fix(auth): enable AWS SDK SSO credential resolver #87
Merged
bryantbiggs merged 1 commit into main from May 5, 2026
Profile-based credentials backed by AWS IAM Identity Center (SSO) failed with "ProfileFile provider could not be built: This behavior requires following cargo feature(s) enabled: sso." Enable the sso feature on aws-config so the profile resolver can drive the SSO/SSO-OIDC flow against the cached OIDC token under ~/.aws/sso/cache/.

aws-sdk-sso pulls sha1 0.10 (RustCrypto v0.10 era) for cache-filename hashing while chacha20/google-cloud-auth already pull v0.11; the four new skip entries in deny.toml mirror the existing pattern.

Binary grows ~365 KB (+4.8%, 7.28 MB to 7.63 MB) thanks to LTO+strip.

Closes #84
Summary

- sso Cargo feature on aws-config so AWS SSO profiles in ~/.aws/config resolve correctly via the SDK profile chain.
- multiple-versions skips to deny.toml for the RustCrypto v0.10-era duplicates (block-buffer, cpufeatures, crypto-common, digest) pulled in transitively by aws-sdk-sso's sha1 = "0.10" dep.

Closes #84.

Why

aws-config gates SSO credential resolution behind a Cargo feature; without it the profile resolver returns "ProfileFile provider could not be built: This behavior requires following cargo feature(s) enabled: sso." The user-reported failure was an AWS_PROFILE referencing an SSO session, hitting exactly this path.

No code changes — the SDK profile resolver picks up SSO automatically once the feature is compiled in. Users still run aws sso login (or equivalent) to populate the OIDC token cache; ocync only consumes the cache.

Cost evaluation

aws-sdk-sso, aws-sdk-ssooidc, sha1, block-buffer, cpufeatures, crypto-common, digest, generic-array, version_check

Small delta thanks to release profile (lto = true, strip = true, codegen-units = 1) — most unreached SDK operations strip out, and the smithy runtime is shared with existing aws-sdk-ecr/aws-sdk-sts.

GitHub HEAD of awslabs/aws-sdk-rust (sha ed385962) and smithy-lang/smithy-rs were both checked — both still pin sha1 = "0.10". No open issue requesting a bump. Pinning to a newer SHA does not avoid the duplicates; the deny.toml skips are the right answer (matches the existing 6-entry pattern).

Test plan

- cargo fmt --check
- cargo clippy --workspace --all-targets -- -D warnings
- cargo test (276 passed, 1 ignored)
- cargo deny check (advisories ok, bans ok, licenses ok, sources ok)
- npm run --prefix docs build
- chain=ProfileChain { base: Sso { ... } } log line is the exact code path now enabled)
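The token cache that the description says is only consumed, as an added example that is not part of this pull request or of ocync's code: a Python preflight that locates the cached SSO token for a session and reports whether it is missing, expired, or readable by other users. It assumes the AWS CLI layout, where the file name under ~/.aws/sso/cache/ is the SHA-1 hex of the sso-session name (or of the start URL for a legacy profile); the function names and sample values are constructed.

```python
import hashlib, json, os, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def cache_path(identifier, home):
    """identifier: the sso-session name, or sso_start_url for a legacy profile (assumed layout)."""
    digest = hashlib.sha1(identifier.encode("utf-8")).hexdigest()
    return Path(home) / ".aws" / "sso" / "cache" / (digest + ".json")

def check_token(identifier, home, now=None):
    """Return a list of problems with the cached token; an empty list means usable."""
    now = now or datetime.now(timezone.utc)
    path = cache_path(identifier, home)
    if not path.is_file():
        return ["no cached token: run `aws sso login` first"]
    problems = []
    # The file holds a bearer token, so only the owner should be able to read it.
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        problems.append("token file is accessible to group or others")
    try:
        doc = json.loads(path.read_text())
        # Both "...Z" and "...UTC" suffixes are accepted here (assumption about writers).
        raw = doc["expiresAt"].replace("UTC", "+00:00").replace("Z", "+00:00")
        expires = datetime.fromisoformat(raw)
    except (ValueError, KeyError, TypeError, AttributeError) as err:
        return problems + ["unreadable cache entry: %r" % (err,)]
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    if not doc.get("accessToken"):
        problems.append("cache entry has no accessToken")
    if expires <= now:
        problems.append("token expired at " + expires.isoformat())
    return problems

def demo():
    """Build a constructed cache in a temp HOME and check three session names."""
    home = Path(tempfile.mkdtemp())
    now = datetime(2026, 5, 5, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    samples = [("fresh", "2026-05-05T13:00:00Z", 0o600),
               ("stale", "2026-05-05T11:00:00UTC", 0o644)]
    for name, expires_at, mode in samples:
        path = cache_path(name, home)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps({"accessToken": "CONSTRUCTED", "expiresAt": expires_at}))
        os.chmod(path, mode)
    return {n: check_token(n, home, now) for n in ("fresh", "stale", "absent")}

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```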