Fork me on GitHub
#aws
<
2020-10-30
>
onetom05:10:06

has anyone tried the AWS SSO system? im trying to use it with https://github.com/cognitect-labs/aws-api but i don't see a credentials provider which would support SSO. it does give access to the SSO AWS API though, so i can try to put a signin flow together with that...

onetom05:10:28

i tried our AWS SSO setup and it works with the new AWS CLI 2: https://aws.amazon.com/blogs/developer/aws-cli-v2-is-now-generally-available/ but what it puts into ~/.aws/config is not understood by cognitect.aws.client.api 😞 it looks something like this:

[<some profile name>]
sso_start_url = https://<org-name>.
sso_region = ap-southeast-1
sso_account_id = 179999999999
sso_role_name = AdministratorAccess
# sso_role_name = PowerUserAccess
region = ap-southeast-1

rutledgepaulv13:10:46

I think the credential support in aws-api is sort of minimal in an attempt to keep the core lightweight and not require other aws-api services to implement auth. I needed to extend the profile provider to support assume role sts tokens, for example. https://github.com/RutledgePaulV/aws-api-credential-providers/blob/master/src/aws_api_credential_providers/core.clj

👍 1
onetom05:10:46

is there a better channel where i can ask such questions?

lukasz16:10:27

@onetom (I'll be going deep into this in a week or two but I did some research already). Atm most AWS SDK's do not support obtaining credentials via SSO - that includes Java and Go SDK (the latter is rather infuriating because I work a lot with terraform). The workaround is to use a small Python script, which does some munging of credentials obtained via cli v2 and can inject them to your shell environment. https://github.com/linaro-its/aws2-wrap can work for you or you might need to tweak it a bit (like we did)

👍 1