Using Common Fate for requesting access
For this recipe, you'll need Common Fate configured.
You can use Granted to request access to roles through Common Fate. Internally, we use AWS credential_process to source credentials through Granted.
You will need to update each role you want to request access to with the following configuration:
- [profile my-profile]
- sso_account_id = <your-sso-account-id>
- sso_region = <your-sso-region>
- sso_role_name = <your-role-name>
- sso_start_url = <https://example.awsapps.com/start>
+ [profile updated-profile]
+ granted_sso_account_id = <your-sso-account-id>
+ granted_sso_region = <your-sso-region>
+ granted_sso_role_name = <your-role-name>
+ granted_sso_start_url = <https://example.awsapps.com/start>
+ credential_process = granted credential-process --profile updated-profile --url https://granted.example.com
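Review bot: on the credential_process line, "--profile updated-profile" repeats the section name from "[profile updated-profile]", but the surrounding text never says whether the two have to match. A reader who copies the block and renames only the header ends up with credential_process pointing at a different profile name. Suggest adding a sentence that the --profile value is the name of the profile being defined. Separately, the header changes from my-profile to updated-profile in the same diff as the key renames, which can read as if renaming the profile is part of the required change. Keeping one name on both sides would show that the change is only the sso_* keys becoming granted_sso_* plus the new credential_process line.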
Note: If you do not provide the --url flag in the credential_process key, you will need to set the Common Fate URL by running:
granted settings request-url set <GRANTED_APPROVALS_URL>
🎉 Now try running an AWS CLI command with a profile that doesn't have the required access.
> aws s3 ls --profile needs-requesting
You should see something like