
add support for a system-wide /etc/aws/config #9033

@pmoody-

(I initially opened this against awscli but was told this would be an sdk-wide change so I should open it here)

at $job, we use identity center with our aws accounts. we don't have hundreds, but we have enough that trying to manage the roles by hand is impossible. we manage the accounts and the roles assigned to each account centrally and I would like to be able to push a fully generated config file to each managed machine (employee laptop). Since we're using identity center, having the configuration doesn't get you access to a given account/role; that comes from being a member of the right group. So centrally managing this file makes my life, and the lives of everyone at work, a little easier.

For every account we might have three basic roles that look like:

[profile prod-readonly]
sso_start_url = https://foo.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = readonly

[profile prod-eng]
sso_start_url = https://foo.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = eng

[profile prod-admin]
sso_start_url = https://foo.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = admin

and some accounts have lots of profiles with custom roles, eks admin, sales demos, qa, etc. so there are several hundred aws profiles.

Any time an sso_role_name changes, the new role name needs to be reflected in the config file, or the user can't use that role. i.e., if we make the eng role eng-without-ec2-in-us-east-1, anyone trying to run --profile prod-eng will be blocked until they update their ~/.aws/config file to say sso_role_name = eng-without-ec2-in-us-east-1.

In a world with a system-wide configuration, I can use machine management (kandji, puppet, ansible, whatever) to push the updated configuration file out to everyone's machine automatically. I could also use the same machine management to push out a ~/.aws/config, but that would stomp on any personal customizations the users have made. that would make quinnypig's life much worse.

I believe this is similar to but different from #9036. Whereas he has a ridiculously large set of personal settings that he'd like to be able to organize outside of a monolithic ~/.aws/config, I have a group of centrally managed settings I would like to automatically configure for my users.

The centrally managed system-wide settings vs personal settings is a well understood paradigm, with personal settings taking precedence over system-wide settings. These two features could definitely co-exist, and they do for things like ssh(1), at least on debian (https://manpages.debian.org/unstable/openssh-client/ssh_config.5.en.html).

Please let me know if you have any questions.
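A sketch of the precedence model the request describes (a personal ~/.aws/config overriding a managed /etc/aws/config setting by setting, the way ssh_config layers its files), written as an added Python example that is not the SDK's own loader or anything the project has implemented. The parse and merge functions, the second file path, and the sample profile contents are assumptions constructed for illustration.

```python
import configparser
from pathlib import Path

# Assumed paths: /etc/aws/config is the system-wide file the issue proposes;
# ~/.aws/config is the existing per-user file that should take precedence.
SYSTEM_CONFIG = Path("/etc/aws/config")
USER_CONFIG = Path.home() / ".aws" / "config"


def parse_config(text: str) -> dict[str, dict[str, str]]:
    """Parse AWS-style INI text into {section: {key: value}}."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def merge_configs(system: dict, user: dict) -> dict:
    """Merge per section and per key: a key the user sets wins, any key the
    user never set falls through to the centrally managed value."""
    merged = {section: dict(keys) for section, keys in system.items()}
    for section, keys in user.items():
        merged.setdefault(section, {}).update(keys)
    return merged


def _read_if_present(path: Path) -> dict:
    return parse_config(path.read_text()) if path.exists() else {}


def load_effective_config(system_path=SYSTEM_CONFIG, user_path=USER_CONFIG) -> dict:
    """Read both files (either may be absent) and return the merged view."""
    return merge_configs(_read_if_present(system_path), _read_if_present(user_path))


# Constructed sample: the managed file has rolled the eng role name forward;
# the user's personal file only pins a region and adds a profile of their own.
SYSTEM_TEXT = """
[profile prod-eng]
sso_start_url = https://foo.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = eng-without-ec2-in-us-east-1
"""
USER_TEXT = """
[profile prod-eng]
region = us-east-1

[profile personal-sandbox]
region = eu-west-1
"""

if __name__ == "__main__":
    print(merge_configs(parse_config(SYSTEM_TEXT), parse_config(USER_TEXT)))
```

Because the merge is per key, the pushed sso_role_name reaches the user without touching the region or extra profiles they added themselves.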

Labels: cross-sdk, feature-request (A feature should be added or improved.), p2 (This is a standard priority issue)