Add Support for IAM Roles Anywhere CreateSession #2731

Open
2 tasks
rittneje opened this issue Jul 19, 2022 · 4 comments
Labels
feature-request A feature should be added or improved. p3 This is a minor priority issue queued This issues is on the AWS team's backlog

Comments

@rittneje

Describe the feature

Add native support for CreateSession to the SDK.

Use Case

We would like to leverage IAM Roles Anywhere to "bootstrap" AWS credentials into our external services that are written in Ruby. We are unable to use the precanned credential_process binaries.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

3.122.0

Environment details (OS name and version, etc.)

Linux

@rittneje rittneje added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 19, 2022
@mullermp
Contributor

Thanks for opening an issue. Why are you unable to use the provided credential_process helper?

@rittneje
Author

rittneje commented Jul 19, 2022

@mullermp Without getting into the finer details, the main issue is we cannot really deploy an arbitrary executable. We can only deploy the Ruby code.

To be honest I'm not sure what the motivation was for making it a separate process instead of integrating it with the SDKs, given that you need an SDK anyway in order to do anything with the resulting credentials. Plus the credential process assumes the existence of a private key file, which means it is incompatible with things like Azure Key Vault.

@alextwoods
Contributor

Thanks for submitting this - I think it's a valuable feature request and something the SDK should likely support natively.

@alextwoods alextwoods removed the needs-triage This issue or PR still needs to be triaged. label Jul 19, 2022
@RanVaknin RanVaknin added p3 This is a minor priority issue queued This issues is on the AWS team's backlog labels Jul 31, 2024
@levicole

levicole commented Sep 26, 2024

I'd like to add that the precanned binaries aren't signed on macOS and thus won't run unless you flip the quarantined bit, which is there for a reason. I haven't checked but this might could be blocked on devices managed by an MDM.

Alternatively, instead of support for CreateSession, altering sigv4 to support passing a cert and key in instead of always requiring an access_key_id and secret_access_key would be sufficient. I don't mind making the request to create the session myself. I mostly don't want to reimplement sigv4.

Edit:
Also, I see this is queued, and I just want to say I appreciate any work on this :)
