hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Support for AWS SSO #18375

Open AdrienneCohea opened 1 year ago

AdrienneCohea commented 1 year ago

As a user I would like to be able to log into AWS CLI via SSO and have Vault read from SSO credentials stored in ~/.aws/sso. Currently I have to perform an STS login using explicit aws_access_key_id, aws_secret_access_key, and aws_session_token values in ~/.aws/credentials.

Would it be possible to have SSO credentials in the chain of providers checked? :tulip:

Attempted with Vault version 1.12.2

AdrienneCohea commented 1 year ago

Suggested tags auth/aws, ecosystem, enhancement, cli

remilapeyre commented 1 year ago

Hi @AdrienneCohea, have you looked into token helpers? I think they could help you achieve what you are looking for in your environment.

AdrienneCohea commented 1 year ago

Hi Rémi! No, I have not. It would work for my use case, but my desire is for HashiCorp to officially support AWS SSO credentials. I haven't looked into the Vault codebase, but the AWS Go SDK V2 has a default configuration provider which supports it out of the box.

AdrienneCohea commented 1 year ago

I took another look at this @remilapeyre, and token helpers would not work actually. :(

I can see that this would require updates to go-secure-stdlib: https://github.com/hashicorp/go-secure-stdlib/issues/34

I put a +1 on this issue, and I actually think I'd prefer to see awsutil fully on AWS SDK V2, or perhaps a new module could be created like awsutilv2?

Is there any interest in having the community fork and make a contribution on that repository or would that be a no-no?

jefferai commented 1 year ago

@AdrienneCohea I'd love to see that utility updated to aws-sdk-go v2. A PR would be lovely. I took a short look at going through that update in the past but it didn't seem fully straightforward and I didn't have time to keep going.

It might also be worth revisiting naming and other things, we could make it a v3 of awsutil if we want.

For context, two of the reasons awsutil exists are that we (a) wanted an easy way for our various applications to use AWS without understanding too much of the underlying Go SDK, and (b) the underlying Go SDK (at least at the time) did not easily allow us to exclude credential sources, and we needed the ability to more specifically target which of the possible credentials to actually use (e.g. maybe there are instance profile credentials, but we want to prioritize IAM keys instead). It's possible with v2 of the official Go SDK that some of these things are much easier now in a native fashion.

AdrienneCohea commented 1 year ago

Okay cool, thanks so much, Jeff! I figured that you wanted to abstract the AWS SDK a bit, and yeah, with the V2 SDK, credential sources become more standardized, and config.LoadDefaultConfig() does most of the heavy lifting (although, would we have research we need to do in order to maintain the current "orderings" of credential sources?) At any rate, I would love to pursue that if it looks interesting. I might not have time to dedicate to it until March or April, but I am happy to sign a CLA if there is interest. Thanks so much for your feedback about direction.

(Sent by e-mail on Mon, Feb 13, 2023, in reply to Jeff Mitchell's comment of 10:30 AM that day, quoted above.)
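The ordered, filterable credential chain the exchange above is about (jefferai's point (b), and the question of preserving the current orderings of credential sources once SSO is added) as an added example in plain Go; this is not Vault's, awsutil's or the AWS SDK's code, and Credentials, Source, DefaultSources and Resolve are stand-ins defined here so it runs offline without the SDK:

```go
package main

import (
	"fmt"
	"strings"
)

// Credentials stands in for aws.Credentials from aws-sdk-go-v2 (assumed shape, not the SDK type).
type Credentials struct {
	AccessKeyID string
	Source      string // name of the source that supplied them
}

// Source is one credential source; Creds == nil means it has nothing in this environment.
type Source struct {
	Name  string
	Creds *Credentials
}

// DefaultSources is the order this example checks: static keys, the shared credentials
// file, the SSO token cache the issue asks for, and finally the instance profile.
func DefaultSources(static, shared, sso, instance *Credentials) []Source {
	return []Source{{"static", static}, {"shared-file", shared}, {"sso", sso}, {"instance-profile", instance}}
}

// Resolve walks sources in order, skipping names in exclude, and returns the first that
// has credentials. The skip list is the control awsutil wanted over the SDK's own chain
// (e.g. keep IAM keys ahead of an instance profile, or drop a source entirely).
func Resolve(sources []Source, exclude ...string) (Credentials, error) {
	skip := map[string]bool{}
	for _, name := range exclude {
		skip[name] = true
	}
	var tried []string
	for _, s := range sources {
		switch {
		case skip[s.Name]:
			tried = append(tried, s.Name+": excluded")
		case s.Creds == nil:
			tried = append(tried, s.Name+": unavailable")
		default:
			creds := *s.Creds
			creds.Source = s.Name
			return creds, nil
		}
	}
	return Credentials{}, fmt.Errorf("no usable credential source (%s)", strings.Join(tried, "; "))
}
```

The error message lists every source that was skipped or empty, which is the detail a user wants when the chain silently picks the wrong identity.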

jorhett commented 7 months ago

Vault is using an ancient version of the aws-sdk, version 1.17. There are numerous bug fixes in recent versions for SSO users, and we're seeing this one aws/aws-sdk-go#4989 which is fixed by v1.45.15.

I realized this requires lots of testing on your part @jefferai, but there are lots of AWS config problems fixed in the last 4.5 years ....

bengaywins commented 7 months ago

@jefferai This should be resolved by updating hashicorp/go-secure-stdlib/awsutil to v2.0.0 release. As that uses the v2 with a version of v1.20.1 of the aws sdk go lib (which is from Aug 7, 2023). There are some breaking changes though. Can read here.

Note: I am unaffiliated but Jorhett's comments caused me to dig a bit.