AWS Plugin & source_profile incompatibility?

Enomis
Community Member

Hi,

It is not clear to me how 1Password should be configured for multi-profile management in the case of source profiles.
In particular, the documentation at https://developer.1password.com/docs/cli/shell-plugins/aws/#optional-assume-multiple-roles first says that the file ~/.aws/credentials could be removed (with the appropriate "warnings"), but then below it gives an example of profile management to be placed in ~/.aws/config:

[profile prod]
role_arn = arn:aws:iam::123456789012:role/prod
source_profile = wendyappleseed

In my case, if I run the command for a profile where source_profile = <some profile> is specified, I get the error:

[ERROR] 2023/09/24 18:26:42 could not run AWS CLI plugin: failed to provision credentials, encountered error(s):
source profile "" does not exist in your AWS config file

If I comment out the "source_profile" instead, then it works.

I have tried defining the profile both in ~/.aws/credentials (standard) and in ~/.aws/config, but in both cases without success.

Honestly, excluding the fact that you want to keep a source_profile and thus the definition in ~/.aws/credentials, I think it goes against the principle of "security" that I think comes into being with the CLI (avoid having credentials saved in clear text in your own ~/.aws/credentials file); on the other hand, this might help in cases where you use tools that are not compatible with 1Password and for which you would then have to employ the AWS CLI without the op plugin.

So I was curious if in the documentation the inclusion of source_profile = wendyappleseed is consistent (and thus there is something I don't know) or if it is just an oversight instead.

My OP Cli version is 2.21.0.

Thanks


1Password Version: 2.21.0

Comments

  • Hi @Enomis, the AWS shell plugin is meant to replace the AWS CLI as much as possible. As far as I know, all use cases should be covered except for the one where you have multiple sets of credentials you need to switch between. From our research, most AWS users will just have 1 set of credentials and will need to switch between multiple profiles.

    In the context of the shell plugin, the source_profile field is to be specified in the .aws/config when you want to chain profiles. So basically start with the role/permissions of one profile and then branch into other roles starting from that. There will only be 1 set of master credentials which will be securely stored in 1Password.

    Does this answer your question?

    Best,
    Andi

  • Enomis
    Community Member

    Understood, thanks for your reply.

This discussion has been closed.
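
The profile chaining discussed in this thread can be checked offline before running the CLI. The following is an added example, not code from the thread or from 1Password: it parses AWS config text, follows each source_profile link, reports a link that points at a profile that is not defined, and lists profiles that still carry static keys in clear text. The profiles "staging", "missing-base" and "legacy" and the key values are constructed, and the cycle guard is a simplification of what the AWS CLI does.

```python
import configparser

# Constructed ~/.aws/config text. "prod" and "wendyappleseed" come from the
# thread; "staging", "missing-base", "legacy" and the key values are made up.
SAMPLE_CONFIG = """
[profile wendyappleseed]
region = us-east-1

[profile prod]
role_arn = arn:aws:iam::123456789012:role/prod
source_profile = wendyappleseed

[profile staging]
role_arn = arn:aws:iam::123456789012:role/staging
source_profile = missing-base

[profile legacy]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder-not-a-real-secret
"""

def load_profiles(text):
    """Return {profile name: settings} from AWS config file text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    # Named profiles are "[profile NAME]" in ~/.aws/config; "[default]" has no prefix.
    return {s.removeprefix("profile ").strip(): dict(cp[s]) for s in cp.sections()}

def resolve_chain(profiles, name):
    """Follow source_profile links from `name`; return (chain, error or None)."""
    chain = []
    while True:
        if name not in profiles:
            return chain, f'profile "{name}" does not exist'
        if name in chain:  # simplified guard so a cycle cannot loop forever
            return chain + [name], "source_profile cycle"
        chain.append(name)
        if "source_profile" not in profiles[name]:
            return chain, None
        name = profiles[name]["source_profile"].strip()

def plaintext_keys(profiles):
    """Profiles that still hold static keys in clear text."""
    return sorted(n for n, p in profiles.items() if "aws_secret_access_key" in p)

if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    for name in profiles:
        print(name, *resolve_chain(profiles, name))
    print("static keys in:", plaintext_keys(profiles))
```

To check a real file, pass the contents of ~/.aws/config to load_profiles instead of SAMPLE_CONFIG.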