duckdb / duckdb_aws

MIT License

support loading credentials set by `aws sso login` #10

Closed stephaniewang526 closed 2 months ago

stephaniewang526 commented 10 months ago

`aws sso login` is a common path for users to log into their AWS console. The extension does not currently extract tokens from `~/.aws/sso/cache`, where the authentication token is cached to disk through this path. The user needs to manually run `aws configure` to set up their `~/.aws/credentials` instead for the extension to work. It would be great if the common path of `aws sso login` could be supported also.

rairaman commented 8 months ago

This setup seems to work for me:

```ini
[default]
sso_session = my-sso
sso_account_id = 123456789123
sso_role_name = SomeRole
region = us-east-1
output = json

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

Not sure if something was changed since this issue was opened.

Anteus commented 8 months ago

Doesn't work here but I have a different setup with:

```ini
[default]
region = us-east-1
output = json
role_arn = arn:aws:iam:ACCOUNTID:role/ROLE_NAME
source_profile = my-profile

[profile my-profile]
sso_region = us-east-1
sso_session = my-sso
sso_account_id = 123456789123
sso_role_name = SomeRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

RobbertDM commented 6 months ago

Also not working for me with the same config as @rairaman. I'm on v0.9.2 3c695d7ba9, Linux Ubuntu 22.04. I tried both zsh and bash, and even Python with `duckdb.sql()`. I tried to specify the profile as well with `call load_aws_credentials('my-profile');`. Nothing works. A colleague of mine has it working on his Mac; his AWS profile looks the same :shrug:

RobbertDM commented 6 months ago

After building myself, it works:

```
./build/release/duckdb
v0.9.3-dev1243 6af3519ec1
D call load_aws_credentials();
```

Gives me a nice table full of credentials, while

```
duckdb
v0.9.2 3c695d7ba9
D call load_aws_credentials();
```

Gives me an empty table.

herebebeasties commented 3 months ago

For me at least, if you have just done an `aws sso login` then it works. If some time has gone by then it doesn't.

"Ah, well your session must have expired!" I hear you say. But no; `aws s3 ls` works just fine. So something else is going on here.
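
The following is an added example, not code from this thread or from the duckdb_aws project: a way to check the state of the `~/.aws/sso/cache` tokens discussed above when credentials load right after `aws sso login` but not later. It assumes the AWS CLI v2 cache field names (`accessToken`, `expiresAt`, `refreshToken`); the sample entries and the `inspect_sso_cache` and `demo` helpers are constructed for illustration, and token values are never returned or printed.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed entries, not real tokens. Field names are assumed to follow the
# AWS CLI v2 SSO token cache layout.
URL = "https://my-sso-portal.awsapps.com/start"
SAMPLE_CACHE = {
    "legacy.json": {"startUrl": URL, "accessToken": "CONSTRUCTED",
                    "expiresAt": "2024-03-18T12:00:00UTC"},
    "session.json": {"startUrl": URL, "accessToken": "CONSTRUCTED",
                     "refreshToken": "CONSTRUCTED",
                     "expiresAt": "2024-03-18T09:00:00Z"},
    "registration.json": {"clientId": "CONSTRUCTED", "clientSecret": "CONSTRUCTED",
                          "expiresAt": "2024-06-01T00:00:00Z"},
}

def parse_expiry(value):
    """Parse expiresAt; accept both the 'Z' and the older 'UTC' suffix."""
    parsed = datetime.fromisoformat(value.replace("UTC", "+00:00").replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def inspect_sso_cache(cache_dir, now=None):
    """Summarise cached SSO tokens; secret values are never returned or printed."""
    now = now or datetime.now(timezone.utc)
    report = []
    for path in sorted(Path(cache_dir).expanduser().glob("*.json")):
        try:
            entry = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip rather than abort
        if not isinstance(entry, dict) or not {"accessToken", "expiresAt"} <= entry.keys():
            continue  # e.g. client registration files carry no access token
        expires = parse_expiry(entry["expiresAt"])
        report.append({"file": path.name, "expired": expires <= now,
                       "seconds_left": int((expires - now).total_seconds()),
                       "has_refresh_token": "refreshToken" in entry})
    return report

def demo(now=datetime(2024, 3, 18, 10, 0, tzinfo=timezone.utc)):
    """Write the constructed cache to a temp dir and inspect it at a fixed time."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, entry in SAMPLE_CACHE.items():
            (Path(tmp) / name).write_text(json.dumps(entry))
        return inspect_sso_cache(tmp, now)

if __name__ == "__main__":
    for row in demo():  # for a real check: inspect_sso_cache("~/.aws/sso/cache")
        print(row)
```

An entry that is expired but still carries a refresh token is one where a client that refreshes the token and a client that only reads the cached access token can behave differently.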

samansmink commented 2 months ago

Let's move any discussion here to the aws repo and close this one. Check out the reply here: https://github.com/duckdb/duckdb_aws/issues/14#issuecomment-2004010988 for a working workflow with secrets.