Replace graphic with ASCII.

While the png graphic was pretty and all, the ASCII art based graphic has one big advatage: it makes the README self-contained. And this is actually an issue as in the distributeion step (make dist) the README is copied along the LICENSE and binary files. So we would need to either copy the png file, too, or replace it with something that is not depending on an external file. I decided for the latter option.
mbrtargeting · Mar 6, 2020 · c37d066 · c37d066
1 parent 9260b30
commit c37d066
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -11,9 +11,34 @@ client. If the federation between the AWS account and the IdP is established, an
 registered in the IdP, you can get AWS temporary credentials via standard browser login. It means you don't need to pass
 your credential of the IdP to this tool.
 
-Please refer the following diagrams how it works.
+Please refer to the following diagrams on how it works.
+Steps (1) and (2) are slightly simplified as there is more going on but it should give an overview.
 
-![flow with oidc](flow-with-oidc.png)
+```
+ (1) authenticate user [username, password] +---------------+
+ +------------------------------------------------------------>| |
+ | | OIDC Provider |
+ | +------------------------------------------------------| |
+ | | (2) authentication successful [id_token] +---------------+
+ | | |
+ | v |
++--------------+ |
+| | trust OIDC provider |
+| aws-cli-oidc | |
+| | |
++--------------+ AWS |
+ ^ | +----------------------------------------|-----+
+ | | (3) assume role A | +---------+ +--------+--------------+ |
+ | | [id_token] | | STS | -| Role A | Trust Policy | |
+ | +------------------------->| | -/ +--------+--------------+ |
+ | | | | --/ . |
+ | | | |/ . |
+ | | | | . |
+ +---------------------------------| | +--------+--------------+ |
+ (4) temporary AWS credential | | | | Role Z | Trust Policy | |
+ [aws_key, aws_secret] | +---------+ +--------+--------------+ |
+ +----------------------------------------------+
+```
 
 ## Prerequisite AWS and OIDC provider settings before using this tool
 
@@ -88,9 +113,9 @@ You can also use this tool directly as a credential process.
 For this, add the following lines to your `.aws/credentials` file.
 ```
 [my-profile]
-credential_process=aws-cli-oidc get-cred google
+credential_process=aws-cli-oidc get-cred google arn:aws:iam::123443211234:role/my-role
 ```
-and make sure that the `aws-cli-oidc` is on your `PATH` or, alternatively, provide the full path to the binary in the
+And make sure that the `aws-cli-oidc` is on your `PATH` or, alternatively, provide the full path to the binary in the
 configuration above.
 
 

diff --git a/flow-with-oidc.png b/flow-with-oidc.png