2024-03-20
SSO credentials question:
I'm trying to enable a workflow where a non-developer user in my org can use some client program I create that has access to some AWS services that the user is allowed access to, without having to install anything besides my program and without having to use the CLI at all. I have the user set up with the appropriate permissions using IAM Identity Center.
I found this AWS SSO credentials provider that can be used with aws-api: https://gist.github.com/lukaszkorecki/120008f7832e23702e94f4205b8e3df5#file-sso-profile-clj but I think this depends on the user having the AWS CLI installed and set up using `aws sso configure`, and then `aws login` to cache credentials.
It seems like https://github.com/aws/aws-sdk-java-v2/tree/f79332bc92c177e5f8dd4f76a5f866fdb0624bb1/docs/design/core/tokenauth#bearer-token-authorization-and-token-providers offers the same workflow, requiring preparation with the aws CLI (I haven't fully verified that this is strictly required though)
Is there a way to get this working without any CLI usage or installation of any external programs, assuming I can provide all the non-sensitive config (such as region/start-url/etc.)?
Presumably I could just copy whatever the AWS CLI is doing when you call `aws login`. But are there any tips/shortcuts or descriptions of what that's actually doing?
I remember taking a stab at reimplementing `aws login` to see if we could do that without the CLI but I gave up :-)
Since then I think IAM and SSO now have much better support on the API side, so you might be able to implement the equivalent of `aws login` yourself. I'd look for the sso-oidc APIs and also how the CLI does it itself: https://github.com/aws/aws-cli/blob/8854b38131d2d943ca3c3318dbe8679ff9c60c9d/awscli/customizations/sso/utils.py#L57-L77
Good to know, thanks! I haven't fully decided on how to distribute yet. I think I'm more fine with requiring, e.g., the Clojure CLI to be installed, and just having a script clone the project and run it. But an uberjar might be better. I'm mainly daunted by having to devote tons of README text to AWS SSO setup, which I've found somewhat tricky to get working even for myself. If I can hide those details I think it'll give me some more room to work with for other installation requirements.
I'm asking because if you package the tool as a Docker image (since you require a Clojure installation you also need Java, so Docker might be easier to set up), then you can bundle the AWS CLI and everything else into one package.
I did just find https://gist.github.com/jeroenvandijk/ace7432be94d083e63729ac313a0b78f which seems to be just what I want: a complete login process with no AWS CLI requirements.
You probably want to remove the comment section though, it has the SSO URL that takes me to your company's Okta login screen - might or might not be an issue, depending on how paranoid you are.
(Not my gist, I just found it in this comment: https://github.com/cognitect-labs/aws-api/issues/182#issuecomment-831155716)
It seemed like it should be that easy. I wonder why it's not really documented and the entire AWS ecosystem requires a CLI with a setup step. Maybe the sign-in flow is more obvious if you're already familiar with OpenID?
Agreed! I don't know how much it changed in the last ~2 years, but just based on my experience of working with SSO before that, it seemed to be a hack on top of IAM and Cognito: when it worked, it worked, but it wasn't uncommon for login attempts to just fail several times in a row, or for changes to take a while to propagate (I used Google Workspace and Okta as the IdP). I think at some point they started to make it more solid, and also changed the name. So my guess is that until the v1 proved itself, AWS didn't want to get tied too much into how things work; for example there was no API for any of this, so I couldn't use Terraform to manage SSO configuration. That changed after the new (renamed) version arrived.