Description
I have been using okta-aws-cli and its support for the credential_process feature of the AWS config, but it turns out that it does not support caching or refreshing the AWS credential. This means that every time a command is called, it is getting a new AWS credential. However, it does support caching the Okta session, but that has a hard-coded duration of 1 hour. The combination has some strange behavior where, no matter what, every hour it will prompt to get the Okta activation token, even if the AWS session duration is much longer. It also has an option to write credentials to disk, but that 1) isn't desirable at all, and 2) doesn't play too well with the credential_process config, as it still prompts every hour for the Okta activation token.
Granted does a pretty great job at caching and refreshing AWS credentials, so I was thinking it would be great if I could have Granted run okta-aws-cli, cache the returned credentials in the encrypted vault, and manage the refresh action as needed based on the session expiration.
Envision a user interface something like:
```ini
credential_process = granted exec-provider <granted options> -- okta-aws-cli <okta options>
```
Since anything that supports the credential_process option must return the same JSON format, that would be a pretty simple interface to wrap and parse.
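As an added illustration of that wrapping, and not code from Granted or okta-aws-cli, the sketch below parses the credential_process JSON contract (Version, AccessKeyId, SecretAccessKey, SessionToken, Expiration), re-runs the child only when the cached credential is missing or about to expire, and otherwise hands the cached one back; the cached value is passed in and returned, so where it is stored (the encrypted vault in the proposal) is the caller's concern, and the refresh skew and the child's command line are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"time"
)

// ProcessCredentials is the JSON contract every credential_process must honour.
type ProcessCredentials struct {
	Version         int       `json:"Version"`
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	SessionToken    string    `json:"SessionToken,omitempty"`
	Expiration      time.Time `json:"Expiration,omitempty"`
}

// ParseProcessCredentials validates a child's stdout before it is cached.
func ParseProcessCredentials(raw []byte) (*ProcessCredentials, error) {
	var c ProcessCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("credential_process output is not JSON: %w", err)
	}
	if c.Version != 1 || c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return nil, fmt.Errorf("invalid credential_process output (Version %d)", c.Version)
	}
	return &c, nil
}

// Resolve returns the cached credentials while they stay valid for at least skew,
// otherwise runs fetch (the child) and parses its output; the bool reports a run.
func Resolve(cached *ProcessCredentials, now time.Time, skew time.Duration,
	fetch func() ([]byte, error)) (*ProcessCredentials, bool, error) {
	if cached != nil && (cached.Expiration.IsZero() || now.Add(skew).Before(cached.Expiration)) {
		return cached, false, nil // credentials without Expiration are treated as long-lived
	}
	raw, err := fetch()
	if err != nil {
		return nil, true, fmt.Errorf("credential_process failed: %w", err)
	}
	c, err := ParseProcessCredentials(raw)
	return c, true, err
}

// ExecFetcher runs a child credential_process such as okta-aws-cli (args assumed).
func ExecFetcher(name string, args ...string) func() ([]byte, error) {
	return func() ([]byte, error) { return exec.Command(name, args...).Output() }
}
```

The exec-provider would call Resolve with whatever the vault holds and write the returned struct back out as JSON, which is all the AWS SDK expects from a credential_process.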