Create sessions in IMDS response for static keypair profiles

[ravenium]

When using imds with a static AWS keypair, the aws cli doesn't understand what to do with it when it appears via the metadata service. For example, let's say you have a static key ID/secret in a profile in aws-vault and use it to launch the credential server like so:

aws-vault exec --no-session myprofile -- ./imds-credential-server

This normally would say "directly pass the keypair so I don't have an expiration".

The app itself doesn't complain because it can read the Principal just fine, but when it returns the keypair in metadata, sdk/cli clients return "no credentials found" because they don't expect to see anything other than a valid session in there.

This change (apologies for my mediocre Go) looks to see if there's a sessiontoken missing and if so, spins up a session to get one.

Why do this, you might ask, vs just having aws/aws-vault handle session generation, e.g.:

aws-vault exec myprofile -- ./imds-credential-server
or
./imds-credential-server --profile myprofile
or otherwise?

The basic reason is that while I want to keep credentials off disk (and out of the .aws/credentials file!), I can't eliminate the need for longer lived keypairs just yet. This means storing credentials in things like aws-vault and 1Password.

1Password in particular is of note because it leverages credential_helper, and unlike aws-vault it typically gets configured for static credentials.

Let me know what you think!

[benkehoe]

I just wanted to say I see this, it's useful and needed, but I won't get to it until after re:Invent. And I'll need to do the same thing for aws-export-credentials as well.

[benkehoe]

Finally getting around to this 😅. This looks good, but I've got some organizational refactoring for it, could I push that to your branch? Also, would you like to create a CONTRIBUTORS.md like this and add me and you to it?

[ravenium]

Happy to help - let me know if that works.

[benkehoe]

This is great, thanks!