AssumeRoleOptions does not have TokenCode member #1384

Closed
3 tasks done
NukaCody opened this issue Aug 18, 2021 · 4 comments · Fixed by #1406
Labels
documentation This is a problem with documentation. guidance Question that needs advice or information.

Comments

@NukaCody

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug

AssumeRoleOptions does not have a TokenCode member despite documentation using it as an example for a static MFA token.

Version of AWS SDK for Go?

1.8.0

Version of Go (go version)?

go version go1.16.6 darwin/amd64

To Reproduce (observed behavior)
Steps to reproduce the behavior (please share code or minimal repo)

```go
tokenCode, _ = stscreds.StdinTokenProvider()

// Below would be in goroutine
creds := stscreds.NewAssumeRoleProvider(stsc, role, func(aro *stscreds.AssumeRoleOptions) {
	aro.SerialNumber = aws.String("arn:aws:iam::*:mfa/user")
	// TokenCode is the field the documentation example used; AssumeRoleOptions has no such member.
	aro.TokenCode = aws.String(tokenCode)
})
```

Expected behavior
A clear and concise description of what you expected to happen.

Get MFA token at the entry point of the app, then spin up hundreds of goroutines that assume roles into different accounts that have MFA required using the static token code. Moving StdinTokenProvider inside of the goroutine won't be goroutine-safe nor scalable.

@NukaCody NukaCody added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 18, 2021
@skmcgrail skmcgrail added documentation This is a problem with documentation. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 19, 2021
@skmcgrail
Member

Thanks for raising this documentation issue. The correct structure field to use is TokenProvider, which takes a func() (string, error) that returns a token to be used.

https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials/stscreds#hdr-Assume_Role_with_MFA_Token_Provider has a correct example usage for this.

We will work on getting this addressed and updated.

@jasdel jasdel added the guidance Question that needs advice or information. label Aug 21, 2021
@NukaCody
Author

NukaCody commented Aug 31, 2021

I'm not sure if it's purely documentation. There's still a strong use case for static TokenCode.

It looks like TokenProvider opens up STDIN to read a token, but if you were to run this in thousands of goroutines (at least till that MFA code expires), it wouldn't be a scalable method, because you would have to enter the MFA code thousands of times.

@jasdel
Contributor

jasdel commented Sep 8, 2021

Thanks for the update @NukaCody. We'll work to get the documentation for this updated.

The StdinTokenProvider is a basic implementation of the TokenProvider provided by the SDK for reading a token from stdin, but it is very limited and is not configurable.

Instead of using the SDK-provided StdinTokenProvider, you could provide a custom function that returns the static code.

```go
package main

import (
	"context"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
	"github.com/aws/aws-sdk-go-v2/service/s3"
	"github.com/aws/aws-sdk-go-v2/service/sts"
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.TODO())
	if err != nil {
		panic(err)
	}

	// Use a custom function to provide the token for assume role credential provider.
	staticTokenProvider := func() (string, error) {
		return "someCode", nil
	}

	// Create the credentials from AssumeRoleProvider to assume the role
	// referenced by the "myRoleARN" ARN using the MFA token code provided.
	creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), "myRoleArn", func(o *stscreds.AssumeRoleOptions) {
		o.SerialNumber = aws.String("myTokenSerialNumber")
		o.TokenProvider = staticTokenProvider
	})

	cfg.Credentials = aws.NewCredentialsCache(creds)

	// Create service client value configured for credentials
	// from assumed role.
	svc := s3.NewFromConfig(cfg)
	_ = svc // use svc for S3 calls made under the assumed role
}
```
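
An added example, not code from this thread or from the SDK, of the pattern the issue asks for: a function with the TokenProvider signature that reads the MFA code once and hands the cached result to every goroutine. NewOnceTokenProvider and validateCode are hypothetical names; the example assumes a 6-digit code and that the one code is still accepted for the whole burst of AssumeRole calls.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
	"sync"
)

// NewOnceTokenProvider (hypothetical) returns a func() (string, error), the shape
// TokenProvider takes. Only the first call reads r; later calls get the cached result.
func NewOnceTokenProvider(r io.Reader) func() (string, error) {
	var once sync.Once
	var code string
	var err error
	return func() (string, error) {
		once.Do(func() {
			line, rerr := bufio.NewReader(r).ReadString('\n')
			if rerr != nil && (rerr != io.EOF || line == "") {
				err = fmt.Errorf("reading MFA code: %w", rerr)
				return
			}
			code, err = validateCode(strings.TrimSpace(line))
		})
		return code, err
	}
}

// validateCode fails a mistyped code locally instead of in every AssumeRole call.
func validateCode(s string) (string, error) {
	if len(s) != 6 || strings.Trim(s, "0123456789") != "" {
		return "", fmt.Errorf("MFA code must be exactly 6 digits")
	}
	return s, nil
}

func main() {
	provider := NewOnceTokenProvider(strings.NewReader("123456\n")) // constructed input
	var wg sync.WaitGroup
	for i := 0; i < 3; i++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			_, err := provider() // with the SDK: o.TokenProvider = provider
			fmt.Printf("worker %d: token ok=%v\n", id, err == nil)
		}(i)
	}
	wg.Wait()
}
```

A rejected or unreadable code is cached too, so every worker fails fast with the same error rather than each one prompting again.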

jasdel added a commit to jasdel/aws-sdk-go-v2 that referenced this issue Sep 8, 2021
Fixes the AssumeRoleProvider's documentation for using custom
TokenProviders.

Fixes aws#1384
jasdel added a commit that referenced this issue Sep 8, 2021
…1406)

Fixes the AssumeRoleProvider's documentation and error message for using custom TokenProviders.

Fixes #1384
jrichard8 pushed a commit to jrichard8/aws-sdk-go-v2 that referenced this issue Feb 14, 2022
…ws#1406)

Fixes the AssumeRoleProvider's documentation and error message for using custom TokenProviders.

Fixes aws#1384