Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for refreshable AWS SSO tokens #616

Merged
merged 3 commits into from Mar 5, 2024
Merged

Add support for refreshable AWS SSO tokens #616

merged 3 commits into from Mar 5, 2024

Conversation

chrnorm
Copy link
Contributor

@chrnorm chrnorm commented Mar 1, 2024
edited

What changed?

This PR adds opt-in support for the new IAM Identity Center refreshable token login flow. You can opt-in to using refreshable tokens by configuring your AWS profiles to include granted_sso_registration_scopes as follows:

[profile example]
granted_sso_account_id = 123456789012
granted_sso_role_name = AWSAdministratorAccess
+ granted_sso_registration_scopes = sso:account:access
granted_sso_start_url = https://commonfate.awsapps.com/start
granted_sso_region = ap-southeast-2
credential_process         = granted credential-process --profile example

At the moment, support for SSO registration scopes has been implemented only for profiles using the Granted Credential Process configuration.

Some background here; the native AWS CLI way of configuring this is by using the sso-session entry as follows:

[profile AWSAdministratorAccess-123456789012]
sso_session = commonfate
sso_account_id = 123456789012
sso_role_name = AWSAdministratorAccess
region = ap-southeast-2

[sso-session commonfate]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

I would like Granted to support this configuration too, however the AWS v2 Go SDK does not yet support reading sso_registration_scopes. So the initial implementation here just uses granted_sso_registration_scopes.

In future it's likely we'll make the refreshable token flow the default, but for now this behaviour is opt-in.

Additionally, this PR tidies up some of our AWS SSO login flow code. In the Granted codebase the cfaws package has grown to be quite large. I've moved the SSO login flow code out of this package into a new idclogin package.

Why?

Fixes #615.

How did you test it?

Tested and verified on MacOS by manually logging in a few times to verify the functionality was correct. I tested the refresh flow by manipulating the Expiry value of the token inside my keychain.

I also tested the case where the refresh token is invalid, by overriding the refreshToken value inside my keychain and overriding the Expiry to force a refresh. The behaviour here is that an error is logged to stderr and the user is prompted to reauthenticate, which is what we want.

Given that no platform-specific keychain functionality has been modified I expect this to work across other OSes too.

Potential risks

  • May impact SSO login flow

chrnorm
chrnorm commented Mar 1, 2024
View reviewed changes
go.mod Outdated
@@ -18,9 +18,11 @@ require (
)

require (
github.com/alessio/shellescape v1.4.2
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ran go mod tidy and cleaned up go.mod and go.sum

chrnorm
chrnorm commented Mar 1, 2024
View reviewed changes
pkg/securestorage/sso_token_storage.go
}

// Attempts to store the token, any errors will be logged to debug logging
func (s *SSOTokensSecureStorage) StoreSSOToken(profileKey string, ssoTokenValue SSOToken) {
err := s.SecureStorage.Store(profileKey, ssoTokenValue)
if err != nil {
clio.Debugf("%s\n", errors.Wrap(err, "writing sso token to credentials cache").Error())
clio.Debugf("writing sso token to credentials cache: %s", err.Error())
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've fixed the syntax up here - the previous syntax was difficult to read

@shwethaumashanker shwethaumashanker merged commit 3ae786e into main Mar 5, 2024
3 checks passed
@shwethaumashanker shwethaumashanker deleted the refreshable-aws-sso-tokens branch March 5, 2024 20:33
@chrnorm chrnorm mentioned this pull request Mar 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shwethaumashanker shwethaumashanker shwethaumashanker approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support refreshable AWS SSO sessions
2 participants
@chrnorm @shwethaumashanker