kovihq / sqltools-athena-driver

AWS Athena Driver for VSCode Plugin SQLTools
MIT License
5 stars, 11 forks

SSO support #22

Open duncanmcdowell opened 2 years ago

duncanmcdowell commented 2 years ago

Attempting to try out an SSO profile and receiving the following error:

Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

The connections code here doesn't suggest support for SSO, which leads me to believe the above error isn't actually providing a path to resolution.

Is SSO support planned?

Cistron commented 2 years ago

I've been using the SSO token to create temporary credentials. Here's a very simple python script.

import json
import glob
import os
import boto3
from pathlib import Path

print(
    "Before running this script, make sure you have created an AWS SSO token:\naws sso login --profile my-profile"
)

AWS_CONFIG_PATH = f"{Path.home()}/.aws/config"  # not used below; kept for reference
AWS_CREDENTIAL_PATH = f"{Path.home()}/.aws/credentials"
AWS_SSO_CACHE_PATH = f"{Path.home()}/.aws/sso/cache"
ROLE_NAME = "my-admin-role"
ACCOUNT_PREFIX = ""  # to be stripped

# fetching all credential files and selecting youngest
# this is assuming that the youngest file was created by the SSO request
list_of_files = glob.glob(f"{AWS_SSO_CACHE_PATH}/*.json")
newest_file = max(list_of_files, key=os.path.getctime)

# loading SSO token from file
with open(newest_file, "r") as f:
    credentials = json.load(f)
region = credentials["region"]
access_token = credentials["accessToken"]

# creating session, finding all accounts, ...
session = boto3.Session(region_name=region)
sso = session.client("sso")
paginator = sso.get_paginator("list_accounts")
results = paginator.paginate(accessToken=access_token)
account_list = results.build_full_result()["accountList"]

credentials_string = []

# iterating over accounts, retrieving credentials
for account in account_list:
    response = sso.get_role_credentials(
        roleName=ROLE_NAME,
        accountId=account["accountId"],
        accessToken=access_token,
    )

    credentials_string.append(
        f"""[{account['accountName'].replace(ACCOUNT_PREFIX,'')}]
aws_access_key_id={response['roleCredentials']['accessKeyId']}
aws_secret_access_key={response['roleCredentials']['secretAccessKey']}
aws_session_token={response['roleCredentials']['sessionToken']}
"""
    )

# writing credentials to file (overwrites the whole file, so any
# profiles that were not generated above are dropped)
with open(AWS_CREDENTIAL_PATH, "w") as f:
    f.write("".join(credentials_string))

Nintorac commented 2 years ago
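An added example (not Cistron's script and not part of the plugin) showing a less fragile way to pick the cached token and to write the credentials file: it selects the cache entry by its startUrl and expiresAt fields instead of taking the newest file, skips expired tokens, and creates the credentials file owner-only (0600). It assumes cache files carry the startUrl, accessToken and expiresAt keys (they do in current CLI releases; the "UTC"-suffixed timestamp form is an assumption from older files), and the sample entries below are constructed with placeholder tokens.

```python
import json
import os
from datetime import datetime, timezone
from pathlib import Path

# Constructed ~/.aws/sso/cache-style entries (placeholder tokens, only the keys read here).
SAMPLE_CACHE = [
    {"startUrl": "https://example.awsapps.com/start", "region": "eu-west-1",
     "accessToken": "TOKEN-OLD", "expiresAt": "2024-05-01T09:00:00UTC"},
    {"startUrl": "https://example.awsapps.com/start", "region": "eu-west-1",
     "accessToken": "TOKEN-NEW", "expiresAt": "2024-05-01T17:00:00Z"},
    {"startUrl": "https://other.awsapps.com/start", "region": "us-east-1",
     "accessToken": "TOKEN-OTHER", "expiresAt": "2024-05-02T00:00:00Z"},
]
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def parse_expires_at(value):
    # ISO-8601 UTC; older CLI releases wrote a "UTC" suffix instead of "Z"
    # (assumption from observed cache files), so both forms are accepted.
    return datetime.fromisoformat(value.replace("UTC", "Z").replace("Z", "+00:00"))

def load_cache_entries(cache_dir):
    # one parsed dict per *.json file in the SSO cache directory
    return [json.loads(p.read_text()) for p in Path(cache_dir).glob("*.json")]

def select_sso_token(entries, start_url, now):
    """Return the unexpired entry for start_url with the latest expiry, or None."""
    best = None
    for entry in entries:
        if entry.get("startUrl") != start_url or "accessToken" not in entry:
            continue
        expires = parse_expires_at(entry["expiresAt"])
        if expires <= now:
            continue  # stale token: a fresh `aws sso login` is needed
        if best is None or expires > best[0]:
            best = (expires, entry)
    return None if best is None else best[1]

def render_profile(name, rc):
    """Format one [profile] block for ~/.aws/credentials from a roleCredentials dict."""
    return (f"[{name}]\naws_access_key_id={rc['accessKeyId']}\n"
            f"aws_secret_access_key={rc['secretAccessKey']}\n"
            f"aws_session_token={rc['sessionToken']}\n")

def write_credentials(path, text):
    """Create the file owner-read/write only (0600): it holds live secrets."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # tighten a pre-existing file too
    return os.stat(path).st_mode & 0o777
```

In a real run, replace SAMPLE_CACHE with load_cache_entries(Path.home() / ".aws/sso/cache") and SAMPLE_NOW with datetime.now(timezone.utc), then pass the selected entry's accessToken to get_role_credentials as in the script above.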

Unless I am missing something obvious, this issue also results in failure to get credentials from instance metadata.

I think it would probably still work if the instance role was able to assume another role configured in a profile, e.g. a profile like

[admin-role]
source_profile = default
role_arn = arn:...

For my case where there is no role switching happening you can get the details like this.

export ROLE=role_name
# IMDSv1 request: an instance that enforces IMDSv2 needs a session token first
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE | jq -r '"aws_access_key_id = " + (.AccessKeyId) + "\naws_secret_access_key = " + (.SecretAccessKey) + "\naws_session_token = " + (.Token)'

janekdb commented 1 year ago

Hi,

I am facing a similar issue. I have VS Code running on an EC2 instance. The EC2 instance has an IAM role attached which allows using Athena, so any application running on the EC2 should be able to use Athena without requiring IAM keys. However, I can't figure out how to avoid reconfiguring the plugin each time I need to use Athena.

+1 for SSO