On Windows, the getawscreds command line looks first in %APPDATA%\getawscreds.ini, and then in %USERPROFILE%\.getawscreds. On Linux and macOS, the only location checked is
Purpose of Configuration
The configuration is meant only to define the options that correspond to Named Profiles.
Sections of the configuration file define options for a specific named profile, and the command-line typically saves the credentials to that named profile.
The defaults that apply to all named profiles are in a section called "[DEFAULT]". For example, to set the default role within AWS to one named "nlm_aws_users", you would write:

    [DEFAULT]
    role = nlm_aws_users

Profile Specific Options
Named profiles such as "devel" or "prod" might be specified as below.

    [devel]
    idp = authtest.nih.gov
    account = 999999999900
    duration = 14400
    role = myapp_poweruser_role

    [prod]
    idp = auth.nih.gov
    account = 999999999901
    role = myapp_user_role

NOTE: These are not AWS account numbers or roles.
Each section within the configuration file supports these configurable parameters. These are also available on the command-line.
| Parameter | Description |
|---|---|
| idp | Which federated server to use for authentication. This can optionally be a full URL. |
| account | The AWS account number |
| role | The role within AWS - may be an ARN or a name |
| duration | Controls the requested duration for the temporary credentials |
| subject | Controls which smartcard certificate will be used when authenticating by PIV |
| username | Allows a user to authenticate with a different username, for example a Service Account |
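
The following is an added example, not part of getawscreds or its documentation: a small checker that resolves the effective options of each named profile and flags keys outside the six parameters in the table. It assumes the tool's [DEFAULT] handling matches Python's configparser; the function names, the misspelled `acount` key and the sample text are constructed for illustration.

```python
import configparser
import re

# The six per-profile parameters documented in the table above.
KNOWN_OPTIONS = {"idp", "account", "role", "duration", "subject", "username"}

# Constructed sample based on the page's profiles: "prod" omits role so that
# it inherits from [DEFAULT], and carries one misspelled key.
SAMPLE = """
[DEFAULT]
role = nlm_aws_users

[devel]
idp = authtest.nih.gov
account = 999999999900
duration = 14400
role = myapp_poweruser_role

[prod]
idp = auth.nih.gov
account = 999999999901
acount = 999999999902
"""

def load_profiles(text):
    """Return {profile: effective options} with [DEFAULT] values merged in."""
    # interpolation=None keeps a literal '%' (e.g. in a full idp URL) intact.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def lint(text):
    """Return (profile, problem) findings for unknown keys and bad accounts."""
    findings = []
    for name, opts in load_profiles(text).items():
        for key in sorted(set(opts) - KNOWN_OPTIONS):
            findings.append((name, f"unknown option '{key}'"))
        account = opts.get("account")
        # AWS account numbers are 12 decimal digits.
        if account is not None and not re.fullmatch(r"[0-9]{12}", account):
            findings.append((name, f"account is not a 12-digit number: {account!r}"))
    return findings

if __name__ == "__main__":
    for name, opts in load_profiles(SAMPLE).items():
        print(name, opts)
    for name, problem in lint(SAMPLE):
        print(f"[{name}] {problem}")
```

A misspelled key is worth catching because the profile would otherwise silently fall back to the [DEFAULT] or built-in value, and credentials could be requested for a different account or role than intended.
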
Setting the IDP (Identity Provider)
The IDP has a default and some typical values. Through substitution, "authexample.nih.gov" would become the following:
You can optionally set the idp to the full URL as well in case you need to test something unusual.