Q: I’m planning to convert my CI aws bb scripts from using shell calls to use the new aws pod. I’d like to start using Vault at the same time https://github.com/99designs/aws-vault
@steveb8n I'm not sure about the details of this by @jeroenvandijk could probably tell you more
What is always possible is to use the credential_process provider to shell out to some custom script which connects to custom providers
thanks. good to know that there’s a programmatic way to do this. since Vault is considered a creds best practice, eventually the bb pod will support it
hopefully it just works 🙏
Maybe also good to post an issue
I’ll give it a try and will log an issue if it doesn’t work. otherwise I’ll provide some doc for you if it needs some extra config
@steveb8n I haven’t used aws-vault and I’m not familiar with its features. But I assume it can be made compatible with credential_process. Can the tool print temporary credentials to stdout?
no idea. it’ll be the first time I’m using it as well
but I was advised by AWS architects that I should be using it
so I’ll report back. thanks for replying 🙂
Ok 🙂 They say a lot of things 😅
you can always make it print the creds in JSON using a custom script
that’s right 😉
that said, since I’m providing enterprise SAAS I need to be able to show best practice security so I’ll follow advice like this
I’m joking, aws-vault is probably a good practice. Just not the only one. @lukaszkorecki is using AWS SSO. I think that could be an even better practice
yeah, I’m also using a yubikey
I’m using Okta (similar to AWS SSO)
but still need to configure assumed roles. so many layers!
yeah ignorance is bliss
Okta was founded by my former manager. I know it well
</end> name dropping
Cool! I started using it before there was AWS SSO and haven’t tried that yet. So I can not make a proper comparison. I’m assuming AWS SSO is a lot easier to use with AWS. Had to build my own tool for Okta
I’m using Cognito for my users. It’s not as nice as Auth0 etc but it removes an external dependency. I’d bet AWS SSO is similar. Okta is bound to be better since it’s their specialty
Thanks for the feedback. I’ll report back
I think you can now wire things up a bit differently with Okta and AWS SSO - meaning, that Okta is just a SAML 2.0 IdP (we use Google G-Suite/Workspace/Apps), and from there it doesn't really matter how you log in after running aws sso login --profile=.... - my team just has to copy the aws config from our repo, with all of the required profile entries (account IDs, assumed roles etc) and it works out of the box. I have never used aws-vault and Okta's own AWS auth (I believe it's a thing) so cannot comment on that
looks like aws-vault exposes creds as environment variables, so the babashka pod should just work?
Yes
there's a similar tool for AWS SSO https://github.com/linaro-its/aws2-wrap (I rewrote it in Clojure as a custom auth provider for aws-api)
Thanks!
@jeroenvandijk Maybe a stupid question, but is there a reason not to call the AWS SSO in the main bb script and then pass the credentials via the basic credential provider?
That would be possible but you would have to copy-paste this code everywhere or put it in a library
Also if you want to use it with other tools it’s handy to have it as a credential_process. E.g. for when you do want to use the aws cli tool
Sure!
Wouldn't you have to copy/paste (or librarify) this code anyway, regardless of which side you use it on?
My idea is to have a parameterized script that I can use for multiple AWS profiles in ~/.aws/credentials
e.g.
[production]
credential_process = bb tools/aws_fetch_sso.clj --region us-east-1 --account-id 1111111 --role-name Admin --startUrl https://your-start-url-hostname.awsapps.com/start
[staging]
credential_process = bb tools/aws_fetch_sso.clj --region us-east-1 --account-id 2222222 --role-name SomeOtherRole --startUrl https://your-start-url-hostname.awsapps.com/start
nice
Compared to the aws cli solution this is much less cumbersome. With aws cli, you have to run aws config and I had no idea how it worked until I found a blog post that was describing all the steps. No dependency on Python here 🙂
btw, I noticed that the babashka aws pod is quite an improvement on the aws cli in startup time
@lukaszkorecki I added caching to the aws sso credential_process script. So ready for usage I think 🙂 It also works with the aws cli https://gist.github.com/jeroenvandijk/ace7432be94d083e63729ac313a0b78f
@jeroenvandijk really cool - if I understand correctly, most SDKs can pick up the credential_process option, including bb's aws pod?
@lukaszkorecki yes, from experience I know this to be true for the aws cli (so maybe also the Python SDKs) and the java sdk (used by Amazonica). aws-api doesn’t support it yet (https://github.com/cognitect-labs/aws-api/issues/73)
Awesome, that's super helpful
@jeroenvandijk when you're done developing this, maybe we could add it to the docs of the pod, or to an examples dir
Yeah I was thinking of how to distribute this in a convenient way. I have more scripts like this in mind, so was actually thinking of a separate repo. Maybe even installable via homebrew or something so it is easy to find and install
Also it becomes complex pretty quickly, so tests would be nice too
well, maybe as a gitlib?
could be helpful when using it as a library. gitlibs don’t support adding binaries to the PATH, right?
well, you can check anything into git, but maybe not the best thing to do. why?
what kind of binary?
just to make it a bit more convenient. Like how you install babashka through homebrew and not having to manage everything yourself (including updates)
a binary as in chmod +x script/my-babashka.clj
btw, I'll most likely write my own version of the SSO provider, as for example - when configuring SSO you have to have a valid config with profiles - @jeroenvandijk version assumes that some of that is configured in source
I’ll look into it later. For now, I spend way too much time on everything related to this pod 😅
but this was also the pod / native aws thing you have tried to come up with for a long time... right? so not time wasted...?
@lukaszkorecki My script only assumes you give it the right arguments in your credentials file (region, account-id, role and start url).
@borkdude sorry definitely didn’t mean wasted! Just that I need to focus a bit on other things and not sure when I’ll get to wrapping all these other things properly
@jeroenvandijk if you are distributing .clj files, I think gitlibs are the way to go.
(require '[babashka.deps :as deps])
(deps/add-deps '{:deps {jeroenvandijk/scripts {:git/url "https://github..." :sha "..."}}})
(require '[jeroenvandijk.scripts.aws-thing :as aws-thing])
Yeah looks good! Thank you
Btw, I automated bumping the aws-api deps using a bb script: https://github.com/babashka/pod-babashka-aws/blob/main/script/update-deps.clj
ah smart
And we have already 5 contributors now in such a short time. I think it's a success. Thanks for the time you put into the credential stuff especially, the gnarliest bit :)
I have to thank you for sure! 🙏 For putting that much time in this and not even being a real AWS user (yet, right?)
Right, but we're moving to the cloud now at work too, so I'll probably be one soon (either AWS, or Azure)
I’m also happy with the result. I have spent a lot of time in getting AWS tools to compile with Graalvm. This will not be the last one I think
Ah nice. Good to hear you can start with Clojure tools from the start (when using AWS)
has anyone done this i.e. tested that the creds provider works with Vault?
this is more related to sci, but can you interrupt (timeout) a sci.core/eval-string?
@roklenarcic you can do this by using the same strategy nREPL uses: run it in a thread and use the (deprecated!) Thread#stop method
In Java the new, non-obsolete method for doing this is to check Thread/interrupted at various points and end if it is set. Thread/stop can fail to free some resources. For instance in an interpreter like sci, it would be easy to check Thread/interrupted after each expression is evaluated.
Future cancellation and ExecutorService shutdown also send the interrupted signal to the tasks
This still won't catch things like (doall (range)) since it would require those functions in clojure.core to adopt the same strategy
ah true
Hoping this is useful and also looking for feedback. paging-invoke a function to lazily call aws/invoke to page through large result sets. https://gist.github.com/lgouger/2262e2d2503306f2595e48a7888f4e73
Another huge shoutout to bb - I was able to convert my legacy "full" Clojure project, which interacted with BigQuery, to just a one-file bb script (which uses bb.process and the bq command line tool).