From 6f4d6c8f3f0b81d3e39863cfc5fd264863edb573 Mon Sep 17 00:00:00 2001 From: Aaron Turner Date: Mon, 9 May 2022 08:51:24 -0700 Subject: [PATCH] document using pass on linux - pass is superior to file for most Linux users - general tweaks and improvements to docs Fixes: #369 --- docs/FAQ.md | 14 ++++++++++++++ docs/aws-vault.md | 8 ++++---- docs/config.md | 2 +- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/docs/FAQ.md b/docs/FAQ.md index a0800126..7520f2ce 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -22,6 +22,7 @@ * [How do I delete all secrets from the macOS Keychain?](#how-do-i-delete-all-secrets-from-the-macos-keychain) * [Which SecureStore should I use?](#which-securestore-should-i-use) * [Does aws-sso support using AWS FIPS endpoints?](#does-aws-sso-support-using-aws-fips-endpoints) + * [How can I stop typing my password all the time?](#how-can-i-stop-typing-my-password-all-the-time) ##### Errors and their meaning @@ -330,3 +331,16 @@ config.md#SSOCOnfig) blocks) then a few comments: or `--sso` flag because of a [limitation with how shell completion works]( https://github.com/synfinatic/aws-sso-cli/issues/382). Instead you must first `export AWS_SSO=` and then run the command. + +### How can I stop typing my password all the time? + +Choosing a [SecureStore](config.md#securestore-jsonstore) is important from +a usability & security perspective. The default options for MacOS and Windows +should generally be the best, but Linux users default to `file` for compatibility +sake. + +Unfortunately, the `file` option requires you to enter your password pretty much +every time you use `aws-sso`. For that reason, I recommend using the [pass]( +https://www.passwordstore.org) option which uses GPG and optionally the `gpg-agent` +for caching of your GPG passphrase. Please note that configuring pass, GPG +and the gpg-agent are outside of the scope of this documentation. diff --git a/docs/aws-vault.md b/docs/aws-vault.md index 275e8dce..dbe65d77 100644 
--- a/docs/aws-vault.md +++ b/docs/aws-vault.md @@ -5,7 +5,7 @@ * [Feature Comparison](#feature-comparison) Note: I believe this page to be accurate as of `aws-vault` v6.3.1 and -`aws-sso` v1.7.1. If you believe anything on this page is in error, please [let me know]( +`aws-sso` v1.9.0. If you believe anything on this page is in error, please [let me know]( https://github.com/synfinatic/aws-sso-cli/issues/new?title=Documentation+error:)! I get asked a lot why you should use AWS SSO CLI over [AWS Vault]( @@ -141,8 +141,9 @@ and configured! | Role chaining | Yes | Yes | Yes | | CLI auto-complete | Yes | Yes | Yes | | EC2/ECS Metadata server | Yes | No * | No | -| AWS Session tags | Yes | No * | Yes | -| AWS Transitive tags | Yes | No * | Yes | +| AWS Session tags | Yes | No | Yes | +| AWS Transitive tags | Yes | No | Yes | +| Firefox Containers | No | Yes | No | | Exec new shell with AWS creds | Yes | Yes | No | | Detect $AWS\_PROFILE collision | No | Yes | Yes | | Add AWS creds into current shell | No | Yes | No | @@ -155,5 +156,4 @@ and configured! | Role ARN | No | Yes | No | | AccountId & RoleName | No | Yes | No | - **Note:** Items above marked with a `*` are on the `aws-sso` feature roadmap. diff --git a/docs/config.md b/docs/config.md index 483501e4..4d6aca4f 100644 --- a/docs/config.md +++ b/docs/config.md 
@@ -358,7 +358,7 @@ https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.h * `file` - Encrypted local files (OS agnostic and default on Linux) * `keychain` - macOS [Keychain](https://support.apple.com/guide/mac-help/use-keychains-to-store-passwords-mchlf375f392/mac) (default on macOS) * `kwallet` - [KDE Wallet](https://utils.kde.org/projects/kwalletmanager/) - * `pass` - [pass](https://www.passwordstore.org) + * `pass` - [pass](https://www.passwordstore.org) (uses GPG on backend) * `secret-service` - Freedesktop.org [Secret Service](https://specifications.freedesktop.org/secret-service/latest/re01.html) * `wincred` - Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) (default on Windows) * `json` - Cleartext JSON file (very insecure and not recommended). Location
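Review bot: In the new docs/FAQ.md section "How can I stop typing my password all the time?", the answer justifies `pass` only by the reduced prompting and never states what is traded for it, even though the paragraph opens by calling the choice important "from a usability & security perspective". Add one sentence saying that while `gpg-agent` has the passphrase cached the store can be decrypted without a prompt, so the agent's cache lifetime is the setting users should decide on deliberately. It would also help to name the value to set (`pass` as the SecureStore) next to the link rather than leaving it to the linked page. Two wording nits in the same paragraph: the TOC in this file writes "macOS", not "MacOS", and "for compatibility sake" should be "for compatibility's sake".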
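Review bot: In the feature-table hunk of docs/aws-vault.md, the `AWS Session tags` and `AWS Transitive tags` rows go from `No *` to `No`, and by the page's own footnote ("Items above marked with a `*` are on the `aws-sso` feature roadmap") that removes both features from the roadmap. The commit message covers this only as "general tweaks and improvements to docs". Please mention the roadmap change explicitly in the message, or split it into its own commit, since it is a statement about project direction rather than a wording cleanup. The added `Firefox Containers` row is also unrelated to `pass` and deserves a line in the message so it can be found later.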
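Review bot: In the docs/config.md hunk, the added "(uses GPG on backend)" on the `pass` entry reads awkwardly and does not connect to the recommendation this same patch adds to the FAQ, while the `file` entry a few lines above still says only "default on Linux". Suggest wording such as "(uses GPG as its backend)" and a link from this entry to the new FAQ section, so that a Linux user picking a store from this list sees why `pass` is recommended over the default.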