config: Enable SSO provider to be mixed with other credential providers (#1255)
skmcgrail authored May 18, 2021
1 parent 4a50e35 commit 6bd58e4
Showing 15 changed files with 354 additions and 68 deletions.
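--- /dev/null
+++ b/.changelog/016af652b95e472f960ded9a2e976e11.json
@@ -0,0 +1,8 @@
+{
+"id": "016af652-b95e-472f-960d-ed9a2e976e11",
+"type": "bugfix",
+"description": "`internal/ini`: Disable normalization of config profile names",
+"modules": [
+"."
+]
+}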
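--- /dev/null
+++ b/.changelog/9eda03d68f1849a981362947a1a2941f.json
@@ -0,0 +1,8 @@
+{
+"id": "9eda03d6-8f18-49a9-8136-2947a1a2941f",
+"type": "feature",
+"description": "SSO credentials can now be defined alongside other credential providers within the same configuration profile.",
+"modules": [
+"config"
+]
+}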
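--- /dev/null
+++ b/.changelog/f2c891806ed64485bdbee78723db3a88.json
@@ -0,0 +1,8 @@
+{
+"id": "f2c89180-6ed6-4485-bdbe-e78723db3a88",
+"type": "bugfix",
+"description": "Fixed a bug that caused configuration profile names to be incorrectly normalized, which could cause incorrect profile loading in certain cases. ([#1204](https://github.com/aws/aws-sdk-go-v2/issues/1204))",
+"modules": [
+"config"
+]
+}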
16 changes: 8 additions & 8 deletions config/resolve_credentials.go
Expand Up @@ -123,21 +123,21 @@ func resolveCredsFromProfile(ctx context.Context, cfg *aws.Config, envConfig *En
Value: sharedConfig.Credentials,
}

case sharedConfig.hasSSOConfiguration():
err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs)

case len(sharedConfig.CredentialProcess) != 0:
// Get credentials from CredentialProcess
err = processCredentials(ctx, cfg, sharedConfig, configs)

case len(sharedConfig.CredentialSource) != 0:
err = resolveCredsFromSource(ctx, cfg, envConfig, sharedConfig, configs)

case len(sharedConfig.WebIdentityTokenFile) != 0:
// Credentials from Assume Web Identity token require an IAM Role, and
// that roll will be assumed. May be wrapped with another assume role
// via SourceProfile.
err = assumeWebIdentity(ctx, cfg, sharedConfig.WebIdentityTokenFile, sharedConfig.RoleARN, sharedConfig.RoleSessionName, configs)
return assumeWebIdentity(ctx, cfg, sharedConfig.WebIdentityTokenFile, sharedConfig.RoleARN, sharedConfig.RoleSessionName, configs)

case sharedConfig.hasSSOConfiguration():
err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs)

case len(sharedConfig.CredentialProcess) != 0:
// Get credentials from CredentialProcess
err = processCredentials(ctx, cfg, sharedConfig, configs)

case len(envConfig.ContainerCredentialsEndpoint) != 0:
err = resolveLocalHTTPCredProvider(ctx, cfg, envConfig.ContainerCredentialsEndpoint, envConfig.ContainerAuthorizationToken, configs)
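Review bot: The case order in this switch now encodes a precedence between credential types that may coexist in one profile, and nothing in the hunk states it: with `validateCredentialType` no longer rejecting SSO settings next to other types (see the shared_config.go hunk in this commit), a profile that carries both a web identity token and SSO fields silently resolves through web identity. A comment above the `WebIdentityTokenFile` case such as `// Case order is precedence: a profile defining several credential types resolves through the first matching case (web identity, SSO, credential process, container endpoint).` would make that visible to the next maintainer. The web identity case also returns directly while every other case assigns `err`, so whatever follows the switch is skipped on that path; if that is deliberate (the `RoleARN` is already assumed inside `assumeWebIdentity`), say so in the same comment. `resolveCredsFromProfile` begins before this hunk and ends after it.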
50 changes: 45 additions & 5 deletions config/resolve_credentials_test.go
Expand Up @@ -19,6 +19,7 @@ import (
"github.com/aws/aws-sdk-go-v2/service/sso"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/aws/smithy-go/middleware"
smithytime "github.com/aws/smithy-go/time"
)

func swapECSContainerURI(path string) func() {
Expand Down Expand Up @@ -61,11 +62,29 @@ func setupCredentialsEndpoints(t *testing.T) (aws.EndpointResolver, func()) {

stsServer := httptest.NewServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte(fmt.Sprintf(
assumeRoleRespMsg,
time.Now().
Add(15*time.Minute).
Format("2006-01-02T15:04:05Z"))))
if err := r.ParseForm(); err != nil {
w.WriteHeader(500)
return
}

form := r.Form

switch form.Get("Action") {
case "AssumeRole":
w.Write([]byte(fmt.Sprintf(
assumeRoleRespMsg,
smithytime.FormatDateTime(time.Now().
Add(15*time.Minute)))))
return
case "AssumeRoleWithWebIdentity":
w.Write([]byte(fmt.Sprintf(assumeRoleWithWebIdentityResponse,
smithytime.FormatDateTime(time.Now().
Add(15*time.Minute)))))
return
default:
w.WriteHeader(404)
return
}
}))

ssoServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Expand Down Expand Up @@ -310,6 +329,27 @@ func TestSharedConfigCredentialSource(t *testing.T) {
return func() {}, nil
},
},
"sso mixed with credential process provider": {
envProfile: "sso_mixed_credproc",
expectedAccessKey: "SSO_AKID",
expectedSecretKey: "SSO_SECRET_KEY",
expectedSessionToken: "SSO_SESSION_TOKEN",
init: func() (func(), error) {
return ssoTestSetup()
},
},
"sso mixed with web identity token provider": {
envProfile: "sso_mixed_webident",
expectedAccessKey: "WEB_IDENTITY_AKID",
expectedSecretKey: "WEB_IDENTITY_SECRET",
expectedSessionToken: "WEB_IDENTITY_SESSION_TOKEN",
},
"web identity": {
envProfile: "webident",
expectedAccessKey: "WEB_IDENTITY_AKID",
expectedSecretKey: "WEB_IDENTITY_SECRET",
expectedSessionToken: "WEB_IDENTITY_SESSION_TOKEN",
},
}

for name, c := range cases {
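Review bot: In the `stsServer` handler of `setupCredentialsEndpoints`, the bare status codes `w.WriteHeader(500)` and `w.WriteHeader(404)` should be the named constants `http.StatusInternalServerError` and `http.StatusNotFound`, which this file already has in scope through `net/http`. The `default` branch also sends no body, so a test that reaches it fails with an opaque 404 and no hint of which `Action` was unrecognised; `fmt.Fprintf(w, "unexpected action %q", form.Get("Action"))` after the `WriteHeader` call would make such a failure self-describing. The unchecked `w.Write` return values are acceptable in a test server. `setupCredentialsEndpoints` begins before this hunk and ends after it.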
8 changes: 4 additions & 4 deletions config/shared_config.go
Expand Up @@ -320,9 +320,6 @@ func LoadSharedConfigProfile(ctx context.Context, profile string, optFns ...func
return SharedConfig{}, err
}

// profile should be lower-cased to standardize
profile = strings.ToLower(profile)

cfg := SharedConfig{}
profiles := map[string]struct{}{}
if err = cfg.setFromIniSections(profiles, profile, configSections, option.Logger); err != nil {
Expand Down Expand Up @@ -915,7 +912,6 @@ func (c *SharedConfig) validateCredentialType() error {
len(c.CredentialSource) != 0,
len(c.CredentialProcess) != 0,
len(c.WebIdentityTokenFile) != 0,
c.hasSSOConfiguration(),
) {
return fmt.Errorf("only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso")
}
Expand Down Expand Up @@ -993,6 +989,10 @@ func (c *SharedConfig) clearCredentialOptions() {
c.CredentialProcess = ""
c.WebIdentityTokenFile = ""
c.Credentials = aws.Credentials{}
c.SSOAccountID = ""
c.SSORegion = ""
c.SSORoleName = ""
c.SSOStartURL = ""
}
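Review bot: The error message in `validateCredentialType` still ends with `or sso`, but this commit removes `c.hasSSOConfiguration()` from the exclusivity check, so the message now names a type the check no longer enforces; change it to `return fmt.Errorf("only one credential type may be specified per profile: source profile, credential source, credential process, or web identity token")`. Dropping `strings.ToLower(profile)` in `LoadSharedConfigProfile` makes profile lookup case-sensitive where it was not before, which deserves a sentence in that function's doc comment (outside this hunk), and if that was the only use of `strings` in the file the import is now unused — I cannot tell from the hunk. The four SSO fields added to `clearCredentialOptions` look consistent with `hasSSOConfiguration` provided that helper checks exactly those fields; worth confirming since the helper is not shown here.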

// SharedConfigLoadError is an error for the shared config file failed to load.