Provide support for AWS credentials obtained through SSO #17
I hit this issue today while evaluating goldstack (which looks to be great btw). An alternate approach might be to add support for This would not require an upgrade of the AWS SDK since it exists in JS v2 as AWS.ProcessCredentials. Note that It seems to be a valid workaround with plenty of CLI tools that fill the gap: aws-sso-creds-helper, aws-sso-util, aws-vault, aws2-wrap. Would this be a good path forward?
Thank you, that looks very promising. So with this, configuration would only need to contain the following:

```json
{
  "users": [
    {
      "name": "dev-user",
      "type": "credentialProcess",
      "config": {
        "profile": "default"
      }
    }
  ]
}
```

(will need to implement that of course) Then for this type of user it would instantiate AWS.ProcessCredentials in infraAws.ts#L282 and that should then provide a good way to get SSO credentials, correct? And just using the
Yes. It would probably be worth adding an option for My

```ini
[profile goldstackApp.GoldstackAccess]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = eu-west-1
sso_account_name = goldstackApp
sso_account_id = 123456789012
sso_role_name = GoldstackAccess
credential_process = aws-sso-util credential-process --profile goldstackApp.GoldstackAccess
```

So

```json
{
  "users": [
    {
      "name": "dev-user",
      "type": "credentialProcess",
      "config": {
        "profile": "profile goldstackApp.GoldstackAccess",
        "fileName": "~/.aws/config"
      }
    }
  ]
}
```
If you're taking an explicit approach, this makes good sense.
Just using the current implementation of Reading the docs, AWS.SharedIniFileCredentials expects to find If you did want to keep this under the

NB. I didn't see a contributor guide here and I'm not sure how to work on a submodule in the yarn workspace / pnp setup. If you can help with that, I'd be happy to either contribute a PR and/or test it with my setup here.
Thanks for the thoughts and pointers. I have put together a draft PR: #95 A couple of questions:

```json
{
  "name": "process",
  "type": "profile",
  "config": {
    "profile": "with-process",
    "awsDefaultRegion": "us-west-2",
    "processCredentials": true,
    "awsConfigFileName": "~/.aws/mycredentials"
  }
}
```

I have also started putting together a Contribute section (#94) - but this is still WIP. Anything that stands out to you that would be worthwhile to add?
Yeah, it's definitely confusing. In fact I thought it was the other way around (i.e. AWS.ProcessCredentials talks about the credential path in their docs but it would always be the path to config.). Every other doc I've seen puts the I ran some tests today and if you set
Yes, this makes good sense. It definitely feels like it should sit under Elsewhere I've noticed credential_source can be used to influence the logic in some places so naming might be better as
Not sure either, I suspect it would be OK. The expected response from
Yes, unfortunately I'm just a lab assistant :). @benkehoe is the chief scientist in my book theres-a-better-way
btw, the SSO credentials expire after 60 minutes and some of the terraform scripts can take a while to run (especially if waiting on DNS propagation). The full batch can easily take over an hour on a fresh install.
I'll see if I can find a mechanism to allow terraform to refresh credentials from within a docker container.
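As an added example (not goldstack's code and not the AWS SDK's), here is a small JavaScript resolver for the `credential_process` setting discussed in the earlier comments, together with a check on the JSON a credential process prints, which also covers the 60-minute expiry raised just above. It assumes nothing beyond Node.js; the config and credentials file contents, the helper command `/usr/local/bin/my-cred-helper` and the timestamps are constructed samples. The resolver accepts both the `[profile name]` section form used in `~/.aws/config` and the bare `[name]` form used in `~/.aws/credentials`, which is the naming difference behind the config-vs-credentials path confusion noted in the thread, and it deliberately returns the command rather than running it.

```javascript
// Added example, not goldstack's or the AWS SDK's code. Resolves a profile to its
// credential_process command and validates the JSON such a process prints.

// Constructed sample of ~/.aws/config. Sections are named "[profile X]" here
// (except [default]); the credentials file uses plain "[X]".
const SAMPLE_CONFIG = `
[default]
region = us-east-1

[profile goldstackApp.GoldstackAccess]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 123456789012
sso_role_name = GoldstackAccess
credential_process = aws-sso-util credential-process --profile goldstackApp.GoldstackAccess
`;

// Constructed sample of ~/.aws/credentials; the helper path is hypothetical.
const SAMPLE_CREDENTIALS = `
[with-process]
credential_process = /usr/local/bin/my-cred-helper --role dev
`;

// Parse INI text into { sectionName: { key: value } }; comments and blanks skipped.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1].trim();
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1 || current === null) continue;
    sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Find the section for `profile`. In the config file try "profile X" first and
// fall back to the literal name, so both "X" and "profile X" resolve there.
function resolveProfile(iniText, profile, { isConfigFile }) {
  const sections = parseIni(iniText);
  const candidates = isConfigFile && profile !== 'default'
    ? [`profile ${profile}`, profile]
    : [profile];
  for (const name of candidates) {
    if (sections[name]) return sections[name];
  }
  throw new Error(`profile "${profile}" not found`);
}

// Return the credential_process command string. It is returned, not executed:
// the file decides what would run, so the caller should only hand the string
// to a process runner after checking the file is owned by the user and not
// writable by others.
function credentialProcessFor(iniText, profile, opts) {
  const section = resolveProfile(iniText, profile, opts);
  const cmd = section.credential_process;
  if (!cmd) throw new Error(`profile "${profile}" has no credential_process`);
  return cmd;
}

// Validate the Version 1 JSON contract a credential process prints and report
// whether the credentials stay valid for at least `minValiditySeconds` from `nowMs`.
function parseProcessOutput(json, nowMs, minValiditySeconds = 300) {
  const out = JSON.parse(json);
  if (out.Version !== 1) throw new Error('unsupported credential_process Version');
  for (const k of ['AccessKeyId', 'SecretAccessKey']) {
    if (typeof out[k] !== 'string' || out[k] === '') throw new Error(`missing ${k}`);
  }
  // Expiration is optional; without it the credentials are treated as long-lived.
  const expiresMs = out.Expiration ? Date.parse(out.Expiration) : null;
  if (out.Expiration && Number.isNaN(expiresMs)) throw new Error('bad Expiration');
  const needsRefresh = expiresMs !== null && expiresMs - nowMs < minValiditySeconds * 1000;
  return {
    accessKeyId: out.AccessKeyId,
    sessionToken: out.SessionToken || null,
    expiresMs,
    needsRefresh,
  };
}
```

The point of keeping execution out of the parser is that `credential_process` turns a config file into a list of commands the tool will run, so the ownership and permission check on that file should sit in one place in the caller. The five-minute margin in `parseProcessOutput` is an assumed value chosen so that a long-running operation is not started on credentials that are about to expire.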
Thanks for testing things out and for your ideas! I think Somehow setting
https://github.com/goldstack/goldstack/runs/5256339838?check_suite_focus=true Seems like it was looking up the default file location rather than the one provided in the constructor. Will try to investigate further tomorrow. Agreed it seems to make more sense to put the
Ah yes, I did read the code path in IniLoader (the underlying file loader) and it seems to ignore the file name property if I suspect that if you set

Chris
Got it working with both using I have merged and released what is there so far, which should now support using process credentials with new templates (or by upgrading a package to the latest version of the template dependency). Also updated the configuration with a section on Process Credentials. I raised a separate issue for tracking the issue you identified regarding long running infra operations: #99 I think this should (if it works!) provide at least some way to use an SSO-based login for local development? Thanks for all your work so far!!!
Thanks for the quick response @mxro, this is working for me now (with a workaround**) 🚀 I found some typos and other minor inconsistencies so I'll put a review on the PR for you. I still can't make changes locally using ** I had to either provide
That's great to hear. Yeah, a lot of bits and pieces of logic esp around the env variables, so definitely need to tweak this a bit to make it work reliably. Thanks for your help. Started a new PR based on the comments #102 - but still WIP for now.
Will want to get this working but not sure if the new PR above would resolve this. Also added you as a collaborator. This should enable you to create and contribute to branches and the CI should run on them I hope.
Does this work now and can be closed?
While #3 will provide a way to consume credentials from `~/.aws/credentials`, this will probably not work for users logging in through SSO: aws/aws-cli#4982

There is a node library that allows consuming these credentials:
https://github.com/ryansonshine/aws-sso-creds-helper/blob/main/src/sso-creds.ts#L48

However, it seems newer versions of the JavaScript SDK also support using these credentials directly. However, I think that would require a major upgrade of the AWS SDK used by Goldstack:
See fromSSO on https://www.npmjs.com/package/@aws-sdk/credential-providers