Ability to use sso named profiles through aws-sdk-java version 2 #169

Open
joshhamann opened this issue Jan 3, 2023 · 8 comments

@joshhamann

I currently have a workaround set up to set env variables based on SSO's current (and expire-able) credentials. It would be nice to be able to utilize this repo with SSO named profiles. I believe it is tracked back to this issue (aws/aws-sdk-java-v2#1970), which shows it looks like we need aws-sdk-java version >= 2.15.33 to be able to utilize it.

I believe this is the pom.xml that is utilized (for glue-3.0) for instance:

I also think this is the pom that is referenced within that dependency:

Which shows:
<aws.sdk.version>1.12.128</aws.sdk.version>

Is it possible to upgrade the aws-sdk-java version to something >= 2.15.33? Or even better, is there a way to adjust that value within the pom.xml which is on the s3 backed maven repository, so I can handle additional dependency issues as they come up (apache iceberg, for instance).

@david-wb

I am facing the same problem. Did you resolve it?

@joshhamann
Author

joshhamann commented Jan 18, 2023

No - I don't believe it can be resolved outside of this repo given the s3 backed pom.xml that needs editing. My solution was a workaround that sets AWS variables for the scope of the command I am firing based on SSO. So something like:

{script that sets AWS variables based on your named profile for the scope of this command} {your script} in the terminal worked for me. Hopefully that helps!
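
The scoped-environment workaround described in the comment above, sketched as an added example (not joshhamann's script and not code from this repository): a POSIX shell helper, hypothetically named `with_sso_profile`, that asks the AWS CLI for the SSO profile's temporary credentials and exposes them only to the one command it runs. It assumes an AWS CLI v2 recent enough to provide `aws configure export-credentials` and an active `aws sso login` session.

```shell
#!/bin/sh
# Added example; with_sso_profile is a hypothetical helper name.
# Usage: with_sso_profile <sso-profile> <command> [args...]
# The function body is a subshell "( ... )", so the credentials never
# reach the calling shell's environment or variables.
with_sso_profile() (
    [ "$#" -ge 2 ] || {
        echo "usage: with_sso_profile <sso-profile> <command> [args...]" >&2
        exit 2
    }
    profile=$1
    shift
    # KEY=value lines; this fails when the SSO session is missing or expired.
    creds=$(aws configure export-credentials \
                --profile "$profile" --format env-no-export) || {
        echo "no credentials for '$profile' (run: aws sso login --profile $profile)" >&2
        exit 1
    }
    # Drop stale credentials inherited from the caller before setting new ones.
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%=*}
        value=${line#*=}    # keeps any '=' padding inside the token intact
        # Export only the variables we expect; refuse anything else.
        case $name in
            AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AWS_CREDENTIAL_EXPIRATION)
                export "$name=$value" ;;
            *)
                # Do not echo the line itself: it may contain secret material.
                echo "unexpected line in credential output" >&2
                exit 1 ;;
        esac
    done <<EOF
$creds
EOF
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || {
        echo "credential output incomplete" >&2
        exit 1
    }
    # Run the wrapped command; its exit status becomes the helper's status.
    "$@"
)
```

Because nothing is exported into the interactive shell, the temporary keys do not linger in the parent environment after the command exits.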

@selfisch

selfisch commented Feb 2, 2023

Any update on this? We are facing the same issue.

@barryoneill

barryoneill commented Mar 9, 2023

A less awful way to do this is to set this in ~/.aws/config:

[profile foo]
credential_process=aws configure export-credentials --profile=your-sso-profile

Then you should be able to use profile foo without the need for wrapping calls in scripts. It's not ideal but 🤷🏻‍♂️

@rokity

rokity commented Dec 7, 2023

The solution of @barryoneill may work. But I suggest creating a PR to use an AWS_PROFILE_SSO variable as a parameter to identify the SSO profile.

@jerdoe

jerdoe commented Sep 17, 2024

As mentioned in this reference, it's possible to build an adapter to use the AWS SDK Java v2 SSO libraries alongside the AWS SDK Java v1.

I've created a GitHub project that builds and integrates such an adapter within the AWS Glue Docker image. However, you can also use it with aws-glue-libs.

Below are the steps to help you get it working with aws-glue-libs:

git clone https://github.com/jerdoe/glue_libs_sso.git 
cd glue_libs_sso/sso-support
mvn package
export MY_GLUE_LIBS_DIR=<path/to/your/aws-glue-libs>
export MY_GLUE_REGION=<your_glue_region> #e.g: ap-south-1
cp target/sso*.jar ${MY_GLUE_LIBS_DIR}/jarsv1
python3 ../configure-glue-region.py ${MY_GLUE_REGION} -o ${MY_GLUE_LIBS_DIR}/jarsv1/glue-conf.jar
python3 ../edit-hadoop-config-sso.py -j ${MY_GLUE_LIBS_DIR}/jarsv1/core-site-xml.jar

@joshhamann
Author

> A less awful way to do this is to set this in ~/.aws/config:
>
> [profile foo]
> credential_process=aws configure export-credentials --profile=your-sso-profile
>
> Then you should be able to use profile foo without the need for wrapping calls in scripts. It's not ideal but 🤷🏻‍♂️

Thanks for this, it feels like a pretty non-invasive solution that worked for me!

@barryoneill

np - be mindful though that it can be slower than a regular profile
