Allow passing IAM session policies as CLI flags #195
Comments
Oooh, very intriguing feature. That'd be cool. As for caching, I think we can defer that for another feature? For now, just skip cache puts and gets when these flags are set. At the very least, using raw JSON as a cache key seems like a bad idea; we'd want to canonicalize it first somehow. (cough) I'm not really clear on how the two flags would stack; the API docs didn't make it any clearer. Sounds like it's the intersection of them all? So I guess you could pass both just fine.
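The canonicalization concern raised in the comment above, sketched as an added example that is not part of the thread or the project's code: the inline policy is re-encoded so formatting and key order do not change the key, and the policy ARNs are sorted. `SessionCacheKey`, `canonicalPolicy` and the sample ARN are hypothetical, and sorting the ARNs assumes the intersection semantics discussed in this thread, so their order does not matter.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// canonicalPolicy re-encodes a policy so whitespace and object key order stop
// mattering (encoding/json emits map keys sorted). Array order is preserved.
func canonicalPolicy(policy string) ([]byte, error) {
	if strings.TrimSpace(policy) == "" {
		return nil, nil // no inline session policy
	}
	dec := json.NewDecoder(strings.NewReader(policy))
	dec.UseNumber() // keep numbers exactly as written
	var doc map[string]interface{}
	if err := dec.Decode(&doc); err != nil {
		return nil, fmt.Errorf("invalid session policy: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF || doc == nil {
		return nil, fmt.Errorf("session policy must be one JSON object")
	}
	return json.Marshal(doc)
}

// SessionCacheKey is a hypothetical helper: it hashes the role ARN, the
// canonical policy and the sorted policy ARNs into one cache key.
func SessionCacheKey(roleARN, policy string, policyARNs []string) (string, error) {
	canon, err := canonicalPolicy(policy)
	if err != nil {
		return "", err
	}
	arns := append([]string(nil), policyARNs...) // do not reorder the caller's slice
	sort.Strings(arns)
	h := sha256.New()
	for _, part := range append([]string{roleARN, string(canon)}, arns...) {
		fmt.Fprintf(h, "%d:%s,", len(part), part) // length prefix keeps fields unambiguous
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() { // constructed sample values
	fmt.Println(SessionCacheKey("arn:aws:iam::123456789012:role/example", `{"Version":"2012-10-17","Statement":[]}`, nil))
}
```

Two policies that differ only in how they are written (for example `"Action": "x"` versus `"Action": ["x"]`) still produce different keys, which costs an extra cache miss but never reuses credentials scoped by a different policy.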
I think it's an intersection of the role policies, the inline session policy, and the managed policies. I'll see if I can figure that part out. Skipping the cache when either of these flags is passed makes sense to me. 👍
Edit: Support in the Go SDK is present. See my comment on the related issue for the aws-go-sdk-base for more detail: hashicorp/aws-sdk-go-base#11 (comment). There should be no blockers for this issue on that front.
This issue has been automatically marked
Closing due to staleness. Closed does not mean "never", just that it has no momentum to get accomplished any time soon.
The STS assume role operations allow passing IAM session policies that can further scope down the permissions of the role. I'd like to add these capabilities as CLI flags: something like --policy and --policy-arns, with the former being a JSON string and the latter being a list of IAM role ARNs.
One thing I'm unsure of is how these policies would interact with the session cache. Possible options I can think of:
--no-session-cache flag
I'm happy to submit a PR if this is a desired feature.
Reference Docs: