SSO credential providers #4

Closed
vishaalt opened this issue Apr 12, 2021 · 13 comments
Labels
feature-request A feature should be added or improved.

Comments

@vishaalt
Contributor

vishaalt commented Apr 12, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Add support for SSO credential providers

@abatkin

abatkin commented Jul 5, 2021

Can we clarify the scope of this issue? For example, does this include SAML (AssumeRoleWithSAML) or should I open a dedicated feature request for that?

@jdisanti
Contributor

jdisanti commented Jul 6, 2021

@abatkin - This is tracking the addition of a credential provider that retrieves temporary credentials using an SSO access token, similar to what's in the Go v2 SDK. You should already be able to make a call to AssumeRoleWithSAML with the STS client, and use the result of that call to provide credentials, but you should open a feature request with more details about your use-case as it may make sense for the SDK to have a credential provider for it.

@abatkin

abatkin commented Jul 7, 2021

> ...but you should open a feature request with more details about your use-case as it may make sense for the SDK to have a credential provider for it.

Perfect. For anyone else who comes across this and wonders the same thing, see also #144

@rcoh rcoh added the feature-request A feature should be added or improved. label Jul 28, 2021
@bobbyrward

In the meantime, I've written a credential provider you can use until it comes to the SDK:
https://github.com/bobbyrward/aws-sdk-rust-sso-credentials

@pietroalbini

Would also love to see this implemented!

@naftulikay

I created naftulikay/aws-sso-env as a stopgap solution for obtaining SSO credentials. You'll need to install Rust to compile it; follow the instructions in the repo to get things working. The general idea is that you will export credentials into your environment variables and have the AWS SDK for Rust just grab them from there, rather than using an integrated SSO provider in your code.

I don't have the time right now to flesh this out into a full credentials provider, but perhaps in the future, I will.

Thanks to @bobbyrward above for his code, I forked it locally and got the inspiration to build a standalone utility for doing this.

@rcoh
Contributor

rcoh commented Jan 11, 2022

This has landed in main and will go out in the next release! Thanks for the upvotes everyone 🎉

@rcoh
Contributor

rcoh commented Jan 11, 2022

You can try this today by using the next branch as a Git dependency:

```toml
aws-config = { git = "https://github.com/awslabs/aws-sdk-rust", branch = "next" }

# note that you'll need to switch services as well so that `aws_types::Config` is the same type from Rust's perspective:
aws-sdk-SERVICE = { git = "https://github.com/awslabs/aws-sdk-rust", branch = "next" }
```

@Velfi
Contributor

Velfi commented Jan 21, 2022

Landed in v0.5.2.

@Velfi Velfi closed this as completed Jan 21, 2022
@vfilter

vfilter commented Mar 5, 2023

@rcoh documentation on this seems pretty sparse. Would you be able to provide an example of how this works? I can see that there is an SSO credentials provider here but I have no idea how to use it.

Specifically, I would like to just specify the SSO profile to use, similar to boto3:

```python
boto3.setup_default_session(profile_name='sandbox')
```

@benkehoe

benkehoe commented Mar 6, 2023

@vfilter The documentation is definitely lacking. What you're looking for, I believe, is something like (docs here):

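```rust
// These imports are only needed when building the profile providers by hand;
// the loader call below does not use them.
use aws_config::profile::{ProfileFileCredentialsProvider, ProfileFileRegionProvider};
use aws_config::profile::profile_file::{ProfileFiles, ProfileFileKind};

#[tokio::main] // `.await` needs an async context; this assumes the tokio runtime
async fn main() {
    // Load region and credentials from the "sandbox" profile in the shared config files.
    let sdk_config = aws_config::from_env()
        .profile_name("sandbox")
        .load()
        .await;
}
```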

As for boto3, I'd recommend against modifying the default session with setup_default_session() (and generally against using the package-level functions like boto3.client()), because it might conflict if different parts of your code are trying to use different credentials. Instead, use boto3 Sessions directly. Here's an explainer on that.

@trevorstr

It would be nice if there were a documentation section under the AWS Rust SDK docs ➡️ https://docs.aws.amazon.com/sdk-for-rust/latest/dg/credentials.html

It shows how to use static credentials, but that isn't a security best practice.
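
Added example, not code from the SDK or from anyone in this thread: a std-only Rust check that reads shared config text and reports, per profile, whether it resolves credentials through SSO or still carries static access keys, so you know which profile names are safe to hand to `.profile_name(...)`. It assumes the `~/.aws/config` section syntax (`[default]`, `[profile NAME]`, `[sso-session NAME]`), not the credentials file; the sample text and all names in it are constructed placeholders.

```rust
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
enum Source { Sso, StaticKeys, Other }

// Constructed sample of a shared config file; every value is a placeholder.
const SAMPLE: &str = "
[default]
region = us-east-1
[profile sandbox]
sso_session = corp
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
[profile legacy]
aws_access_key_id = AKIAPLACEHOLDER
";

/// Classify each profile in shared-config text by where its credentials come from.
fn classify_profiles(config: &str) -> BTreeMap<String, Source> {
    let mut keys: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut current: Option<String> = None;
    for line in config.lines().map(str::trim) {
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') { continue; }
        if let Some(section) = line.strip_prefix('[').and_then(|l| l.strip_suffix(']')) {
            // Non-profile sections ("[sso-session NAME]") must not leak keys into a profile.
            current = match section.trim() {
                "default" => Some("default".to_string()),
                s => s.strip_prefix("profile ").map(|n| n.trim().to_string()),
            };
            if let Some(name) = &current {
                keys.entry(name.clone()).or_default();
            }
        } else if let (Some(name), Some((key, _))) = (&current, line.split_once('=')) {
            keys.entry(name.clone()).or_default().push(key.trim().to_lowercase());
        }
    }
    keys.into_iter().map(|(name, ks)| {
        let has = |k: &str| ks.iter().any(|x| x == k);
        // Static keys win: a profile that embeds a long-lived key is flagged even if it also names SSO.
        let source = if has("aws_access_key_id") { Source::StaticKeys }
            else if has("sso_session") || has("sso_start_url") { Source::Sso }
            else { Source::Other };
        (name, source)
    }).collect()
}

fn main() {
    classify_profiles(SAMPLE).iter().for_each(|(n, s)| println!("{}: {:?}", n, s));
}
```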
