#geodesic (2024-05)

I love this question. We have pondered and debated exactly these 3 options. So devcontainers is trying to achieve more or less the same thing that we set out to do with geodesic. That is geodesic predates devcontainers. We still use geodesic daily and have been slow to adopt devcontainers.

Devcontainers are optimized for the developer in the IDE. It’s well supported by vscode, less so by other IDEs.

Geodesic is optimized for the command line. It bind mounts volumes and configurations like the AWS config, to make it feel more natural.

Nix is used by multiple developers on our team. For a hot minute we entertained it, but while very cool and solves the things we want to achieve has a high barrier to entry and steep learning curve.

So why geodesic? It has the best of all 3, and is ultimately flexible to use how ever containers are used. It can be used as a remote shell with something like containerssh, it works seamlessly on the command line, we use it with EKS.

By bind mounting the AWS configs and using Leapp, we have seamless authentication between desktop and container.

gotcha, I do think geodesic is the front runner for me at the moment. I’ll give it a whirl this week

thanks for the info!

Nothing preexisting as far as I know. We have the current AWS profile shown, but you could have any number of active Leapp sessions.

Are you familiar with the leapp-cli? You could list your current sessions like this:

leapp session list --filter="Status=^active"

leapp-cli doesn’t work with WSL, unfortunately. The only workaround suggested - is to symlink your windows .aws to your WSL .aws

I don’t use named profiles in leapp (not sure when I should use them), so my profile is always default.

I made changes to /etc/profile.d/aws.sh to have a variable AWS_LEAPP_PROMPT - and if yes, I generate a profile from the account and role name.

This works for me, but my accounts are hardcoded. Would there be interest in a generic version of this, as a PR to geodesic?

it’s cyan, to show that it is a leapp profile, not a real one

As for leapp-cli - as far as I understand, it communicates to the parent process via shared memory - and I can’t figure out a way to make that work between WSL and Windows.

Another option is to run GUI Leapp from WSL, but for some reason it doesn’t work (but other linux gui apps, even built with electron, are working, so it’s a leapp issue)

for our use-case, we have many profiles - one for every customer. So we set the AWS Profile to best the namespace-identity, and then assume roles across the organization using that centralized identity role

Leapp has had many issues related to Windows unfortunately, with the symlink workaround being the biggest. However, considering that Noovolari announced their end last week, we have been considering alternatives. But we have no concrete plans at the moment

That said, Leapp is supposedly going to continue to be supported by beSharp, so it’s likely premature to make any rash decisions about dropping it. We’ll have to see. Maybe we’ll get some improvements for Windows users

@Mike Crowe I’m curious, why are you not satisfied with aws sso login?

@Jeremy G (Cloud Posse) aws cli stored tokens unencrypted. aws sso login would be fine inside geodesic, but it’s not secure enough for me outside geodesic. I wanted one tool that I could use in both places.

Thanks for letting me know.

aws sso stores temporary tokens, with a configurable lifetime, but typically 4 hours and a max of 8 or 12 hours, I don’t recall. I understand if that is not secure enough for you, but I wanted to point it out for other people reading this thread.

I was following CloudPosse’s best-practice recommendation of using Leapp – which seemed (to me) to be addressing security issues related to the aws cli. I guess I would ask you why geodesic recommends Leapp and not aws sso? I didn’t even consider it because of the docs

We recommend Leapp because it handles authentication via API keys and SAML IdPs as well as AWS SSO in a consistent user interface, and uses a real browser (rather than screen scraping) to perform logins. However, we do not discourage use of aws sso. This is the first I’ve heard of aws-sso-cli.

I like it a lot – developer is very responsive