# [python sdk] how to define default value for dagger.Secret?
Modules can't access secrets from their caller's context, that would make them less safe and less portable.
We're working on a feature that will let you set those defaults in a separate file when loading the module, similar to how .env works. Still in development though.
Thanks!
Is there any way to mount the .aws directory? When using aws sso it generates random json files inside it... When working with different SSO profiles it gets tricky.
I would like to avoid creating software just to be able to run dagger.
@wide vapor is there a command you normally execute on the host machine to get the credential you need? When calling a dagger function from the CLI, and passing secrets as arguments, you can load secrets from various sources. One of them is by executing a command on the host and passing the output.
eg. when using a tool like aws-vault
aws sso login
then the access token is generated inside ~/.aws/sso/cache/<uid>.json
aws configure export-credentials --profile <profile> --format env exports the env vars
I see. A few options then:
- You can reference the contents of the file itself as a secret from the CLI, eg:
dagger call terrible --aws_creds=file://$HOME/.aws/sso/cache/<uid>.json
terrible <- terraform + ansible
love it 😛
😄
- If you can arrange for the token to be set to an env variable, then you can reference that variable with
--aws_creds=env://VARNAME
but I would need the uid before running dagger cli
in the end I think I'll need a helper script
Yeah sorry
You can hook the helper script into dagger with the cmd:// secret backend, eg. dagger call terrible --aws_creds=cmd://"super-helper-script.sh foo bar"
(the script must print the secret plaintext on stdout)
You can pass the whole .aws directory as an argument if you want, but it requires an argument of type Directory, not Secret
dagger call terrible --aws-config=~/.aws
could I mount this inside then?
If you can come up with a helper script clean enough, maybe we can upstream it as a specialized secret backend, eg. dagger call terrible --aws-creds=aws-sso://something
Yes. The directory will get copied into the engine cache, then from there you can have full access to the directory API, including mounting it into a container
I'll try this before then
thanks again