config: Enable SSO provider to be mixed with other credential provide…

…rs (#1255)

.changelog/016af652b95e472f960ded9a2e976e11.json

@@ -0,0 +1,8 @@
+{
+    "id": "016af652-b95e-472f-960d-ed9a2e976e11",
+    "type": "bugfix",
+    "description": "`internal/ini`: Disable normalization of config profile names",
+    "modules": [
+        "."
+    ]
+}

.changelog/9eda03d68f1849a981362947a1a2941f.json

@@ -0,0 +1,8 @@
+{
+    "id": "9eda03d6-8f18-49a9-8136-2947a1a2941f",
+    "type": "feature",
+    "description": "SSO credentials can now be defined alongside other credential providers within the same configuration profile.",
+    "modules": [
+        "config"
+    ]
+}

.changelog/f2c891806ed64485bdbee78723db3a88.json

@@ -0,0 +1,8 @@
+{
+    "id": "f2c89180-6ed6-4485-bdbe-e78723db3a88",
+    "type": "bugfix",
+    "description": "Fixed a bug that caused configuration profile names to be incorrectly normalized, which could cause incorrect profile loading in certain cases. ([#1204](https://github.com/aws/aws-sdk-go-v2/issues/1204))",
+    "modules": [
+        "config"
+    ]
+}

config/resolve_credentials.go

@@ -123,21 +123,21 @@ func resolveCredsFromProfile(ctx context.Context, cfg *aws.Config, envConfig *En
 			Value: sharedConfig.Credentials,
 		}
 
-	case sharedConfig.hasSSOConfiguration():
-		err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs)
-
-	case len(sharedConfig.CredentialProcess) != 0:
-		// Get credentials from CredentialProcess
-		err = processCredentials(ctx, cfg, sharedConfig, configs)
-
 	case len(sharedConfig.CredentialSource) != 0:
 		err = resolveCredsFromSource(ctx, cfg, envConfig, sharedConfig, configs)
 
 	case len(sharedConfig.WebIdentityTokenFile) != 0:
 		// Credentials from Assume Web Identity token require an IAM Role, and
 		// that roll will be assumed. May be wrapped with another assume role
 		// via SourceProfile.
-		err = assumeWebIdentity(ctx, cfg, sharedConfig.WebIdentityTokenFile, sharedConfig.RoleARN, sharedConfig.RoleSessionName, configs)
+		return assumeWebIdentity(ctx, cfg, sharedConfig.WebIdentityTokenFile, sharedConfig.RoleARN, sharedConfig.RoleSessionName, configs)
+
+	case sharedConfig.hasSSOConfiguration():
+		err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs)
+
+	case len(sharedConfig.CredentialProcess) != 0:
+		// Get credentials from CredentialProcess
+		err = processCredentials(ctx, cfg, sharedConfig, configs)
 
 	case len(envConfig.ContainerCredentialsEndpoint) != 0:
 		err = resolveLocalHTTPCredProvider(ctx, cfg, envConfig.ContainerCredentialsEndpoint, envConfig.ContainerAuthorizationToken, configs)

config/resolve_credentials_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/sso"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/aws/smithy-go/middleware"
+	smithytime "github.com/aws/smithy-go/time"
 )
 
 func swapECSContainerURI(path string) func() {
@@ -61,11 +62,29 @@ func setupCredentialsEndpoints(t *testing.T) (aws.EndpointResolver, func()) {
 
 	stsServer := httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
-			w.Write([]byte(fmt.Sprintf(
-				assumeRoleRespMsg,
-				time.Now().
-					Add(15*time.Minute).
-					Format("2006-01-02T15:04:05Z"))))
+			if err := r.ParseForm(); err != nil {
+				w.WriteHeader(500)
+				return
+			}
+
+			form := r.Form
+
+			switch form.Get("Action") {
+			case "AssumeRole":
+				w.Write([]byte(fmt.Sprintf(
+					assumeRoleRespMsg,
+					smithytime.FormatDateTime(time.Now().
+						Add(15*time.Minute)))))
+				return
+			case "AssumeRoleWithWebIdentity":
+				w.Write([]byte(fmt.Sprintf(assumeRoleWithWebIdentityResponse,
+					smithytime.FormatDateTime(time.Now().
+						Add(15*time.Minute)))))
+				return
+			default:
+				w.WriteHeader(404)
+				return
+			}
 		}))
 
 	ssoServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -310,6 +329,27 @@ func TestSharedConfigCredentialSource(t *testing.T) {
 				return func() {}, nil
 			},
 		},
+		"sso mixed with credential process provider": {
+			envProfile:           "sso_mixed_credproc",
+			expectedAccessKey:    "SSO_AKID",
+			expectedSecretKey:    "SSO_SECRET_KEY",
+			expectedSessionToken: "SSO_SESSION_TOKEN",
+			init: func() (func(), error) {
+				return ssoTestSetup()
+			},
+		},
+		"sso mixed with web identity token provider": {
+			envProfile:           "sso_mixed_webident",
+			expectedAccessKey:    "WEB_IDENTITY_AKID",
+			expectedSecretKey:    "WEB_IDENTITY_SECRET",
+			expectedSessionToken: "WEB_IDENTITY_SESSION_TOKEN",
+		},
+		"web identity": {
+			envProfile:           "webident",
+			expectedAccessKey:    "WEB_IDENTITY_AKID",
+			expectedSecretKey:    "WEB_IDENTITY_SECRET",
+			expectedSessionToken: "WEB_IDENTITY_SESSION_TOKEN",
+		},
 	}
 
 	for name, c := range cases {

config/shared_config.go

@@ -320,9 +320,6 @@ func LoadSharedConfigProfile(ctx context.Context, profile string, optFns ...func
 		return SharedConfig{}, err
 	}
 
-	// profile should be lower-cased to standardize
-	profile = strings.ToLower(profile)
-
 	cfg := SharedConfig{}
 	profiles := map[string]struct{}{}
 	if err = cfg.setFromIniSections(profiles, profile, configSections, option.Logger); err != nil {
@@ -915,7 +912,6 @@ func (c *SharedConfig) validateCredentialType() error {
 		len(c.CredentialSource) != 0,
 		len(c.CredentialProcess) != 0,
 		len(c.WebIdentityTokenFile) != 0,
-		c.hasSSOConfiguration(),
 	) {
 		return fmt.Errorf("only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso")
 	}
@@ -993,6 +989,10 @@ func (c *SharedConfig) clearCredentialOptions() {
 	c.CredentialProcess = ""
 	c.WebIdentityTokenFile = ""
 	c.Credentials = aws.Credentials{}
+	c.SSOAccountID = ""
+	c.SSORegion = ""
+	c.SSORoleName = ""
+	c.SSOStartURL = ""
 }
 
 // SharedConfigLoadError is an error for the shared config file failed to load.