Add support for bearer authentication and SSO token providers

[rcoh]

Describe the feature

Add support for bearer-token authentication & sso-session

Use Case

these changes are required to support AWS Code Catalyst and the smithy.api#httpBearerAuth trait

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

A note for the community

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue, please leave a comment

[goenning]

Is there a workaround for this? SSO sessions are becoming increasingly more popular. If not, any hints on what changes are necessary to have this implemented?

[Velfi]

We're working on this and we expect it to be complete at or before GA. I can't give a date for GA at this time.

[utkarshgupta137]

Our team has configured AWS CLI using aws configure sso & it was working fine until the 0.55 release. Is it possible some change regressed this (perhaps unintentional) support?

[rcoh]

My guess is it's related to profile-file reparsing—we "fixed" a "bug" where we were reloading the profile file multiple times which caused this to work by coincidence. However, no other SDKs have this behavior so for consistency, we altered the SDK to parse the config file a single time.

I would expect that this works once, but maybe fails later? Or it works if you run aws configure sso first but not if the app is already running?

Some debug logs would also be helpful here.

[utkarshgupta137]

We're using it in a CLI tool right now. So I'm doing aws sso login followed by cargo run -p <crate> -- <args>. Just reverting the versions worked for us. Not using it in any app.
Can you share the env/config for logging?

[rcoh]

https://docs.aws.amazon.com/sdk-for-rust/latest/dg/logging.html just be careful to redact any sensitive data prior to sending

[rcoh]

cc @ysaito1001, I wonder if this is related to credentials caching changes. If you're preloading this doesn't seem to be related to the profile parse issue.

[utkarshgupta137]

Before:

20230522-14:58:21.591 [I] provide_credentials{provider=default_chain} load_credentials{provider=Profile} constructed abstract provider from config file chain=ProfileChain { base: Sso { sso_account_id: "XXXX", sso_region: "eu-west-1", sso_role_name: "XXXX", sso_start_url: "https://XXXX.awsapps.com/start" }, chain: [] }
20230522-14:58:21.591 [I] provide_credentials{provider=default_chain} load_credentials{provider=Profile} first credentials will be loaded from Sso { sso_account_id: "XXXX", sso_region: "eu-west-1", sso_role_name: "XXXX", sso_start_url: "https://XXXX.awsapps.com/start" } base=Sso { sso_account_id: "XXXX", sso_region: "eu-west-1", sso_role_name: "XXXX", sso_start_url: "https://XXXX.awsapps.com/start" }
20230522-14:58:22.612 [I] provide_credentials{provider=default_chain} load_credentials{provider=Profile} loaded base credentials creds=Credentials { provider_name: "SSO", access_key_id: "XXXX", secret_access_key: "** redacted **", expires_after: "2023-05-23T02:58:21Z" }

After:

20230522-14:59:13.017 [I] provide_credentials{provider=default_chain} load_credentials{provider=Profile} constructed abstract provider from config file chain=ProfileChain { base: Sso { sso_account_id: "XXXX", sso_region: "eu-west-1", sso_role_name: "XXXX", sso_start_url: "https://XXXX.awsapps.com/start" }, chain: [] }
20230522-14:59:13.017 [W] provide_credentials{provider=default_chain} provider failed to provide credentials provider=Profile error=the credentials provider was not properly configured: ProfileFile provider could not be built: profile referenced `sso` provider but that provider is not supported (InvalidConfiguration(InvalidConfiguration { source: "ProfileFile provider could not be built: profile referenced `sso` provider but that provider is not supported" }))

Sidenote: there should be an easy way to automatically redact sensitive data.

[rcoh]

do you use credential_source in your profile? If possible an anonymized version of your profile file would be very helpful

[rcoh]

ah! I found it—are you using no-default-features? You need to add credentials_sso

[utkarshgupta137]

do you use credential_source in your profile? If possible an anonymized version of your profile file would be very helpful

Nope.

ah! I found it—are you using no-default-features? You need to add credentials_sso

Yep, that fixed it. Would've been nice to have a better error message or a mention in the changelogs.

[rcoh]

yep I'm fixing the error as we speak, new error:

the credentials provider was not properly configured: ProfileFile provider could not be built: This behavior requires following cargo feature(s) enabled: credentials-sso 

[gyuho]

@rcoh We also ran into this error:

"ProfileFile provider could not be built: profile ... was not defined: sso_region was missing"

[profile ...]
sso_session = ...
sso_account_id = ...
sso_role_name = ...
region = us-west-2

[sso-session ava]
sso_start_url = https://....awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[mohsen-alizadeh]

any update?

[jdisanti]

Sorry for the long delay in providing an update here. I'm working on adding this support now. It'll take a while, so I appreciate everyone's patience.

[akbog]

What's the timeline on this? This sso nonsense has been broken in aws sdks across the board for wayy too long

[rcoh]

work is ongoing: smithy-lang/smithy-rs#2917

[vmaerten]

First of all, thanks for your hard work, this feature is highly appreciated!

Since the PR has been merged, do you have an ETA for the next release?

Thanks

[jdisanti]

Just to clarify, for that PR, it's making the existing credentials provider work with the latest CLI. It's not adding SSO token support to the AWS config/profile files (e.g., ~/.aws/credentials). That will still require more work.

We should be releasing in the next 2-3 weeks.

[vaneek]

This also appears to be broken with Cloud9 using AWS managed temporary credentials.

$ cargo lambda deploy
Error: × failed to create function role
├─▶ service error
├─▶ unhandled error
├─▶ unhandled error
╰─▶ Error { code: "InvalidClientTokenId", message: "The security token included in the request is invalid", request_id: "01406350-d28b-4873-a31c-4d64d0936b4a" }

[jdisanti]

This was resolved in error. Re-opening.

The config/profile file support and token provider chains still need to be implemented.

[nresare]

For people just looking for a workaround to be able to use aws-sdk-rust when using the currently recommended way to grant privileges to developers, AIM Identity Center, you need the following:

1. Enable the sso feature in the aws-config create configuration in your Cargo.toml
2. Manually edit your $HOME/.aws/config to merge the contents of the profile you want to use with the referenced sso-session. This undoes the changes that are described in this PR
3. Obtain new tokens using aws sso login and your web browser

This is a snippet that I use from my Cargo.toml:

[dependencies]
aws-config = {  version="0.57.1" , features = ["sso"]}
aws-sdk-sts = "0.35.0"

And these are the changes I made to my (anonymised) $HOME/.aws/config

--- config.old	2023-11-14 21:39:14
+++ config	2023-11-14 21:39:32
@@ -1,10 +1,8 @@
 [default]
-sso_session = s0
 sso_account_id = 87654321098
 sso_role_name = AdministratorAccess
 region = eu-north-1
 output = json
-[sso-session s0]
 sso_start_url = https://d-deadbeef.awsapps.com/start#
 sso_region = eu-north-1
 sso_registration_scopes = sso:account:access

Hopefully, teaching aws-sdk-rust the new style $HOME/.aws/config sso config with the sso_session is not too far off, and steps 2 and 3 will no longer be needed.

[athielen2]

Any timeline for this being implemented and released?

[rustrust]

Just ran into this, it would be great if this was resolved soon. In the meantime, here is an example of my working ~/.aws/config file.

[default]
sso_account_id = 012345678901
sso_role_name = FooBarAccess
region = us-foobartown-1
output = json
sso_start_url = https://foobarapp.awsapps.com/start#/
sso_region = us-foobartown-1
sso_registration_scopes = sso:account:access

To deploy the lambda:

cargo lambda deploy --iam-role FULL_ROLE_ARN --region us-east-1 --region us-candyland-1 --profile default

But the profile and region are optional in that command given the above config.

[jdisanti]

Any timeline for this being implemented and released?

Can't give a timeline, but I'm picking up work on this again. Hopefully soon.

[jdisanti]

The January 25th release of the SDK includes support for [sso-session] in the AWS config file for SSO assume role credentials.

I'll continue working on SSO bearer token auth to support CodeCatalyst.

[RDarrylR]

Thanks a lot for this! I will check it out soon.

[bryantbiggs]

@jdisanti does that mean #699 is complete?

[jdisanti]

Yeah, updated.

[jdisanti]

The bearer token support went out in yesterday's release.

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.