Using Common Fate for requesting access

Prerequisites

For this recipe, you'll need Common Fate configured.

You can use Granted to request access to roles through Common Fate. Internally, we use AWS credential_process to source credentials through Granted.

You will need to update each role you want to request access to with the following configuration:

- [profile my-profile]
- sso_account_id = <your-sso-account-id>
- sso_region = <your-sso-region>
- sso_role_name = <your-role-name>
- sso_start_url = <https://example.awsapps.com/start>

+ [profile updated-profile]
+ granted_sso_account_id = <your-sso-account-id>
+ granted_sso_region = <your-sso-region>
+ granted_sso_role_name = <your-role-name>
+ granted_sso_start_url = <https://example.awsapps.com/start>
+ credential_process = granted credential-process --profile updated-profile --url https://granted.example.com
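
Review bot: the removed header is `[profile my-profile]` but the added one is `[profile updated-profile]`, so anything still calling `--profile my-profile` would no longer find a matching section. If the rename is only illustrative, keep the original name; either way, the `--profile` value on the `credential_process` line has to match the section header it sits under.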

Note: If you do not provide the --url flag in the credential_process key, you will need to set the Common Fate URL by running:

granted settings request-url set <GRANTED_APPROVALS_URL>
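
When many profiles need this change, the rewrite can be scripted. The Python below is an added example, not code from Granted or Common Fate: `to_granted_profiles` and the sample config are constructed for illustration, and it emits only the keys and the `credential_process` command shown above, omitting `--url` when none is given.

```python
import configparser
import io
import shlex

SSO_KEYS = ("sso_account_id", "sso_region", "sso_role_name", "sso_start_url")

# Constructed sample config: one SSO profile and one profile that must stay untouched.
SAMPLE = """\
[profile my-profile]
sso_account_id = 123456789012
sso_region = ap-southeast-2
sso_role_name = ReadOnly
sso_start_url = https://example.awsapps.com/start

[profile static-keys]
region = us-east-1
"""

def to_granted_profiles(config_text, url=None):
    """Rewrite each SSO profile to the granted_sso_* + credential_process form."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(config_text)
    for section in cfg.sections():
        if not section.startswith("profile "):
            continue
        # Only convert profiles carrying all four sso_* keys; profiles that
        # were already converted, or are not SSO profiles, are left untouched.
        if not all(cfg.has_option(section, key) for key in SSO_KEYS):
            continue
        name = section[len("profile "):].strip()
        for key in SSO_KEYS:
            cfg.set(section, "granted_" + key, cfg.get(section, key))
            cfg.remove_option(section, key)
        # --profile must name the same section the command lives in.
        command = "granted credential-process --profile " + shlex.quote(name)
        if url:
            command += " --url " + shlex.quote(url)
        cfg.set(section, "credential_process", command)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

if __name__ == "__main__":
    print(to_granted_profiles(SAMPLE, url="https://granted.example.com"))
```

Running it a second time on its own output changes nothing, so it is safe to re-run after adding new SSO profiles.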

🎉 Now try running an AWS CLI command with a profile that doesn't have required access.

For example:

 > aws s3 ls --profile needs-requesting

You should see something like

A screenshot of the response from the terminal with a role that needs access