Add support for sts assume_role tokens #95
let secret_key = Unix.getenv "AWS_SECRET_KEY" | ||
let secret_key = Unix.getenv "AWS_SECRET_ACCESS_KEY" |
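Review bot: The two `let secret_key` lines read the secret from different variable names (`AWS_SECRET_KEY` and `AWS_SECRET_ACCESS_KEY`), and `Unix.getenv` raises `Not_found` when the variable is unset, so anyone who exports the other name gets an unexplained exception when the test starts. Use one name consistently across the lib_test tests, or catch `Not_found` and report which variable is missing. Since this PR is about STS tokens, an optional read of the session token next to this line (for example with `Sys.getenv_opt`) would let the same test run with temporary credentials.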
Happy to change these values but could it be done in another PR and the change made across the board for all lib_test tests.
Finally, could you add a test that does something basic like creating a token and then using it on a request? Thanks for the code :-)
So I don't quite know the exact best way to conduct the tests for this because the IAM API isn't generated yet, which makes it hard to create/delete all the resources we would need to do a clean test. I suspect the best way might be to add some code that allows for the token to be passed in optionally via env to the tests and support running the tests with that token. Then you would just need a role in your AWS account that you test with and you could assume-role and run the tests.
As a suggestion, can you create the resources needed via the AWS CLI and then pass those through to the OCaml code to perform the request? Longer term we would have IAM bindings and replace the AWS CLI part.
I think that matches my suggestion above?
@UnrealAkama Are you able to finish off this change?
Yah, that makes sense to me. I'll get a commit up in the next couple days that has a way to test it.
Added in #117.
AWS allows users to authenticate requests with temporary credentials that are requested from the STS service. Doing so requires that the token header is signed and included with the request. This adds an optional parameter to calls to allow for a token parameter to be passed in.
This is working for me and I've successfully incorporated it into my code, but I'm putting this in draft until I can test it a bit more. Please let me know if you would like anything changed.
I believe this might solve #76 as well.