GitBook: [master] 50 pages modified

laranea · Dec 4, 2020 · 707b625 · 707b625
1 parent eb15ff1
commit 707b625
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 23 deletions.
diff --git a/docs/gitbook/weep-cli/commands/credential-export.md b/docs/gitbook/weep-cli/commands/credential-export.md
@@ -1,14 +1,47 @@
 # Credential Export
 
-
+Weep can generate a command to export credentials to [environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) in your shell.
 
 {% hint style="success" %}
 Read about [AWS configuration settings and precedence](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence) for information about precedence of credential sources.
 {% endhint %}
 
+Here's a basic call to print out the credential export command:
+
+```bash
+weep export test_account_user
+```
+
+{% hint style="info" %}
+Weep will do its best to detect your shell and generate the correct export command. Bash, Zsh, and Fish are currently supported.
+{% endhint %}
+
+To automatically export the credentials, just modify your command to be evaluated by the shell:
+
+{% tabs %}
+{% tab title="Bash" %}
+```bash
+eval $(weep export test_account_user)
+```
+{% endtab %}
+
+{% tab title="Zsh" %}
+```bash
+eval $(weep export test_account_user)
+```
+{% endtab %}
+
+{% tab title="Fish" %}
+```bash
+
+eval (weep export test_account_user)
+```
+{% endtab %}
+{% endtabs %}
+
+Then you can verify that the credentials are set in your environment:
+
 ```bash
-weep export arn:aws:iam::012345678901:role/coolApp
-INFO[0001] Successfully retrieved credentials. Expire: 2018-08-01 15:39:12 -0700 PDT
-export AWS_ACCESS_KEY_ID=ASIAS...
+env | grep AWS
 ```
 
diff --git a/docs/gitbook/weep-cli/commands/credential-file.md b/docs/gitbook/weep-cli/commands/credential-file.md
@@ -4,7 +4,7 @@ description: Write to your ~/.aws/credentials file
 
 # Credential File
 
-Weep can write credentials to the [AWS shared credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) file in your home directory. The AWS CLI and SDKs will refer to this file and use the credentials for a specified profile \(or `default` if none is specified\).
+Weep can write credentials to the [AWS shared credential](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) file in your home directory. The AWS CLI and SDKs will refer to this file and use the credentials for a specified profile \(or `default` if none is specified\).
 
 {% hint style="success" %}
 Read about [AWS configuration settings and precedence](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence) for information about precedence of credential sources.
@@ -27,3 +27,22 @@ aws_secret_access_key = .....
 aws_session_token = .....
 ```
 
+Then just run your application or AWS CLI command with the appropriate profile:
+
+```bash
+AWS_PROFILE=test_account_user aws sts get-caller-identity
+
+# you can also use the --profile flag
+aws --profile test_account_user sts get-caller-identity
+```
+
+Profiles can also be set in AWS SDKs. For example in `boto3`:
+
+```python
+import boto3
+
+session = boto3.Session(profile_name="test_account_user")
+client = session.client("sts")
+print(client.get_caller_identity())
+```
+
diff --git a/docs/gitbook/weep-cli/commands/credential-process.md b/docs/gitbook/weep-cli/commands/credential-process.md
@@ -4,6 +4,8 @@ description: Source Credentials from Weep automatically with Credential Process
 
 # Credential Process
 
+AWS SDKs have the ability to source credentials from an external process by specifying a command in your AWS config file. You can read more about this feature in the [AWS docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html).
+
 {% hint style="success" %}
 Read about [AWS configuration settings and precedence](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence) for information about precedence of credential sources.
 {% endhint %}
@@ -21,28 +23,31 @@ credential_process = weep credential_process consoleme_oss_2_test_admin
 credential_process = weep credential_process test_account_user
 ```
 
-Then just run your application or AWS cli command with the appropriate `AWS_PROFILE` environment variable set:
+Then just run your application or AWS CLI command with the appropriate profile:
 
 ```bash
 AWS_PROFILE=test_account_user aws sts get-caller-identity
-```
 
-If you’re using the AWS cli, you can also pass `--profile` like this:
-
-```bash
-aws sts get-caller-identity --profile test_account_user
+# you can also use the --profile flag
+aws --profile test_account_user sts get-caller-identity
 ```
 
-You can generate your `~/.aws/config` file with all of your eligible roles with the following command:
+Profiles can also be set in AWS SDKs. For example in `boto3`:
 
-```bash
-weep generate_credential_process_config
+```python
+import boto3
+
+session = boto3.Session(profile_name="test_account_user")
+client = session.client("sts")
+print(client.get_caller_identity())
 ```
 
 ## Generating Credential Process Commands
 
+Weep can automatically update your AWS config file with profiles for each of your available roles. These profiles are named with the full ARN of the role.
+
 {% hint style="danger" %}
-AWS SDKs appear to be analyzing your ~/.aws/config file on each API call. This could drastically slow you down if your ~/.aws/config file is too large. We strongly recommend using Weep's ECS credential provider to avoid this issue.
+AWS SDKs appear to be analyzing your `~/.aws/config` file on each API call. This could drastically slow you down if your the file is too large.
 {% endhint %}
 
 ```bash

diff --git a/docs/gitbook/weep-cli/commands/credential-provider.md b/docs/gitbook/weep-cli/commands/credential-provider.md
@@ -1,8 +1,12 @@
-# Credential Provider
+---
+description: >-
+ Sourcing Credentials from Weep Automatically with the ECS Credential Provider
+ feature
+---
 
-### Sourcing Credentials from Weep Automatically with the ECS Credential Provider feature
+# Credential Provider
 
-Weep supports emulating the ECS credential provider to provide credentials to your AWS SDK. This is the recommended way to use Weep for the best experience.
+Weep supports emulating the [ECS credential provider](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EC2ContainerCredentialsProviderWrapper.html) to provide credentials to your AWS SDK. This is the recommended way to use Weep for the best experience.
 
 This solution can be minimally configured by setting the `AWS_CONTAINER_CREDENTIALS_FULL_URI` environment variable for your shell or process. There's no need for iptables or routing rules with this approach, and each different shell or process can use weep to request credentials for different roles. Weep will cache the credentials you request in-memory, and will refresh them on-demand when they are within 10 minutes of expiring.
 

diff --git a/docs/gitbook/weep-cli/commands/metadata-service.md b/docs/gitbook/weep-cli/commands/metadata-service.md
@@ -4,18 +4,16 @@ description: Start a metadata service hosting STS credentials for your role requ
 
 # Metadata Service
 
+The Weep metadata service command starts an HTTP server that emulates the [EC2 Instance Metadata Service \(IMDS\)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html). When using this feature, credentials are automatically refreshed by making more calls to the service.
+
 {% hint style="warning" %}
-You must NOT have a shared credentials file \(`~/.aws/credentials`\) when running the metadata service or your AWS SDK will favor that first. You should also not have environment variables set for `AWS_ACCESS_KEY`. These checks will come in a future update. See the [AWS Credential Provider Chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) for more details.
+AWS SDKs expect IMDS to be served at `http://169.254.169.254`. You will need to set up routing for this functionality to work. Instructions can be found in [Advanced Configuration](../advanced-configuration/#setup-routing-for-metadata-proxy).
 {% endhint %}
 
 {% hint style="success" %}
 Read about [AWS configuration settings and precedence](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence) for information about precedence of credential sources.
 {% endhint %}
 
-{% hint style="info" %}
-You will need to set up routing. Instructions can be found in [Advanced Configuration](../advanced-configuration/#setup-routing-for-metadata-proxy).
-{% endhint %}
-
 ```bash
 weep metadata arn:aws:iam::012345678901:role/coolApp
 INFO[0000] Starting weep meta-data service...