
Conversation

@aajtodd
Contributor

@aajtodd aajtodd commented Dec 8, 2021

Issue #

#252

Description of changes

  • Adds a projection to aws-config to embed a custom SSO service (trimmed down with only the required operation to implement the provider)
  • Implements a standalone SSO credentials provider (based on the generated/embedded service client)
  • Refactor CachedCredentialsProvider to be implemented in Kotlin
    • Existing issues would prevent the caching provider from working with a pure Kotlin credentials provider and without it users are going to hit the disk every time the provider is asked for credentials (as required by spec).

IMPORTANT: This provider is NOT yet integrated into the default chain or the profile provider. You must instantiate it directly to use it. See #461

e.g.

// Imports assume the aws-config / service-client package layout at the time of this PR
import aws.sdk.kotlin.runtime.auth.credentials.CachedCredentialsProvider
import aws.sdk.kotlin.runtime.auth.credentials.SsoCredentialsProvider
import aws.sdk.kotlin.services.s3.S3Client
import kotlinx.coroutines.runBlocking

fun main(): Unit = runBlocking {
    // Standalone SSO provider: exchanges the SSO access token cached by `aws sso login`
    // for temporary role credentials in the given account (not yet in the default chain)
    val ssoProvider = SsoCredentialsProvider(
        accountId = "<your-account-id>",
        roleName = "<your-role-to-assume>",
        startUrl = "<your-portal-start-url>",
        ssoRegion = "<region-sso-is-hosted-in>"
    )
    // Wrap it so resolved credentials are reused until near expiry instead of
    // hitting the on-disk token cache and the SSO service on every request
    val provider = CachedCredentialsProvider(ssoProvider)
    S3Client {
        region = "us-east-2"
        credentialsProvider = provider
    }.use { client ->
        println("buckets:")
        client.listBuckets { }.buckets?.forEach {
            println("$it")
        }
    }
}

Tested by setting up SSO per the directions, using the CLI to configure/initiate the login flow, and testing against STS GetCallerIdentity.
* NOTE: The AWS SSO service can act as an identity provider so there is no need to set up an external one. Just turn on AWS Organizations, enable SSO, add a user, and it should be usable.

// Imports assume the aws-config / service-client package layout at the time of this PR
import aws.sdk.kotlin.runtime.auth.credentials.CachedCredentialsProvider
import aws.sdk.kotlin.runtime.auth.credentials.SsoCredentialsProvider
import aws.sdk.kotlin.services.sts.StsClient
import kotlinx.coroutines.runBlocking

fun main(): Unit = runBlocking {
    // Same SSO provider as above; requires a prior `aws sso login` for this start URL
    val ssoProvider = SsoCredentialsProvider(
        accountId = "<your-account-id>",
        roleName = "<your-role-to-assume>",
        startUrl = "<your-portal-start-url>",
        ssoRegion = "<region-sso-is-hosted-in>"
    )
    val provider = CachedCredentialsProvider(ssoProvider)
    StsClient {
        region = "us-east-2"
        credentialsProvider = provider
    }.use { client ->
        // GetCallerIdentity needs no permissions, so it is a clean check that the
        // resolved credentials belong to the expected account and SSO role
        val resp = client.getCallerIdentity {}

        println("Account: ${resp.account}")
        println("UserID: ${resp.userId}")
        println("ARN: ${resp.arn}")
    }
}

Should see the SSO role and user in the output.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
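The following is an added example, not code from this PR or the SDK, showing the two mechanisms the description relies on: the SSO provider's per-call lookup of the token cache that `aws sso login` writes (file named by the hex SHA-1 of the start URL under `~/.aws/sso/cache/`, with `accessToken`, `expiresAt`, `region` and `startUrl` fields, as in the AWS SSO credential provider spec), and a caching wrapper that re-resolves only when the credentials are near expiry. The class and parameter names, the constructed token file, and the fake `get_role_credentials` callable standing in for the `sso:GetRoleCredentials` network call are assumptions made for the illustration.

```python
"""Added example (not the SDK's code): SSO token-cache lookup plus a caching wrapper.
Names, the temp cache directory and the fake GetRoleCredentials call are assumptions."""
import hashlib
import json
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Callable, Optional


class SsoTokenError(Exception):
    pass


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


def token_cache_path(start_url: str, cache_dir: Path) -> Path:
    """Cache file is <cache_dir>/<hex sha1 of start URL>.json, as written by `aws sso login`."""
    return cache_dir / (hashlib.sha1(start_url.encode("utf-8")).hexdigest() + ".json")


def load_sso_token(start_url: str, cache_dir: Path, now: datetime) -> dict:
    """Read and validate the cached SSO token. Reads the file on every call (per spec)."""
    path = token_cache_path(start_url, cache_dir)
    if not path.is_file():
        raise SsoTokenError("no cached SSO token for this start URL; run `aws sso login`")
    token = json.loads(path.read_text(encoding="utf-8"))
    missing = [k for k in ("accessToken", "expiresAt", "region", "startUrl") if k not in token]
    if missing:
        raise SsoTokenError(f"malformed SSO token cache, missing {missing}")
    # expiresAt is ISO 8601 UTC with a trailing Z (assumed format)
    expires_at = datetime.fromisoformat(token["expiresAt"].replace("Z", "+00:00"))
    if expires_at <= now:
        raise SsoTokenError("cached SSO token has expired; run `aws sso login`")
    return token


class SsoCredentialsProvider:
    def __init__(self, account_id: str, role_name: str, start_url: str, sso_region: str,
                 cache_dir: Path, get_role_credentials: Callable[..., Credentials],
                 clock: Callable[[], datetime]):
        self.account_id, self.role_name, self.start_url = account_id, role_name, start_url
        self.sso_region, self.cache_dir, self.clock = sso_region, cache_dir, clock
        self.get_role_credentials = get_role_credentials  # stands in for sso:GetRoleCredentials

    def resolve(self) -> Credentials:
        token = load_sso_token(self.start_url, self.cache_dir, self.clock())
        return self.get_role_credentials(self.sso_region, token["accessToken"],
                                         self.account_id, self.role_name)


class CachedCredentialsProvider:
    """Reuse the last credentials until they are within refresh_buffer of expiry."""
    def __init__(self, inner, clock: Callable[[], datetime],
                 refresh_buffer: timedelta = timedelta(minutes=10)):
        self.inner, self.clock, self.refresh_buffer = inner, clock, refresh_buffer
        self._cached: Optional[Credentials] = None

    def resolve(self) -> Credentials:
        now = self.clock()
        if self._cached is None or self._cached.expiration - self.refresh_buffer <= now:
            self._cached = self.inner.resolve()  # only here do we touch disk and the network
        return self._cached


def demo() -> dict:
    """Run the flow against a constructed token cache and a fake GetRoleCredentials."""
    start_url = "https://example.awsapps.com/start"  # constructed portal URL
    t0 = datetime(2021, 12, 8, 12, 0, tzinfo=timezone.utc)
    state = {"now": t0, "calls": 0}

    def fake_get_role_credentials(region, access_token, account_id, role_name):
        state["calls"] += 1
        return Credentials("AKIAEXAMPLE", "constructed-secret", f"tok-{state['calls']}",
                           state["now"] + timedelta(hours=1))

    with tempfile.TemporaryDirectory() as d:
        cache_dir = Path(d)
        token_cache_path(start_url, cache_dir).write_text(json.dumps({
            "accessToken": "constructed-sso-access-token",
            "expiresAt": (t0 + timedelta(hours=8)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "region": "us-east-1", "startUrl": start_url}), encoding="utf-8")
        sso = SsoCredentialsProvider("123456789012", "ReadOnly", start_url, "us-east-1",
                                     cache_dir, fake_get_role_credentials, lambda: state["now"])
        cached = CachedCredentialsProvider(sso, lambda: state["now"])
        first, second = cached.resolve(), cached.resolve()   # second is served from cache
        state["now"] = t0 + timedelta(minutes=55)            # inside the refresh buffer
        third = cached.resolve()                             # re-resolved, new session token
        state["now"] = t0 + timedelta(hours=9)               # SSO token itself is now expired
        try:
            cached.resolve()
            expired_error = None
        except SsoTokenError as e:
            expired_error = str(e)
    return {"calls": state["calls"], "same_object": first is second,
            "refreshed_token": third.session_token, "expired_error": expired_error}


if __name__ == "__main__":
    print(demo())
```

The point the caching wrapper makes is the one in the description: without it every credential request re-reads the token file and calls the SSO service, while with it the disk and network are touched only at startup and when the credentials approach expiry. Note that an expired SSO token surfaces as an error the caller must act on by re-running the login flow; the provider cannot silently renew it.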

@github-actions

github-actions bot commented Dec 8, 2021

A new generated diff is ready to view: __generated-main...__generated-feat-sso-provider

@aajtodd aajtodd changed the base branch from main to feat-cred-providers December 10, 2021 19:18
@github-actions

A new generated diff is ready to view: __generated-main...__generated-feat-sso-provider

@sonarqubecloud

SonarCloud Quality Gate failed.

Bugs: 0 (A)
Vulnerabilities: 0 (A)
Security Hotspots: 0 (A)
Code Smells: 3 (A)
Coverage: no coverage information
Duplication: 14.4%

@aajtodd aajtodd merged commit 864b3e8 into feat-cred-providers Dec 10, 2021
aajtodd added a commit that referenced this pull request Feb 17, 2022
…ible (#469)

Refactor credential providers to remove CRT dependency and make them KMP compatible. Added SSO provider to default chain. Lots of misc cleanup and improvements.


* feat(rt): standalone sso credentials provider (#462)
* refactor(rt)!: generated sts and sts web identity credential providers (#470)
* refactor(rt)!: implement kmp ecs provider (#475)
* feat(rt)!: implement kmp profile credentials provider (#478)
* feat(rt)!: kmp default credentials provider chain (#491)
* fix: work around machine-specific Gradle bug with aws-config variants (#496)
* fix: credentials provider ownership (#498)

Co-authored-by: Ian Botsford <83236726+ianbotsf@users.noreply.github.com>
@aajtodd aajtodd deleted the feat-sso-provider branch February 17, 2022 15:09