Improve AWS credentials flow with entitlement IDs and step-aware polling#138

Merged
afalahi merged 1 commit into main from fix/aws-setup-entitlement-ids
Apr 3, 2026

Conversation


@afalahi afalahi commented Apr 3, 2026

Summary

  • Store cone_app_id and cone_entitlement_id in AWS profiles so credentials can check grants directly without relying on aliases
  • Pre-check for request forms before submitting — directs user to cone get if custom fields are required
  • Check policy step during polling to give accurate feedback (approval needed, denied, provisioning) instead of generic timeout messages
  • Handle 409 duplicate task errors by extracting and displaying the existing task number
  • Retry credential fetch on ForbiddenException while AWS permission propagates after grant
  • Display numeric task IDs in all user-facing messages

Example outputs

Auto-approved:

No active grant for "production-admin" — submitting access request...
Access request submitted (task: 1234)
..
Access granted!

Requires approval:

No active grant for "production-admin" — submitting access request...
Access request submitted (task: 1234)
.
Request submitted for "production-admin" but requires approval.
Check status: cone task get 1234
Once approved, retry the command.

Has form fields:

No active grant for "production-admin". This entitlement requires a request form — request access with:
  cone get --app-id X --entitlement-id Y

Duplicate request:

A pending request already exists for "production-admin".
Check status: cone task get 1234
Once resolved, retry the command.

Test plan

  • Auto-approved entitlement returns credentials
  • Entitlement requiring approval shows task number and stops polling immediately
  • Entitlement with form fields never submits, directs to cone get
  • Duplicate request shows existing task number
  • Denied request reports denied
  • AWS permission propagation delay retries until credentials work
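The step-aware polling and the ForbiddenException retry described in the summary above, as an added example in Go that is not the cone project's own code: the step names, the PollOutcome type, the message text and the attempt limit are assumptions of this example, not the ConductorOne SDK's.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("ForbiddenException") // stands in for AWS's error during propagation

// TaskStep is the policy step a request task is in (names assumed here, not the SDK's).
type TaskStep string

const (
	StepApproval TaskStep = "approval"
	StepDenied   TaskStep = "denied"
	StepGranted  TaskStep = "granted"
)

// PollOutcome says whether polling stops and what the user is shown.
type PollOutcome struct {
	Stop, Granted bool
	Message       string
}

// ClassifyStep turns the task's step into feedback: approval needed and denial
// stop polling immediately instead of running into a generic timeout.
func ClassifyStep(entitlement string, taskID int64, step TaskStep) PollOutcome {
	switch step {
	case StepApproval:
		return PollOutcome{Stop: true, Message: fmt.Sprintf("Request submitted for %q but requires approval.\nCheck status: cone task get %d", entitlement, taskID)}
	case StepDenied:
		return PollOutcome{Stop: true, Message: fmt.Sprintf("Request for %q was denied (task: %d).", entitlement, taskID)}
	case StepGranted:
		return PollOutcome{Stop: true, Granted: true, Message: "Access granted!"}
	}
	return PollOutcome{Message: "."} // provisioning or any other step: keep polling
}

// FetchWithPropagationRetry retries fetch only while it returns ErrForbidden (up to
// maxAttempts); any other error is returned at once rather than masked by the retry.
func FetchWithPropagationRetry(fetch func() (string, error), maxAttempts int) (string, int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		creds, err := fetch()
		if err == nil || !errors.Is(err, ErrForbidden) {
			return creds, attempt, err
		}
	}
	return "", maxAttempts, fmt.Errorf("still forbidden after %d attempts: %w", maxAttempts, ErrForbidden)
}
func main() { fmt.Println(ClassifyStep("production-admin", 1234, StepApproval).Message) }
```

The bounded attempt count matters: an unbounded retry would hide a grant that never propagated, and passing non-Forbidden errors straight through keeps real failures visible.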

@afalahi afalahi force-pushed the fix/aws-setup-entitlement-ids branch 5 times, most recently from 688dacd to c78852e on April 3, 2026 16:44
Add `cone aws setup` to create AWS CLI profiles from ConductorOne
permission sets, and `cone aws credentials` for transparent credential
fetching with automatic access requests.

Key behaviors:
- Store entitlement/app IDs in profiles for direct grant lookup
- Pre-check for request forms before submitting
- Step-aware polling: detect approval needed, denied, provisioning
- Handle duplicate tasks with existing task number
- Retry credential fetch while AWS permission propagates
- Display numeric task IDs in all messages
@afalahi afalahi force-pushed the fix/aws-setup-entitlement-ids branch from c78852e to e1ad49f on April 3, 2026 16:47
@afalahi afalahi enabled auto-merge (squash) April 3, 2026 16:49
@afalahi afalahi merged commit 56e8508 into main Apr 3, 2026
2 checks passed
@afalahi afalahi deleted the fix/aws-setup-entitlement-ids branch April 3, 2026 17:58