A Clojure library which adds support for AWS SSO to amazonica.
This is done by shimming software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider from the AWS SDK V2 (which understands SSO profiles) to com.amazonaws.auth.AWSCredentialsProvider, the SDK V1 interface that amazonica expects.
This approach was taken from this GitHub issue response: aws/aws-sdk-java#803 (comment).
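To show what that shim amounts to, here is an added example of the same idea in a hypothetical namespace; it is not the library's own code. It assumes the software.amazon.awssdk:sso artifact is on the classpath (the V2 ProfileCredentialsProvider needs it to resolve SSO profiles), that you have already run aws sso login for the profile, and that amazonica.core/with-credential accepts a credentials provider object (check this against your amazonica version).

```clojure
(ns example.sso-shim
  ;; Hypothetical namespace for this added example; not part of amazonica-aws-sso.
  (:require [amazonica.core :as amazonica]
            [amazonica.aws.securitytoken :as sts])
  (:import [software.amazon.awssdk.auth.credentials
            ProfileCredentialsProvider AwsSessionCredentials]
           [com.amazonaws.auth
            AWSCredentialsProvider BasicAWSCredentials BasicSessionCredentials]))

(defn v2->v1-credentials
  "Copy a resolved SDK V2 AwsCredentials value into the SDK V1 AWSCredentials type.
   SSO always yields session credentials, so the session token must be carried
   across; the plain branch only exists so the shim also works for static profiles."
  [creds]
  (if (instance? AwsSessionCredentials creds)
    (BasicSessionCredentials. (.accessKeyId creds)
                              (.secretAccessKey creds)
                              (.sessionToken creds))
    (BasicAWSCredentials. (.accessKeyId creds)
                          (.secretAccessKey creds))))

(defn sso-credentials-provider
  "Build a V1 AWSCredentialsProvider backed by the V2 ProfileCredentialsProvider.
   With no argument the V2 provider picks the profile from AWS_PROFILE (or default).
   Resolving an SSO profile needs software.amazon.awssdk:sso on the classpath and
   a valid cached login under ~/.aws/sso/cache (run `aws sso login` first)."
  ([] (sso-credentials-provider nil))
  ([profile-name]
   (let [v2 (if profile-name
              (ProfileCredentialsProvider/create ^String profile-name)
              (ProfileCredentialsProvider/create))]
     (reify AWSCredentialsProvider
       ;; Delegate on every call instead of caching here: the V2 provider already
       ;; caches and refreshes the short-lived SSO session credentials, so a copy
       ;; held on this side would go stale.
       (getCredentials [_]
         (v2->v1-credentials (.resolveCredentials v2)))
       ;; V1 clients call refresh after an auth failure; the V2 side refreshes on
       ;; its own, so there is nothing to do.
       (refresh [_] nil)))))

(comment
  ;; Usage, assuming amazonica.core/with-credential accepts a provider object.
  (amazonica/with-credential (sso-credentials-provider "test-sso")
    (sts/get-caller-identity)))
```

Because every getCredentials call goes through the V2 provider, expiry of the SSO session surfaces as an exception from resolveCredentials rather than as silently reused stale keys; re-running aws sso login is the fix.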
Add the library to your project from Clojars:
[com.signal-ai/amazonica-aws-sso "<version>"]
The library requires amazonica to be available to your project.
(require '[signal.amazonica-aws-sso :as amazonica-aws-sso]
'[amazonica.aws.securitytoken :as sts])
;; Use SSO credentials for a single call
(amazonica-aws-sso/with-sso-credential
(sts/get-caller-identity))
;; Use SSO credentials for all subsequent calls
(amazonica-aws-sso/init!)
(sts/get-caller-identity)
;; Reset amazonica to use its default AWS credentials provider
(amazonica-aws-sso/reset!)
Amazonica's Kinesis worker (amazonica.aws.kinesis/worker) does not currently use its normal credentials resolution (mcohen01/amazonica#471 (comment)).
As such, you need to explicitly pass in a credentials provider for it to work with SSO profiles:
(require '[signal.amazonica-aws-sso :as amazonica-aws-sso]
'[amazonica.aws.kinesis :as kinesis])
(kinesis/worker :credentials (amazonica-aws-sso/default-credentials-provider))
This is a pain to test on CI as it requires an AWS Profile to be set up using SSO, and no other providers in the AWS credentials provider chain to be configured. As such, it's recommended to just test locally.
make test
This assumes you have a valid AWS credentials profile set up using SSO, e.g. in ~/.aws/config:
[profile test-sso]
sso_start_url = ...
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
sso_account_id = ...
sso_role_name = ...
region = eu-west-1
[profile test-sso.Access]
sso_start_url = ...
sso_region = eu-west-1
sso_account_name = test-sso
sso_account_id = ...
sso_role_name = ...
region = eu-west-1
credential_process = aws-sso-util credential-process --profile test-sso.Access
sso_auto_populated = true
At Signal you can use the signal-prod profile for this; otherwise set one up and run AWS_PROFILE=test-sso lein test.
Tests are only configured to use sts/get-caller-identity, which is a non-mutating API call.
Push to main to publish a new version.