
Use the SSOTokenProvider in the SSOCredentialProvider #3532

Merged
merged 6 commits into from Nov 7, 2022

Conversation

joviegas (Contributor) commented Nov 2, 2022

Motivation and Context

sso-sessions will be defined in a profile. In this case the SSOCredentialProvider should use the SSOTokenProvider.

[profile sso-profile]
sso_session = dev
sso_account_id = 012345678901
sso_role_name = SampleRole

[sso-session dev]
sso_region = us-east-1
sso_start_url = https://d-abc123.awsapps.com/start

Profile format

The SSO credential provider MUST support both the profile format defined for the SSO Token Providers and the legacy profile format defined here.
If either the sso_account_id or sso_role_name configuration values are present, the profile MUST be resolved by the SSO credential provider.

Acquiring AWS Credentials

First, the SSOCredentialProvider should acquire a token, either using the SSOTokenProvider or the legacy Access tokens. The token MUST NOT be cached in memory and every attempt to resolve credentials MUST result in reloading the token to ensure the latest token is being used.

Concrete AWS credentials will be retrieved using the SSO data plane service. The SDK client for this service MUST be constructed with the client region as specified in the sso_region profile configuration. The SDK MAY explicitly specify anonymous credentials or configure the client to be unsigned, though this SHOULD NOT be required by the SDK for the client to function.

Modifications

  • Updated the logic for loading SSOCredentialProvider so that it loads when "sso-session" is found in the profile.
  • Updated SsoProfileCredentialsProviderFactory to load the SdkTokenProvider based on profile properties.
  • If "sso-session" exists, load the region from the sso-session and use SsoOidcTokenProvider as the SdkTokenProvider.
  • For legacy profiles, that is, profiles with no "sso-session", use SsoAccessTokenProvider as the SdkTokenProvider.

Testing

  • Integ testing done with the profile mentioned above.
  • Integ test cases could not be checked in since we need a fresh token for every authentication from the sso-oidc service.
  • Added JUnit tests.


Types of changes

  • New feature (non-breaking change which adds functionality)

Checklist

  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license
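The profile-resolution rules quoted in the description (SSO profiles are recognised by sso_account_id or sso_role_name; the token source and the region for the SSO data-plane client come from the sso-session section when sso_session is set, otherwise from the legacy in-profile keys) are shown below as an added, stand-alone example. It is not code from aws-sdk-java-v2 and is written in Python rather than Java so it can be run directly; the class and function names (SsoResolution, resolve, token_cache_file) and the sample config file are constructed for this illustration. The token-cache naming it shows (SHA-1 of the sso-session name for session-based profiles, SHA-1 of the start URL for legacy profiles) is the documented ~/.aws/sso/cache convention, included because the spec text requires the token to be reloaded from that cache on every credential resolution rather than held in memory.

```python
"""Resolve an AWS shared-config profile to the inputs an SSO credential
provider needs. Added example; not the AWS SDK's own code."""
from __future__ import annotations

import configparser
import hashlib
from dataclasses import dataclass

# Constructed sample ~/.aws/config: the sso-session profile from the PR,
# a legacy-format SSO profile, a static-key profile and a profile whose
# sso_session points at a section that does not exist.
SAMPLE_CONFIG = """
[profile sso-profile]
sso_session = dev
sso_account_id = 012345678901
sso_role_name = SampleRole

[sso-session dev]
sso_region = us-east-1
sso_start_url = https://d-abc123.awsapps.com/start

[profile legacy]
sso_start_url = https://d-abc123.awsapps.com/start
sso_region = us-west-2
sso_account_id = 012345678901
sso_role_name = LegacyRole

[profile static]
aws_access_key_id = AKIAEXAMPLE
aws_secret_access_key = example

[profile dangling]
sso_session = missing
sso_account_id = 012345678901
sso_role_name = SampleRole
"""


@dataclass(frozen=True)
class SsoResolution:
    token_provider: str   # "SsoOidcTokenProvider" or "SsoAccessTokenProvider"
    sso_region: str       # region the SSO data-plane client MUST be built with
    sso_start_url: str
    sso_account_id: str
    sso_role_name: str
    cache_key: str        # what the token cache file name is derived from


def load_config(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def is_sso_profile(section: configparser.SectionProxy) -> bool:
    # Spec: either key present means the SSO credential provider owns it.
    return "sso_account_id" in section or "sso_role_name" in section


def resolve(cp: configparser.ConfigParser, profile: str) -> SsoResolution | None:
    # The default profile is "[default]", every other one is "[profile name]".
    section = "default" if profile == "default" else f"profile {profile}"
    if section not in cp:
        raise KeyError(f"profile {profile!r} not found")
    prof = cp[section]
    if not is_sso_profile(prof):
        return None  # some other credential provider resolves this profile
    missing = [k for k in ("sso_account_id", "sso_role_name") if k not in prof]
    if missing:
        raise ValueError(f"profile {profile!r} is missing {missing}")

    if "sso_session" in prof:
        # sso-session format: region and start URL live in the session section;
        # the token comes from the OIDC token provider (SsoOidcTokenProvider).
        session = prof["sso_session"]
        sess_section = f"sso-session {session}"
        if sess_section not in cp:
            raise ValueError(f"profile {profile!r} references unknown {sess_section!r}")
        sess = cp[sess_section]
        region, start_url = sess["sso_region"], sess["sso_start_url"]
        provider, cache_key = "SsoOidcTokenProvider", session
    else:
        # Legacy format: everything is in the profile itself and the token is
        # the cached access token (SsoAccessTokenProvider).
        region, start_url = prof["sso_region"], prof["sso_start_url"]
        provider, cache_key = "SsoAccessTokenProvider", start_url

    return SsoResolution(provider, region, start_url,
                         prof["sso_account_id"], prof["sso_role_name"], cache_key)


def token_cache_file(res: SsoResolution) -> str:
    # Re-read this file on every credential resolution; never cache the token
    # in memory (spec: "every attempt to resolve credentials MUST result in
    # reloading the token").
    return hashlib.sha1(res.cache_key.encode("utf-8")).hexdigest() + ".json"


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for name in ("sso-profile", "legacy", "static"):
        res = resolve(cfg, name)
        print(name, "->", res and (res.token_provider, res.sso_region, token_cache_file(res)))
```

Running the block prints which token provider and SSO region each constructed profile resolves to; the "dangling" profile is left out of the loop because it raises, which is the behaviour a practitioner wants when a profile names an sso-session that is not defined.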

@joviegas joviegas requested a review from a team as a code owner November 2, 2022 05:13
@joviegas joviegas force-pushed the joviegas/sso_cred_with branch 2 times, most recently from 03daff3 to bb973b7 on November 2, 2022 15:44
.changes/next-release/feature-AWSSDKforJavav2-532ae2a.json (review thread: outdated, resolved)
pom.xml Outdated
@@ -577,7 +577,7 @@
<includeModules>
<includeModule>annotations</includeModule>
<includeModule>arns</includeModule>
<includeModule>auth</includeModule>
<!-- <includeModule>auth</includeModule>-->
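Review bot: Commenting out <includeModule>auth</includeModule> in the includeModules list at pom.xml line 577 leaves a dead XML comment with no explanation of why the auth module is being dropped or when it is meant to come back, which is exactly how a temporary exclusion becomes permanent. Either narrow it to the specific class that is failing (an excludes entry for that class) so the rest of auth stays covered, or, if the whole-module exclusion really is needed for this PR, replace the bare commented-out line with a comment stating the reason and a tracking reference so the revert is not forgotten.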
Contributor commented:

Instead of excluding the whole module, should we add the offending class to the excludes list to reduce the blast radius in case we forget to revert this?

sonarcloud bot commented Nov 4, 2022

SonarCloud Quality Gate failed.

  • Bugs: 0 (A)
  • Vulnerabilities: 0 (A)
  • Security Hotspots: 0 (A)
  • Code Smells: 5 (A)
  • Coverage: 59.9%
  • Duplication: 0.0%

@joviegas joviegas enabled auto-merge (squash) November 7, 2022 17:30
@joviegas joviegas enabled auto-merge (squash) November 7, 2022 17:33
@joviegas joviegas merged commit b74ce8e into master Nov 7, 2022
@joviegas joviegas deleted the joviegas/sso_cred_with branch December 20, 2022 00:38