Closed ymtszw closed 2 years ago
@ymtszw Thanks for opening this up. We're facing similar transitional pressure as well. Have you made any progress on implementing this feature on a fork? I took a peek at the code and I couldn't find a straightforward way to implement an :aws_sso option.
Haven't. In fact we have introduced a glueing shell script (not executable, rather a source-able script) for now.
It:
- runs aws sso get-role-credentials
- exports the resulting credentials as environment variables, including AWS_SESSION_TOKEN
- is sourced before executing your Elixir applications, for ex_aws to work using those environment variables
Since the ex_aws service catalog does not cover sso get-role-credentials yet, relying on the aws cli was faster for us.
Sounds like we wrote the same script 👍
aws-sso-cli looks promising for others needing a similar script
I started to lay this out in my fork here
Building off of @ymtszw's awesome writeup, my idea here was the following:
- If a user is using the :awscli option and has AWS SSO configured, I wanted to try to keep the flow the same and add functionality to load the credentials the same way (started)
- For users wanting to use AWS SSO without AWS CLI configured, we could introduce :awssso and allow configuration of the provider similar to the Ruby SDK implementation previously mentioned (not started)
I would like to get y'all's feedback on the thoughts/branch above to determine if I am on the right track and should proceed further. Full transparency, relatively new to Elixir so any and all feedback is welcomed and helpful, feel free to leave comments on my PR :D
Thanks for lining that PR up @joeybaer — I left one comment and will take a look back in a couple of days. I'm not a maintainer of this lib but am interested in contributing back and potentially refactoring some stuff in this repo. I think it makes sense to have individual modules for each provider, but that's a large undertaking.
Environment (at the moment of writing)
Background
Currently, ex_aws supports a "shared credentials" provider which reads traditional aws_access_key_id and aws_secret_access_key from the ~/.aws/credentials or ~/.aws/config files. These files originate from the CLI authentication mechanism using IAM users.
However, recent AWS CLI supports the AWS SSO authentication mechanism, which does not involve semi-permanent IAM users and static credentials. Instead it uses short-lived credentials per SSO user, issued via the terminal-to-browser login experience of aws sso login.
Current behavior
This new mechanism indeed provides aws_access_key_id and aws_secret_access_key pairs (albeit short-lived), but stores them in a different file format in ~/.aws/cli/cache/{{ AWS SSO URL digest }}.json, so the current implementation of the shared credentials provider cannot handle them.
Expected behavior
We are gradually migrating from static IAM user management to the AWS SSO experience, so ex_aws support of SSO credentials is one of our requirements.
Taking an example from the Ruby SDK implementation, a feasible behavior would be:
- getRoleCredentials API
- :awscli, maybe :awssso?
- aws sso login
Status
From our standpoint this is not urgent, though we will definitely start working on this in the not-so-distant future. We will likely implement the feature in-house (or on a fork), and then contribute it to the public if it works well.
Until then let me open this issue as a tracker. If others are interested, that would be super cool too.
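An added example, not code from this thread or from ex_aws itself: an Elixir module that does the part of the :awssso idea above that the shared credentials provider cannot, namely reading the short-lived credentials that aws sso login caches under ~/.aws/cli/cache/*.json and returning the freshest unexpired set. The cache file layout, the use of Jason for JSON decoding, and the module and function names are assumptions.

```elixir
defmodule SsoCliCache do
  @moduledoc """
  Loads the short-lived credentials `aws sso login` leaves under ~/.aws/cli/cache/*.json
  and returns the newest unexpired set under the config keys ex_aws reads.
  Assumed (not from the issue thread): the file layout below and Jason for JSON.
  """
  # Constructed sample of the expected layout (one file per SSO role session):
  # {"ProviderType":"sso","Credentials":{"AccessKeyId":"ASIA...","SecretAccessKey":"...",
  #  "SessionToken":"...","Expiration":"2024-05-01T10:00:00UTC"}}
  @safety_margin_s 60

  def load(dir \\ Path.expand("~/.aws/cli/cache"), now \\ DateTime.utc_now()) do
    with {:ok, files} <- File.ls(dir) do
      files
      |> Enum.filter(&String.ends_with?(&1, ".json"))
      |> Enum.flat_map(&read_creds(Path.join(dir, &1)))
      |> Enum.reject(&expires_soon?(&1, now))
      |> case do
        [] -> {:error, :no_valid_sso_credentials}
        creds -> {:ok, Enum.max_by(creds, & &1.expiration, DateTime)}
      end
    end
  end

  # One file -> zero or one credential maps; non-SSO or malformed files are skipped.
  defp read_creds(path) do
    with {:ok, body} <- File.read(path),
         {:ok, %{"Credentials" => c}} <- Jason.decode(body),
         {:ok, exp} <- parse_expiration(c["Expiration"]) do
      [%{access_key_id: c["AccessKeyId"], secret_access_key: c["SecretAccessKey"],
         security_token: c["SessionToken"], expiration: exp, source: path}]
    else
      _ -> []
    end
  end

  # The CLI writes "YYYY-MM-DDTHH:MM:SSUTC"; a plain ISO 8601 timestamp also parses.
  defp parse_expiration(<<stamp::binary-size(19), "UTC">>), do: parse_expiration(stamp <> "Z")
  defp parse_expiration(str) when is_binary(str) do
    case DateTime.from_iso8601(str) do
      {:ok, dt, _offset} -> {:ok, dt}
      {:error, reason} -> {:error, reason}
    end
  end
  defp parse_expiration(_), do: {:error, :missing_expiration}

  # Credentials expiring within the margin count as expired, so a request is never signed with a token that dies mid-flight.
  defp expires_soon?(%{expiration: exp}, now),
    do: DateTime.compare(exp, DateTime.add(now, @safety_margin_s, :second)) != :gt
end
```

Because these entries are short-lived, a provider built on this has to re-read the cache (or fall back to the getRoleCredentials API) once the returned expiration passes, rather than holding the map for the lifetime of the process.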