boyney123 / eventcatalog

Discover, Explore and Document your Event Driven Architectures powered by Markdown.
https://eventcatalog.dev
MIT License

Support AWS SSO Profiles in the Eventbridge schema generator #516

Open ryancormack opened 1 month ago

ryancormack commented 1 month ago

Description

The EB Plugin currently requires you to pass in some credentials as part of the options (in eventcatalog.config.js):

module.exports = {
  // ...other EventCatalog config
  generators: [
    [
      '@eventcatalog/plugin-doc-generator-amazon-eventbridge',
      {
        eventBusName: 'mw-backbone-dev',
        region: 'eu-west-1', // your region
        registryName: 'discovered-schemas', // your registry, normally "discovered-schemas"
        // static credentials are currently the only supported option
        credentials: {
          accessKeyId: '',
          secretAccessKey: '',
          sessionToken: '',
        },
      },
    ],
  ],
};

These get type-checked here: https://github.com/boyney123/eventcatalog/blob/master/packages/eventcatalog-plugin-generator-amazon-eventbridge/src/types.ts#L11 and are then passed into the AWS SDKs here: https://github.com/boyney123/eventcatalog/blob/master/packages/eventcatalog-plugin-generator-amazon-eventbridge/src/lib/aws.ts#L163-L167

This requires the keys to be set in the environment and prevents the use of AWS SSO Profiles. The AWS SDKs themselves will attempt to get credentials from an SSO Profile, the existing env variables or several other processes.

Supporting SSO Profiles would make running this easier for users locally who either can't get static short (or long) lived tokens, or who don't wish to have to copy and paste them around the place.

Proposed Solution

Given the order in which the SDKs already attempt to resolve credentials, I would propose making the existing inputs optional (but keeping them as the first/default choice, overriding the SDK patterns), while also accepting no inputs at all and letting the SDKs resolve credentials however they wish.

Alternatively, to address only the issue of SSO Profiles, accept another input of ssoProfileName and use that, when defined, over the other credential options.

Motivation

Being able to use different profiles to run EventCatalog locally. Needing to set credentials in the env or in text in code isn't always ideal when services like AWS SSO (or AWS IAM Identity Center, as it likes to be known) are able to more securely generate credentials and even auto-refresh them if needed.
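One way the generator could implement the proposal above (explicit keys keep priority, a named SSO profile is honoured when given, and otherwise the SDK's own provider chain resolves credentials), as an added example that is not EventCatalog's code and not part of the issue. It assumes the `ssoProfileName` option proposed above (not an existing option), a hypothetical `buildClientConfig` helper, and the real `fromSSO` provider from `@aws-sdk/credential-providers`, which is injected as a hook so the file runs without the SDK installed.

```javascript
'use strict';

// Added example, not EventCatalog's own code: assemble the credential part of
// an AWS SDK v3 client config (e.g. for `new SchemasClient(config)`) so that
// explicit keys keep priority, a named SSO profile is used when given, and
// otherwise nothing is set and the SDK's default provider chain (env vars,
// ~/.aws/config profiles, instance roles, ...) resolves credentials.
// Assumed names: the `ssoProfileName` option proposed in the issue and the
// injected `loadFromSSO` hook (defaults to fromSSO from
// @aws-sdk/credential-providers, required lazily so this file runs without it).

const REQUIRED_STATIC_KEYS = ['accessKeyId', 'secretAccessKey'];

function isNonEmptyString(value) {
  return typeof value === 'string' && value.length > 0;
}

// True when a complete static key pair was supplied. Empty strings (as in the
// template config from the issue) count as "not supplied" and fall through.
// A half-filled pair is rejected rather than silently falling through, because
// that would hide which identity a run actually used.
function hasStaticCredentials(credentials) {
  if (!credentials || typeof credentials !== 'object') return false;
  const present = REQUIRED_STATIC_KEYS.filter((key) => isNonEmptyString(credentials[key]));
  if (present.length === 0) return false;
  if (present.length < REQUIRED_STATIC_KEYS.length) {
    throw new Error(
      `credentials must include both ${REQUIRED_STATIC_KEYS.join(' and ')}; got only ${present.join(', ')}`,
    );
  }
  return true;
}

function defaultFromSSO(init) {
  // Lazy require: the SDK package is only needed when a profile is selected.
  const { fromSSO } = require('@aws-sdk/credential-providers');
  return fromSSO(init);
}

// Builds { region, credentials? } for an SDK v3 client.
// Precedence: explicit static keys > ssoProfileName > SDK default chain.
function buildClientConfig(options, loadFromSSO = defaultFromSSO) {
  const { region, credentials, ssoProfileName } = options || {};
  if (!isNonEmptyString(region)) throw new Error('region is required');

  const config = { region };
  if (hasStaticCredentials(credentials)) {
    config.credentials = {
      accessKeyId: credentials.accessKeyId,
      secretAccessKey: credentials.secretAccessKey,
    };
    // Only forward a session token that is actually set; '' is not a token.
    if (isNonEmptyString(credentials.sessionToken)) {
      config.credentials.sessionToken = credentials.sessionToken;
    }
  } else if (isNonEmptyString(ssoProfileName)) {
    // fromSSO returns a provider function the SDK calls (and refreshes) itself.
    config.credentials = loadFromSSO({ profile: ssoProfileName });
  }
  // else: leave `credentials` undefined and let the SDK default chain resolve.
  return config;
}

// Secret-free description of the chosen source, suitable for a log line so a
// user can see which identity the generator is about to run under.
function describeCredentialSource(config, options) {
  if (config.credentials === undefined) return 'AWS SDK default provider chain';
  if (typeof config.credentials === 'function') return `SSO profile "${options.ssoProfileName}"`;
  return `static keys (accessKeyId ending ${config.credentials.accessKeyId.slice(-4)})`;
}
```

With this shape the template config from the issue (all three credential fields set to empty strings) no longer breaks the run: it falls through to the SDK default chain, which is the behaviour the SDK is designed for, and an `ssoProfileName` such as `'dev'` picks that profile from `~/.aws/config` and lets the SDK refresh its tokens.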

mixja commented 3 weeks ago

Really you should allow the SDK to resolve credentials from the underlying environment, whether it be via static access keys, AWS profile, EC2 instance profile, etc. This is the way the SDK is intended to work.