Skip to content

feat(libstore): add AWS SSO support for S3 authentication #14645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

feat(libstore): add AWS SSO support for S3 authentication #14645

wants to merge 7 commits into from

Conversation

@lovesegfault
Copy link
Member

@lovesegfault lovesegfault commented Nov 25, 2025

Motivation

  • libstore: add AWS SSO support for S3 authentication
  • refactor(libstore/aws-creds): improve error handling and logging
  • chore(libstore/aws-creds): remove unused includes
  • test(s3-binary-cache-store): add profile support for setup_for_s3
  • test(s3-binary-cache-store): clear credential cache between tests
  • test(s3-binary-cache-store): test profiles and provider chain

Context

Fixes: #14476

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

xokdvium
xokdvium reviewed Nov 25, 2025
View reviewed changes
Mic92 and others added 7 commits November 25, 2025 17:34
@Mic92 @lovesegfault
libstore: add AWS SSO support for S3 authentication
c63600d 
This enables seamless AWS SSO authentication for S3 binary caches
without requiring users to manually export credentials.

This adds SSO support by calling aws_credentials_provider_new_sso() from
the C library directly. It builds a custom credential chain: Env → SSO →
Profile → IMDS

The SSO provider requires a TLS context for HTTPS connections to SSO
endpoints, which is created once and shared across all providers.
@lovesegfault
refactor(libstore/aws-creds): improve error handling and logging
f8034e6 
Add validation for TLS context and client bootstrap initialization,
with appropriate error messages when these fail. The TLS context failure
is now a warning that gracefully disables SSO, while bootstrap failure
throws since it's required for all providers.
@lovesegfault
fix(libstore/aws-creds): add STS support for default profile
078ef24 
The default (empty) profile case was using CreateCredentialsProviderChainDefault
which didn't properly support role_arn/source_profile based role assumption via
STS because TLS context wasn't being passed to the Profile provider.

This change unifies the credential chain for all profiles (default and named),
ensuring:
- Consistent behavior between default and named profiles
- Proper TLS context is passed for STS operations
- SSO support works for both cases
@lovesegfault
chore(libstore/aws-creds): remove unused includes
35f59f1
@lovesegfault
test(s3-binary-cache-store): add profile support for setup_for_s3
1a2e90b
@lovesegfault
test(s3-binary-cache-store): clear credential cache between tests
c1a1b43
@lovesegfault
test(s3-binary-cache-store): test profiles and provider chain
2e45b88
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 is a code owner

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

@Mic92 Mic92 Awaiting requested review from Mic92

@xokdvium xokdvium Awaiting requested review from xokdvium

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Re-add support for STS credential provider for S3

3 participants

@lovesegfault @xokdvium @Mic92