aws-sdk-js#2559 and is available with aws-sdk-js v2.474.0 through v2.429.0

Would appreciate if this got picked up.

[mungojam]

It would be lovely to see this progress again (sorry I can't help at the moment). Currently I have to keep switching my config files between using credential_process for all other SDKs and tools and using temporary credentials when calling serverless.

[thomasmichaelwallace]

Just another +1.

credential_process seems to be a good work around for #7567 (see https://github.com/benkehoe/aws-sso-credential-process).

At the moment I'm trying to understand why the serverless framework uses it's own approach to credentials; which seems to be the reason that credential_process is supported by the aws-sdk out-of-the-box, but doesn't work here.

[flyinprogrammer]

but seriously, why aren't we using the default CredentialProviderChain ??

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html
https://github.com/aws/aws-sdk-js/blob/f1c689ffbca0d21d7bd359d5d4a5f1bd2b498a8b/lib/node_loader.js#L58-L70

[thomasmichaelwallace]

@flyinprogrammer - I'm actually trying to get together a PR to see about using it.

However, because sls hasn't used the default chain, there's a few additional cases I'm working through.

For comment, it's looking something like this:

    // Tweak the default provider chain to match serverless extensions:
    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html#defaultProviders-property
    const credentialProvider = new AWS.CredentialProviderChain([
      function () { return new AWS.EnvironmentCredentials('AWS'); },
      function () { return new AWS.EnvironmentCredentials('AMAZON'); },
      // add serverless specific AWS_${STAGE} environment
      function () { return new AWS.EnvironmentCredentials(environment); },
      // prefer serverless configured profile and readline token fn for ini:
      function () { return new AWS.SharedIniFileCredentials({ profile, tokenCodeFn, filename }); },
      // function () { return new AWS.ECSCredentials(); }
      // prefer serverless configured profile for process:
      function () { return new AWS.ProcessCredentials({ profile }); },
      // function () { return new AWS.TokenFileWebIdentityCredentials(); },
      // function () { return new AWS.EC2MetadataCredentials(); }
      // support serverless config credentials
      function () { return new AWS.Credentials(providerCredentials) },
    ]);