Serverless Better Credentials
The Serverless Better Credentials plugin replaces the existing AWS credential resolution mechanism in the Serverless Framework with an extended version that:
- Supports AWS Single Sign On natively.
- Supports the
credential_process
mechanism for sourcing credentials from an external process. - Respects all of the configuration environmental variables that the javascript aws-sdk v2 supports (e.g.
AWS_SHARED_CREDENTIALS_FILE
/AWS_SDK_LOAD_CONFIG
).
It is designed to be a drop-in replacement; respecting the current credentials resolution order and extensions already provided by the Serverless Framework.
Usage
- Install
npm install --dev serverless-better-credentials
# or
yarn add --dev serverless-better-credentials
- Configure
Add the following to your serverless.yml:
plugins:
- serverless-better-credentials # as the first plugin
# - ... other plugins
AWS Single Sign On (SSO) Support
AWS SSO profiles configured to work with the AWS CLI should "just work" when this plugin is enabled. This includes prompting and attempting to automatically open the SSO authorization page in your default browser when the credentials require refreshing.
Full details about how to configure AWS SSO can be found in the AWS CLI documentation.
Take note that if you are using SSO with the approach AWS document (a shared .aws/config
file) you'll also need to set the AWS_SDK_LOAD_CONFIG
enviornment value to something truthy (e.g. AWS_SDK_LOAD_CONFIG=1
), as described in the AWS SDK documentation.
Other Credential Resolution
Credentials are resolved in the same order the Serverless Framework currently uses. This order is:
- from profile: cli flag
--aws-profile
- from profile: env
AWS_${STAGE}_PROFILE
- from env -
AWS_${STAGE}_X
- from profile -
AWS_PROFILE
- from env -
AWS_X
- from profile - serverless.yml >
provider.profile
(unless --aws-profile is specified) - from config - serverless.yml >
provider.credentials
- from profile -
AWS_DEFAULT_PROFILE
||default
Where:
- profile credentials resolve against the matching
[profile_name]
configuration:- first directly as SharedIniFileCredentials (i.e. key id/secret or STS role)
- then using ProcessCredentials, if an
credential_process
is specified - then using the built-in SSO Credentials if
sso_start_url
, etc. is specified
- env credentials resolve as EnvironmentCredentials (i.e. from the running process environment)
- config credentials resolve directly as Credentials (i.e. from an explicitly set key id and secret)
Help and Support
If you have an issue, suggestion, or want to contribute, please open an issue or create a pull request and I'll take a look.