Conversation

@osterman osterman commented Nov 15, 2025

Summary

Adds a comprehensive Product Requirements Document for introducing a new aws/credentials identity kind that obtains AWS credentials from external processes using the AWS SDK's credential_process standard. Enables seamless integration with external credential helpers (aws-sso-cli, Okta CLI, aws-vault, custom SAML tools, etc.).

Why a New Identity Kind?

aws/credentials instead of extending aws/user:

The aws/user identity kind is semantically tied to IAM Users and performs IAM User-specific operations:

  • Takes long-lived credentials (access key + secret key)
  • Calls STS GetSessionToken to generate temporary credentials
  • Prompts for MFA tokens for IAM User MFA devices
  • Enforces IAM User session duration limits (12h without MFA, 36h with MFA)

Semantic mismatch with credential_process:

  • External processes return already-temporary credentials from SSO, assumed roles, or other sources
  • These credentials already include a session token
  • Calling GetSessionToken again would fail (can't get session token from session credentials)
  • MFA is handled by the external process, not by Atmos

Solution: New aws/credentials identity kind

  • Semantic meaning: "I have AWS credentials from an external source"
  • Behavior: Use credentials as-is without transformation
  • Simpler: No MFA prompting, no STS calls, just execute process and use credentials
  • Cleaner: Preserves aws/user for its intended purpose (IAM Users with long-lived credentials)

Identity Kind Comparison

| Feature | aws/user (existing) | aws/credentials (new) |
|---|---|---|
| Purpose | IAM User authentication | External credential processes |
| Credential source | Access key + secret key | credential_process output |
| Transformation | Calls STS GetSessionToken | Uses credentials as-is |
| MFA | Prompts for token | Handled by external process |
| Session limits | IAM User limits (12h-36h) | Process-determined |
| Typical use | Break-glass IAM users | SSO, SAML, corporate auth |
| Provider name | aws-user | aws-credentials |

Use Case from GitHub Issue

User's organization sources temporary AWS credentials from an external process and wants to use Atmos's credential_process standard to integrate with their existing tooling.

Configuration Examples

Generic External Process (GitHub Issue Use Case)

```yaml
auth:
  identities:
    staging:
      kind: aws/credentials
      credentials:
        credential_process: '/home/myuser/.local/bin/external-process staging'
        region: eu-west-1
```

Comparison with aws/user

```yaml
auth:
  identities:
    # For IAM Users with long-lived credentials
    break-glass-user:
      kind: aws/user
      credentials:
        access_key_id: !env AWS_ACCESS_KEY_ID
        secret_access_key: !env AWS_SECRET_ACCESS_KEY
        mfa_arn: 'arn:aws:iam::123456789012:mfa/emergency-user'
        region: us-east-1
      session:
        duration: '12h'  # Atmos calls GetSessionToken with MFA

    # For external credential processes (SSO, SAML, etc.)
    corporate-sso:
      kind: aws/credentials
      credentials:
        credential_process: '/usr/local/bin/corporate-credential-helper prod'
        region: us-east-1
      # No session config - external process determines expiration
```

Identity Chaining

```yaml
auth:
  identities:
    corp-base:
      kind: aws/credentials
      credentials:
        credential_process: '/usr/local/bin/corporate-sso-helper'

    staging-poweruser:
      kind: aws/assume-role
      via:
        identity: corp-base
      principal:
        role_arn: 'arn:aws:iam::111111111111:role/PowerUser'
```

Additional Example Tools

The PRD includes examples for common credential helper tools:

  • aws-sso-cli
  • Okta AWS CLI
  • Custom SAML scripts
  • aws-vault
  • Multi-level identity chaining

🤖 Generated with Claude Code
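An added example (editor's code, not Atmos's and not part of this PR) of the credential_process contract the PRD builds on: the helper prints a Version 1 JSON document on stdout, and the consumer validates it and passes the credentials through unchanged instead of calling GetSessionToken or prompting for MFA. The JSON field names follow the AWS SDK credential_process specification; the function names, the `sh -c` invocation and the deadline handling are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
	"time"
)

// Credentials is the JSON document the AWS SDK credential_process contract requires on stdout.
type Credentials struct {
	Version         int       `json:"Version"` // must be 1
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	SessionToken    string    `json:"SessionToken"`
	Expiration      time.Time `json:"Expiration"` // zero when the helper returns long-lived keys
}

// parseCredentialProcessOutput checks helper output against the contract and rejects
// expired credentials; otherwise they pass through as-is (no GetSessionToken, no MFA prompt).
func parseCredentialProcessOutput(out []byte, now time.Time) (*Credentials, error) {
	var c Credentials
	if err := json.Unmarshal(out, &c); err != nil {
		return nil, fmt.Errorf("credential_process: invalid JSON: %w", err)
	}
	if c.Version != 1 {
		return nil, fmt.Errorf("credential_process: unsupported Version %d (want 1)", c.Version)
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return nil, fmt.Errorf("credential_process: AccessKeyId and SecretAccessKey are required")
	}
	if !c.Expiration.IsZero() && !c.Expiration.After(now) {
		return nil, fmt.Errorf("credential_process: credentials expired at %s", c.Expiration.Format(time.RFC3339))
	}
	return &c, nil
}

// runCredentialProcess runs the configured command line through `sh -c` (as the AWS SDKs
// do on Unix-like hosts) under a caller-supplied deadline, so a hung helper cannot block the caller.
func runCredentialProcess(ctx context.Context, cmdline string) (*Credentials, error) {
	out, err := exec.CommandContext(ctx, "sh", "-c", cmdline).Output() // stdout only; stderr lands in *exec.ExitError
	if err != nil {
		return nil, fmt.Errorf("credential_process %q failed: %w", cmdline, err)
	}
	return parseCredentialProcessOutput(out, time.Now())
}
```

Only the access key id and expiry should ever be logged by a caller; the secret and session token are as sensitive as any other credential.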

Add comprehensive Product Requirements Document for supporting AWS credential_process as a first-class credential source for aws/user identities. Enables integration with external credential helpers (Okta CLI, aws-sso-cli, aws-vault, custom scripts) following AWS SDK standard.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@osterman osterman requested a review from a team as a code owner November 15, 2025 19:20
@coderabbitai
coderabbitai bot commented Nov 15, 2025

Warning

Rate limit exceeded

@osterman has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 4 minutes and 36 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 8125309 and 17138cc.

📒 Files selected for processing (1)
  • docs/prd/aws-credential-process.md (1 hunks)
@github-actions github-actions bot added the size/l Large size PR label Nov 15, 2025
github-actions bot commented Nov 15, 2025

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

Claude (via Conductor) and others added 2 commits November 15, 2025 13:26
Change architectural approach from extending aws/user to introducing new
aws/credentials identity kind for external credential processes.

Key rationale:
- aws/user is semantically tied to IAM Users (calls GetSessionToken, prompts for MFA)
- External processes (aws-sso-cli, Okta) return already-temporary credentials
- New aws/credentials kind uses credentials as-is without transformation
- Cleaner separation of concerns and simpler implementation

Updated examples to use aws/credentials and clarified comparison with aws/user.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Update aws/user example to use Atmos !env YAML function instead of
{{getenv}} Go template syntax for consistency with Atmos conventions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@osterman osterman changed the title docs: PRD for AWS credential_process support docs: PRD for aws/credentials identity with credential_process Nov 15, 2025
Move generic corporate credential helper to Example 1 as the primary
use case. Reorder remaining examples to show various third-party tools
(Okta, aws-sso-cli, aws-vault, custom scripts) as implementations of
the same pattern.

This better reflects the GitHub issue request: organizations with
existing custom credential tooling that want to integrate with Atmos.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
codecov bot commented Nov 15, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.67%. Comparing base (8125309) to head (17138cc).
⚠️ Report is 1 commits behind head on main.

@@            Coverage Diff             @@
##             main    #1795      +/-   ##
==========================================
+ Coverage   70.66%   70.67%   +0.01%     
==========================================
  Files         451      451              
  Lines       42397    42397              
==========================================
+ Hits        29958    29966       +8     
+ Misses       9911     9903       -8     
  Partials     2528     2528              
Flag Coverage Δ
unittests 70.67% <ø> (+0.01%) ⬆️

see 3 files with indirect coverage changes

@osterman osterman added the no-release Do not create a new release (wait for additional code changes) label Nov 16, 2025