aws / aws-sdk-php

Official repository of the AWS SDK for PHP (@awsforphp)
http://aws.amazon.com/sdkforphp
Apache License 2.0

Use of SSO roles for PHP CLI #2848

Open exussum12 opened 8 months ago

exussum12 commented 8 months ago

Describe the feature

I am hoping to follow this workflow:

aws configure sso or aws sso login --profile=something

Commands on the AWS CLI work; I am hoping to be able to reuse the same profile (something in the case above) in PHP scripts.

Use Case

Removing long lived keys for local development

Proposed Solution

SSO logs to a few files (~/.aws/sso/cache).

These should be scanned when looking for a profile being passed. Current behaviour is: PHP Fatal error: Uncaught Aws\Exception\CredentialsException: 'something' not found in credentials file in /tmp/aws/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:826

Other Information

This should ideally work for roles assumed via other accounts. That has a separate storage (.aws/cli/cache).

Acknowledgements

SDK version used

Latest

Environment details (Version of PHP (php -v)? OS name and version, etc.)

php 8.2

exussum12 commented 8 months ago

So this does work as follows:

'credentials' =>  CredentialProvider::sso('something'),

In a constructor, but I'm not sure if the profile should pick it up? That is how the CLI works.

Digging into this some more: if a profile is passed, the ini loader is called, which does not support SSO. Any objections to moving that to a chain? First a standard profile, then fall back to an SSO profile.

RanVaknin commented 4 days ago

Hi @exussum12,

Sorry for the long wait. We have discussed this as a team but are confused about the ask here. Can you please provide a minimal snippet (imports, client instantiation and config) that highlights what you are trying to do?

Thanks, Ran

exussum12 commented 3 days ago

Hi

Assuming you have an SSO profile set up called prod_sso.

<?php
require_once './vendor/autoload.php';

use Aws\DynamoDb\DynamoDbClient;

// Only the profile name is passed; the SDK is expected to resolve it
// the same way the CLI does (here it only consults the credentials file).
$dynamoDbClient = new DynamoDbClient([
    'profile' => 'prod_sso',
    'region'  => 'eu-west-1',
]);
var_dump($dynamoDbClient->listTables());

PHP Fatal error: Uncaught Aws\Exception\CredentialsException: 'prod_sso' not found in credentials file in /tmp/aws/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:846

The CLI works:

aws --profile=prod_sso dynamodb list-tables

For full clarity:

[profile prod_sso]
sso_start_url = https://theUrl/start
sso_region = eu-west-1
sso_account_id = 99999999
sso_role_name = RoleIWishToAssume
region = eu-west-1
output = json

Set up from aws configure sso.
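The chain proposed earlier in the thread (try the ini profile first, fall back to an SSO profile of the same name), applied to the prod_sso repro above. This is an added example, not code from the SDK or from the issue author; it assumes the profile name prod_sso and a ~/.aws/config written by aws configure sso, and uses only CredentialProvider methods that exist in SDK v3 (ini, sso, chain, memoize).

```php
<?php
// Added example: resolve one named profile through a chain instead of
// the ini loader alone, so SSO profiles work without long-lived keys.
require_once './vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\DynamoDb\DynamoDbClient;
use Aws\Exception\CredentialsException;

$profile = 'prod_sso'; // assumed profile name from the issue

// Each link is consulted only when the previous one rejects.
// ini() reads ~/.aws/credentials (static keys, or role_arn/source_profile);
// sso() reads the [profile prod_sso] block in ~/.aws/config plus the
// cached token under ~/.aws/sso/cache, so no access key lives on disk.
$provider = CredentialProvider::chain(
    CredentialProvider::ini($profile),
    CredentialProvider::sso($profile)
);

// memoize() caches the resolved credentials and re-runs the chain only
// when they expire, instead of on every API call.
$provider = CredentialProvider::memoize($provider);

$dynamoDb = new DynamoDbClient([
    'region'      => 'eu-west-1',
    'version'     => 'latest',
    'credentials' => $provider,
]);

try {
    foreach ($dynamoDb->listTables()['TableNames'] as $name) {
        echo $name, PHP_EOL;
    }
} catch (CredentialsException $e) {
    // Raised when neither link resolved, e.g. the SSO session has expired
    // and `aws sso login --profile=prod_sso` needs to be run again.
    fwrite(STDERR, "Credential resolution failed: {$e->getMessage()}\n");
    exit(1);
}
```

Because ini() rejects for a profile that exists only in ~/.aws/config, the chain falls through to sso() for prod_sso while a classic key-based profile of the same name would still be served by the first link.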