The AWS CLI get-session-token can generate the keys for a short-lived session.
I'd like something similar in an s3guard command, e.g. "create-role-keys", which would take the existing (full) credentials and optionally:
- ARN of role to adopt
- restrictions as path to a JSON file or just stdin
- output format
- whether to use a per-bucket binding for the credentials in the property names generated
- MFA secrets
- A JCEKS file (with chosen passwd? For better Hive use: append/replace entries in existing file); saved through the Hadoop FS APIs to HDFS, file:// or elsewhere
- Hadoop config XML
- Spark properties
The goal here is to have a workflow where you can generate role credentials to use for a limited time, store them in a JCEKS file and then share them in your jobs. This can be for: Jenkins, Oozie, build files, ...
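
A sketch of the output side of such a command, added here as an illustration and not taken from the issue or from Hadoop's code: it maps session credentials in the JSON shape the AWS CLI prints onto S3A option names, optionally with the per-bucket prefix, and renders them as Hadoop config XML or Spark properties. The function names and the sample credential values are constructed for this example; JCEKS output and the role/MFA handling are not covered.

```python
import json
from xml.sax.saxutils import escape

# Constructed sample in the shape of AWS CLI STS output; every value is fake.
SAMPLE_STS_JSON = """{"Credentials": {
  "AccessKeyId": "ASIAEXAMPLEKEYID",
  "SecretAccessKey": "constructed/secret+value",
  "SessionToken": "constructed-session-token==",
  "Expiration": "2030-01-01T00:00:00Z"}}"""

# S3A credential provider that reads access key, secret key and session token.
TEMP_PROVIDER = "org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider"


def s3a_properties(sts_json, bucket=None):
    """Map session credentials to S3A options; per-bucket names if bucket is set."""
    creds = json.loads(sts_json)["Credentials"]
    prefix = f"fs.s3a.bucket.{bucket}." if bucket else "fs.s3a."
    return {
        prefix + "aws.credentials.provider": TEMP_PROVIDER,
        prefix + "access.key": creds["AccessKeyId"],
        prefix + "secret.key": creds["SecretAccessKey"],
        prefix + "session.token": creds["SessionToken"],
    }


def to_hadoop_xml(props):
    """Render options as a Hadoop configuration file, XML-escaping the values."""
    rows = [
        f"  <property><name>{escape(k)}</name><value>{escape(v)}</value></property>"
        for k, v in props.items()
    ]
    return "<configuration>\n" + "\n".join(rows) + "\n</configuration>"


def to_spark_properties(props):
    """Render options as spark-defaults lines using the spark.hadoop. prefix."""
    return "\n".join(f"spark.hadoop.{k} {v}" for k, v in props.items())


if __name__ == "__main__":
    # The output contains secrets: write it to a file readable only by the job owner.
    print(to_hadoop_xml(s3a_properties(SAMPLE_STS_JSON, bucket="example-bucket")))
```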