Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add note about aws configure export-credentials #13

Closed
jaklan opened this issue Jan 1, 2023 · 7 comments
Closed

Add note about aws configure export-credentials #13

jaklan opened this issue Jan 1, 2023 · 7 comments

Comments

@jaklan
Copy link

jaklan commented Jan 1, 2023

After merging and releasing aws/aws-cli#7398, I believe aws configure export-credentials should be the recommended solution. It would be worth to note in the README.md that aws-export-credentials is either a legacy solution (is it?) or highlight differences between these two approaches.
@jaklan
Copy link
Author

jaklan commented Jan 1, 2023
edited
Loading

Actually - I already see one difference: aws configure export-credentials doesn't generate any new credentials, just utilise what's able to find in envars / ~/.aws/credentials / ~/.aws/cli/cache, but aws-export-credentials exports new credentials each time it's executed - I believe because it takes different approach and creates a new botocore session each time and exports its credentials.

I mean - the latter is already mentioned in docs at the very beginning:

There are a number of other projects that extract AWS credentials and/or inject them into programs, but all the ones I've seen use the CLI's cache files directly, rather than leveraging botocore's ability to retrieve and refresh credentials. So I wrote this to do that.

but maybe it's not intuitive aws configure export-credentials works differently.

@jaklan jaklan mentioned this issue Jan 1, 2023
Closed
@benkehoe
Copy link
Owner

Oh, hm. Would we consider this a bug in the CLI's implementation?

@jaklan
Copy link
Author

jaklan commented Jan 30, 2023

I believe it's done this way on purpose in AWS CLI, to avoid any additional side effects of running export command. Actually aws-export-credentials is the one which is more like aws-retrieve-and-export-new-credentials 😉

@benkehoe
Copy link
Owner

I believe the AWS CLI's implementation does refresh credentials, because it uses the normal credential resolution mechanisms of the AWS CLI (and botocore). I've added a note to the README in 33a6013

@jaklan
Copy link
Author

jaklan commented Apr 27, 2023
edited
Loading

@benkehoe actually I meant sth different - that aws-export-credentials each time creates a new session and returns new credentials, but aws configure export-credentials relies on the current session and returns the same credentials (until there's a need to refresh, as you mentioned, but that's another thing).

@benkehoe
Copy link
Owner

Oh, yes, I see. If there are unexpired credentials in ~/.aws/cli/cache, aws configure export-credentials can use those. But boto3 does not use that cache, so aws-export-credentials does not either, but it does provide a separate, optional caching mechanism.

@jaklan
Copy link
Author

jaklan commented Apr 27, 2023

Yeah yeah, I got it, just wanted to highlight the difference, but I see I already did that on January 😄

I believe it's done this way on purpose in AWS CLI, to avoid any additional side effects of running export command. Actually aws-export-credentials is the one which is more like aws-retrieve-and-export-new-credentials 😉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add note about aws configure export-credentials command jaklan/aws-export-credentials
2 participants
@benkehoe @jaklan