ex-aws / ex_aws

A flexible, easy to use set of clients for AWS APIs for Elixir
https://hex.pm/packages/ex_aws
MIT License
1.27k stars, 526 forks

Support AWS SSO Credential Provider #843

Closed ymtszw closed 2 years ago

ymtszw commented 2 years ago

Environment (at the moment of writing)

Background

Currently, ex_aws supports a "shared credentials" provider which reads the traditional aws_access_key_id and aws_secret_access_key from the ~/.aws/credentials or ~/.aws/config files. These files originate from the CLI authentication mechanism using IAM users.

However, recent AWS CLI versions support the AWS SSO authentication mechanism, which does not involve semi-permanent IAM users and static credentials. Instead it uses short-lived credentials per SSO user, issued via the terminal-to-browser login experience of aws sso login.

Current behavior

This new mechanism indeed provides aws_access_key_id and aws_secret_access_key pairs (albeit short-lived), but stores them in a different file format in ~/.aws/cli/cache/{{ AWS SSO URL digest }}.json, so the current implementation of the shared credentials provider cannot handle them.

Expected behavior

We are gradually migrating from static IAM user management to the AWS SSO experience, so ex_aws support for SSO credentials is one of our requirements.

Taking an example from the Ruby SDK implementation, a feasible behavior would be:

Status

From our standpoint this is not urgent, though we will definitely start working on this in the not-too-distant future. We will likely implement the feature in-house (or on a fork), and then contribute it to the public if it works well.

Until then, let me open this issue as a tracker. If others are interested, that would be super cool too.
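As an added illustration of the file-format gap described above (example code, not ex_aws code and not the fork or PR discussed in this thread): an Elixir module that scans the AWS CLI's ~/.aws/cli/cache directory for role-credential JSON files, validates each entry's shape, and only returns credentials whose Expiration is still in the future. The field names (Credentials, AccessKeyId, SecretAccessKey, SessionToken, Expiration) and the trailing "UTC" timestamp suffix are assumptions about what the AWS CLI writes; the module, function names, and sample JSON are constructed for this example, and it assumes the Jason library for JSON decoding. The returned map uses the key names ex_aws configuration uses for a key pair plus session token (access_key_id, secret_access_key, security_token).

```elixir
defmodule SsoCacheCredentials do
  @moduledoc """
  Example (not part of ex_aws): load short-lived AWS SSO role credentials
  from the AWS CLI cache, rejecting malformed or expired entries.
  Assumes Jason is available for JSON decoding.
  """

  # Directory the AWS CLI uses for cached role credentials (from the issue text).
  @default_dir Path.expand("~/.aws/cli/cache")

  # Constructed sample in the assumed shape of one cache file; all values are placeholders.
  @sample ~s({"Credentials":{"AccessKeyId":"ASIAEXAMPLEPLACEHOLDER","SecretAccessKey":"secret-placeholder","SessionToken":"token-placeholder","Expiration":"2030-01-01T00:00:00UTC"}})

  @doc """
  Return `{:ok, creds}` for the first unexpired entry found in `cache_dir`,
  or `{:error, :no_valid_sso_credentials}`. `now` is injectable for testing.
  """
  def load(cache_dir \\ @default_dir, now \\ DateTime.utc_now()) do
    cache_dir
    |> Path.join("*.json")
    |> Path.wildcard()
    |> Enum.flat_map(fn path ->
      with {:ok, body} <- File.read(path),
           {:ok, creds} <- parse(body, now) do
        [creds]
      else
        # Unreadable, malformed, or expired files are skipped, never partially used.
        _ -> []
      end
    end)
    |> case do
      [creds | _] -> {:ok, creds}
      [] -> {:error, :no_valid_sso_credentials}
    end
  end

  @doc "Parse one cache file body; expired or malformed entries are rejected."
  def parse(body, now \\ DateTime.utc_now()) do
    with {:ok, %{"Credentials" => c}} <- Jason.decode(body),
         %{"AccessKeyId" => ak, "SecretAccessKey" => sk,
           "SessionToken" => tok, "Expiration" => exp} <- c,
         {:ok, expires_at} <- parse_expiration(exp),
         :gt <- DateTime.compare(expires_at, now) do
      {:ok, %{access_key_id: ak, secret_access_key: sk,
              security_token: tok, expires_at: expires_at}}
    else
      {:error, %Jason.DecodeError{}} -> {:error, :invalid_json}
      :lt -> {:error, :expired}
      :eq -> {:error, :expired}
      _ -> {:error, :malformed}
    end
  end

  # The CLI is assumed to write timestamps like "2030-01-01T00:00:00UTC";
  # "Z"-suffixed ISO 8601 is accepted as well.
  defp parse_expiration(exp) when is_binary(exp) do
    exp
    |> String.replace_suffix("UTC", "Z")
    |> DateTime.from_iso8601()
    |> case do
      {:ok, dt, _offset} -> {:ok, dt}
      {:error, _} -> :error
    end
  end

  defp parse_expiration(_), do: :error

  @doc "Parse the constructed sample as of a fixed clock; returns {:ok, creds}."
  def demo, do: parse(@sample, ~U[2024-01-01 00:00:00Z])
end
```

The expiry check is the part worth keeping even in a throwaway implementation: a stale cache entry fails silently at the API call with a signature or token error, which is harder to diagnose than an explicit `{:error, :expired}` telling the user to run aws sso login again. The credential map is never logged by this module for the same reason static keys are not.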

kyleVsteger commented 2 years ago

@ymtszw Thanks for opening this up. We're facing similar transitional pressure as well. Have you made any progress on implementing this feature on a fork? I took a peek at the code and I couldn't find a straightforward way to implement an :aws_sso option.

ymtszw commented 2 years ago

Haven't. In fact we have introduced a gluing shell script (not an executable, rather a source-able script) for now.

It:

Since the ex_aws service catalog does not cover sso get-role-credentials yet, relying on the aws cli was faster for us.

kyleVsteger commented 2 years ago

Sounds like we wrote the same script 👍

joeybaer commented 2 years ago

aws-sso-cli looks promising for others needing a similar script

I started to lay this out in my fork here

Building off of @ymtszw's awesome writeup, my idea here was the following:

  • If a user is using the :awscli option and has AWS SSO configured, I wanted to try to keep the flow the same and add functionality to load the credentials the same way (started)
  • For users wanting to use AWS SSO without AWS CLI configured, we could introduce :awssso and allow configuration of the provider similar to the Ruby SDK implementation previously mentioned (not started)

I would like to get y'all's feedback on the thoughts/branch above to determine if I am on the right track and should proceed further. Full transparency, I'm relatively new to Elixir so any and all feedback is welcomed and helpful; feel free to leave comments on my PR :D

kyleVsteger commented 2 years ago

Thanks for lining that PR up @joeybaer — I left one comment and will take a look back in a couple of days. I'm not a maintainer of this lib but am interested in contributing back and potentially refactoring some stuff in this repo. I think it makes sense to have individual modules for each provider, but that's a large undertaking.