-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Multiple Identity Center / SSO Session support #169
Comments
Hi there @joshrivers. Thanks for opening this issue, and deep sorry for the late reply. Your feature request makes totally sense to me.
I wanted to have go-aws-sso to be independent of any 3rd party application (especially the
It is!
That would be fine for me, so go-aws-sso could act as a drop-in replacement and can leverage existing config. Happy to hear your thoughts on that! |
Exactly why I love it, too.
Excellent. I haven't done a thorough analysis yet, because I didn't want to presume that I could take the tool in a different direction without asking and I didn't want to do throwaway work. What I'm thinking of doing:
I think I have some additional small features and/or bugfixes in my notes. I guess we should decide if a bigger refactor/feature MR is a good thing, or if I should do some more work to layer the above into multiple MRs so that too much doesn't change at once. I expect that I'll have solid testing, so I don't expect breakage, but I can put in the extra effort if you'd rather have several phases of review rather than a single bigger MR. |
First: Thanks for sticking around and investing so much time!
2.a) see b)
PR size: You decide. I can handle both. A bigger one may take a bit longer (with discussions etc.) - but would be easier for you. Thanks! |
Hey @theurichde, I wanted to give you an update. I had gotten a day or two into my refactor and was looking up some API details when I tripped over aws-sso-cli. I was excited for a few minutes, thinking I'd be able to grab some implementation details and hints from their implementation...then I was sad, because it looks like that project has implemented just about every feature and enhancement that I was looking to add to go-aws-sso. I was enjoying doing the code work, but for now I think I'm going to use the synfinatic CLI to solve my SSO needs rather than work up a redundant implementation. Thanks for the invitation to contribute. |
I found |
Is your feature request related to a problem? Please describe.
I have a situation where I need to manage separate AWS Identity Center connections independently (and potentially simultaneously). Currently
go-aws-sso
cannot hanle more than one login at a time, as the Identity Center/SSO tokens get stored in a single file with a hard-coded path.Describe the solution you'd like
I would like the tool to be able to manage separate access token files for separate SSO sessions.
Describe alternatives you've considered
I have a proof-of-concept hack which provides an optional CLI flag to override the default access-token.js path. This solves for my basic use case, but aligning token file storage with credentials profiles manually. At the minimum, the profile probably needs to be written with the flag/path when the tool writes it to the file. This is probably the quickest way to add the functionality, but may be a bit awkward to explain, document, and use (and it requires semi-manual management of the token file names).
I started looking at the awscli
[sso-session]
configurations typically stored in.aws/config
. I wonder if it would make sense to leverage those, rather than directly having the user decide on access token file path names. The CLI flag could then be based on the session name, rather than the cache file location. Conceivably, using the sso-session config could supplement, override, or replace thego-aws-sso/config.yml
file.This leads to a second thought about researching whether we could use/share the
.aws/sso/cache
files that are generated byaws sso login
. At a glance it just looks like there are minor marshalling differences and the file name is based on a hash of the session name and start url, but there may have been Good Reasons why this tool was designed to ignore those files?Additional context
Is it worthwhile to honor the
AWS_CONFIG_FILE
andAWS_SHARED_CREDENTIALS_FILE
environment variables? This isn't directly relevant to solving my issue, but I could imagine scenarios where overriding the location for these files would allow the tool to be used in multiple contexts.I'm willing to put some time into implementation, and I have some further thoughts and discussion on implementation details, but I want to make sure the scope of this functionality is desirable in the tool before getting too far into the weeds.
The text was updated successfully, but these errors were encountered: