benkehoe / aws-sso-credential-process

Bring AWS SSO-based credentials to the AWS SDKs until they have proper support
Apache License 2.0

Question: readme test works without this tool #1

Closed CrescentFresh closed 2 years ago

CrescentFresh commented 2 years ago

The project readme includes these final instructions to verify that the credential_process configuration worked:

aws sso login --profile my-sso-profile
python -c "import boto3; print(boto3.Session(profile_name='my-sso-profile').client('sts').get_caller_identity())"

However I've found the expected output is achieved without setting credential_process at all:

$ cat ~/.aws/config
[profile sso_test]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456
sso_role_name = therole
region = us-east-1
output = json

$ aws sso login --profile sso_test
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

****-****
Successully logged into Start URL: https://example.awsapps.com/start

$ python3 -c "import boto3; print(boto3.Session(profile_name='sso_test').client('sts').get_caller_identity())"
{'UserId': '***', 'Account': '123456', 'Arn': 'arn:aws:sts::123456:assumed-role/AWSReservedSSO_therole_4567/me@example.com', 'ResponseMetadata': {'RequestId': 'c1d6d70e-6ed3-4b01-a28d-bbb9bd20cdf4', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'c1d6d70e-6ed3-4b01-a28d-bbb9bd20cdf4', 'content-type': 'text/xml', 'content-length': '490', 'date': 'Thu, 07 Apr 2022 18:16:48 GMT'}, 'RetryAttempts': 0}}

Is there a test that verifies the correctness of the configuration?

Context: I'm trying to demo to my team a before/after.

benkehoe commented 2 years ago

The credential process is intended to be a backstop for AWS SDKs that don't support AWS SSO credentials; they'll ignore the sso configuration fields but pick up the credential process. I'm not sure what's remaining on the list of SDKs without support. The JS SDK v2 was one of the last holdouts and it recently got support. boto3 has had support for a long time. I have not updated the README here since moving the functionality to aws-sso-util. I should do an inventory and update the README in both places for what SDK versions map to AWS SSO support.

CrescentFresh commented 2 years ago

Ah ok. The aws-sso-util docs do have a verification example using the JS SDK: https://github.com/benkehoe/aws-sso-util/blob/master/docs/credential-process.md that gets what I'm after. This has helped a lot, thanks.

benkehoe commented 2 years ago

As far as I know, there isn't a great way to verify that an SDK is using a particular credential provider. So you'd want to pick a version of the SDK that you know doesn't work with AWS SSO—but why would you want to do that?
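
As the thread shows, an SDK with native AWS SSO support succeeds from the sso_* fields alone, so a static audit of the config file is one way to see which profiles actually carry the credential_process backstop for SDKs that ignore those fields. This is an added example, not part of the original thread or the project's code; the profile names, verdict labels, and the placeholder helper command are assumptions.

```python
import configparser

# The four sso_* keys used by the profile shown in the thread.
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

# Constructed sample config; the credential_process command is a placeholder.
SAMPLE_CONFIG = """\
[profile sso_only]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456
sso_role_name = therole

[profile sso_with_backstop]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456
sso_role_name = therole
credential_process = <credential-helper-command> --profile sso_with_backstop

[profile partial]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[default]
region = us-east-1
"""


def audit_profiles(config_text):
    """Map each profile name to its verdict and whether a non-SSO SDK can use it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    report = {}
    for section in parser.sections():
        # ~/.aws/config names sections "profile NAME", except for "default".
        name = section[len("profile "):].strip() if section.startswith("profile ") else section
        missing = [k for k in SSO_KEYS if k not in parser[section]]
        has_process = "credential_process" in parser[section]
        if 0 < len(missing) < len(SSO_KEYS):
            verdict = "incomplete-sso"
        elif not missing:
            verdict = "sso+backstop" if has_process else "sso-only"
        else:
            verdict = "process-only" if has_process else "no-sso-or-process"
        report[name] = {"verdict": verdict, "missing": missing if missing != list(SSO_KEYS) else [],
                        "legacy_sdk_usable": has_process}
    return report


if __name__ == "__main__":
    for profile, result in audit_profiles(SAMPLE_CONFIG).items():
        print(profile, result)
```

A profile reported as `sso-only` is the case from the question: it passes the boto3 check while offering nothing to an SDK that ignores the sso_* fields.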