elhaz¶

Version: 0.5.2

Maintainers: 61418

What is elhaz?¶

elhaz is a local daemon-backed AWS temporary credential broker, exposed over a Unix socket and controlled via CLI.

Instead of a locally hosted HTTP metadata emulation service (ECS), which is less secure and requires multiple processes for each assumed RoleArn, elhaz runs a single process and serves automatically refreshed temporary AWS credentials on demand.

elhaz caches AWS sessions for however long the daemon is kept alive (or sessions are removed by command), which eliminates redundant session creations and STS calls.

Unix-socket IPC is lightweight and gives a tighter local boundary than HTTP, avoids exposing local credential endpoints over TCP, and allows temporary credentials to live in memory rather than at rest on disk.

Crucially, because elhaz uses boto3-refresh-session as its core dependency for refreshing temporary AWS security credentials, which in turn depends on botocore, elhaz supports IAM Identity Center (SSO) using the AWS CLI.

elhaz makes multi-role local AWS workflows cleaner by combining brokered access, in-memory caching, IAM Identity Center (SSO) support, and host-local IPC into one model.

How do I use elhaz?¶

To install this tool, check the installation guide.

To get started quickly, check the quickstart guide.

To learn critical concepts for using this tool, check the concepts section of the docs.

For technical details, check the CLI docs.

How did elhaz get its name?¶

Initially, the intention was to name this project “assume”. However, that namespace was already taken and, frankly, “assume” is trite.

The algiz rune (also called “elhaz”) is the 15th letter of the Elder Futhark alphabet. Elhaz symbolizes protection and defense, which are fitting themes for a local credential broker. Elhaz, like “sphinx” or “hugo”, is memorable and compact, which makes it a great fit for any CLI tool!