smithy-lang · jdisanti · Oct 17, 2023 · Aug 11, 2023 · Aug 11, 2023 · Aug 14, 2023
@@ -20,62 +20,62 @@ jobs:
     name: Verify TLS configuration
     runs-on: ubuntu-latest
     steps:
-      - name: Install packages
-        shell: bash
-        run: |
-          sudo apt-get update
-          sudo apt-get -y install gcc make python3-pip nginx git ruby openjdk-17-jre pkg-config libssl-dev faketime
-          pip3 install certbuilder crlbuilder
-      - name: Stop nginx
-        run: sudo systemctl stop nginx
-      - name: Checkout smithy-rs
-        uses: actions/checkout@v3
-        with:
-          path: ./smithy-rs
-      - name: Checkout trytls
-        uses: actions/checkout@v3
-        with:
-          repository: ouspg/trytls
-          path: ./trytls
-      - name: Checkout badtls
-        uses: actions/checkout@v3
-        with:
-          repository: wbond/badtls.io
-          path: ./badtls.io
-      - name: Checkout badssl
-        uses: actions/checkout@v3
-        with:
-          repository: chromium/badssl.com
-          path: ./badssl.com
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@master
-        with:
-          toolchain: ${{ env.rust_version }}
-      - name: Build badssl.com
-        shell: bash
-        working-directory: badssl.com
-        env:
-          DOCKER_BUILDKIT: 1
-        run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badssl
-      - name: Build SDK
-        working-directory: smithy-rs
-        run: ./gradlew :aws:sdk:assemble -Paws.services=+sts,+sso
-      - name: Build trytls
-        shell: bash
-        working-directory: trytls
-        run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-trytls
-      - name: Build badtls.io
-        working-directory: badtls.io
-        shell: bash
-        run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badtls
-      - name: Update TLS configuration
-        shell: bash
-        run: smithy-rs/tools/ci-scripts/configure-tls/update-certs
-      - name: Build TLS stub
-        working-directory: smithy-rs/tools/ci-resources/tls-stub
-        shell: bash
-        run: cargo build
-      - name: Test TLS configuration
-        working-directory: smithy-rs/tools
-        shell: bash
-        run: trytls https target/debug/stub
+    - name: Install packages
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install gcc make python3-pip nginx git ruby openjdk-17-jre pkg-config libssl-dev faketime
+        pip3 install certbuilder crlbuilder
+    - name: Stop nginx
+      run: sudo systemctl stop nginx
+    - name: Checkout smithy-rs
+      uses: actions/checkout@v3
+      with:
+        path: ./smithy-rs
+    - name: Checkout trytls
+      uses: actions/checkout@v3
+      with:
+        repository: ouspg/trytls
+        path: ./trytls
+    - name: Checkout badtls
+      uses: actions/checkout@v3
+      with:
+        repository: wbond/badtls.io
+        path: ./badtls.io
+    - name: Checkout badssl
+      uses: actions/checkout@v3
+      with:
+        repository: chromium/badssl.com
+        path: ./badssl.com
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@master
+      with:
+        toolchain: ${{ env.rust_version }}
+    - name: Build badssl.com
+      shell: bash
+      working-directory: badssl.com
+      env:
+        DOCKER_BUILDKIT: 1
+      run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badssl
+    - name: Build SDK
+      working-directory: smithy-rs
+      run: ./gradlew :aws:sdk:assemble -Paws.services=+sts,+sso,+ssooidc
+    - name: Build trytls
+      shell: bash
+      working-directory: trytls
+      run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-trytls
+    - name: Build badtls.io
+      working-directory: badtls.io
+      shell: bash
+      run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badtls
+    - name: Update TLS configuration
+      shell: bash
+      run: smithy-rs/tools/ci-scripts/configure-tls/update-certs
+    - name: Build TLS stub
+      working-directory: smithy-rs/tools/ci-resources/tls-stub
+      shell: bash
+      run: cargo build
+    - name: Test TLS configuration
+      working-directory: smithy-rs/tools
+      shell: bash
+      run: trytls https target/debug/stub
@@ -11,6 +11,18 @@
 # meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}
 # author = "rcoh"
 
+[[aws-sdk-rust]]
+message = "(Behavior Break!) The SSO credentials provider is no longer enabled by default in `aws-config`, and so SSO profile config will no longer work out of box. The `credentials-sso` feature in `aws-config` was removed from the default features, and renamed to `sso`. If you need credentials from SSO, then enable the `sso` feature in `aws-config`."
+references = ["smithy-rs#2917"]
+meta = { "breaking" = true, "tada" = false, "bug" = false }
+author = "jdisanti"
+
+[[aws-sdk-rust]]
+message = "The `SsoCredentialsProvider` now supports token refresh and is compatible with the token cache file paths the latest AWS CLI uses."
+references = ["smithy-rs#2917", "aws-sdk-rust#703", "aws-sdk-rust#699"]
+meta = { "breaking" = false, "tada" = true, "bug" = false }
+author = "jdisanti"
+
 [[smithy-rs]]
 message = "HTTP connector configuration has changed significantly. See the [upgrade guidance](https://github.com/awslabs/smithy-rs/discussions/3022) for details."
 references = ["smithy-rs#3011"]
@@ -323,3 +335,9 @@ For more information, see the [guide](https://github.com/awslabs/smithy-rs/discu
 references = ["smithy-rs#2417", "smithy-rs#3018"]
 meta = { "breaking" = true, "tada" = true, "bug" = false }
 author = "Velfi"
+
+[[smithy-rs]]
+message = "`RuntimeComponents` have been added as an argument to the `IdentityResolver::resolve_identity` trait function."
+references = ["smithy-rs#2917"]
+meta = { "breaking" = true, "tada" = false, "bug" = false, "target" = "client"}
+author = "jdisanti"
@@ -13,9 +13,9 @@ client-hyper = ["aws-smithy-runtime/connector-hyper-0-14-x"]
 rustls = ["aws-smithy-runtime/tls-rustls", "client-hyper"]
 allow-compilation = [] # our tests use `cargo test --all-features` and native-tls breaks CI
 rt-tokio = ["aws-smithy-async/rt-tokio", "aws-smithy-runtime/rt-tokio", "tokio/rt"]
-credentials-sso = ["dep:aws-sdk-sso", "dep:ring", "dep:hex", "dep:zeroize"]
+sso = ["dep:aws-sdk-sso", "dep:aws-sdk-ssooidc", "dep:ring", "dep:hex", "dep:zeroize", "aws-smithy-runtime-api/http-auth"]
 
-default = ["client-hyper", "rustls", "rt-tokio", "credentials-sso"]
+default = ["client-hyper", "rustls", "rt-tokio"]
 
 [dependencies]
 aws-credential-types = { path = "../../sdk/build/aws-sdk/sdk/aws-credential-types" }
@@ -46,8 +46,13 @@ ring = { version = "0.16", optional = true }
 hex = { version = "0.4.3", optional = true }
 zeroize = { version = "1", optional = true }
 
+# implementation detail of SSO OIDC `CreateToken` for SSO token providers
+aws-sdk-ssooidc = { path = "../../sdk/build/aws-sdk/sdk/ssooidc", default-features = false, optional = true }
+
 [dev-dependencies]
+aws-credential-types = { path = "../../sdk/build/aws-sdk/sdk/aws-credential-types", features = ["test-util"] }
 aws-smithy-runtime = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime", features = ["client", "connector-hyper-0-14-x", "test-util"] }
+aws-smithy-runtime-api = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime-api", features = ["test-util"] }
 futures-util = { version = "0.3.16", default-features = false }
 tracing-test = "0.2.1"
 tracing-subscriber = { version = "0.3.16", features = ["fmt", "json"] }
@@ -61,8 +66,6 @@ arbitrary = "1.3"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 
-aws-credential-types = { path = "../../sdk/build/aws-sdk/sdk/aws-credential-types", features = ["test-util"] }
-
 # used for a usage example
 hyper-rustls = { version = "0.24", features = ["webpki-tokio", "http2", "http1"] }
 aws-smithy-async = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-async", features = ["rt-tokio", "test-util"] }

@@ -20,6 +20,7 @@ allowed_external_types = [
    "aws_smithy_runtime_api::client::dns::SharedDnsResolver",
    "aws_smithy_runtime_api::client::http::HttpClient",
    "aws_smithy_runtime_api::client::http::SharedHttpClient",
+   "aws_smithy_runtime_api::client::identity::IdentityResolver",
    "aws_smithy_types::retry",
    "aws_smithy_types::retry::*",
    "aws_smithy_types::timeout",

@@ -295,15 +295,15 @@ mod test {
     make_test!(ecs_credentials);
     make_test!(ecs_credentials_invalid_profile);
 
-    #[cfg(not(feature = "credentials-sso"))]
-    make_test!(sso_assume_role #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: credentials-sso")]);
-    #[cfg(not(feature = "credentials-sso"))]
-    make_test!(sso_no_token_file #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: credentials-sso")]);
+    #[cfg(not(feature = "sso"))]
+    make_test!(sso_assume_role #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: sso")]);
+    #[cfg(not(feature = "sso"))]
+    make_test!(sso_no_token_file #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: sso")]);
 
-    #[cfg(feature = "credentials-sso")]
+    #[cfg(feature = "sso")]
     make_test!(sso_assume_role);
 
-    #[cfg(feature = "credentials-sso")]
+    #[cfg(feature = "sso")]
     make_test!(sso_no_token_file);
 
     #[cfg(feature = "credentials-sso")]

@@ -194,7 +194,11 @@ fn parse_token_response(response: &HttpResponse, now: SystemTime) -> Result<Toke
 }
 
 impl IdentityResolver for TokenResolver {
-    fn resolve_identity(&self, _config_bag: &ConfigBag) -> Future<Identity> {
+    fn resolve_identity(
+        &self,
+        _components: &RuntimeComponents,
+        _config_bag: &ConfigBag,
+    ) -> Future<Identity> {
         let this = self.clone();
         Future::new(Box::pin(async move {
             let preloaded_token = this

@@ -121,7 +121,7 @@ pub mod meta;
 pub mod profile;
 pub mod provider_config;
 pub mod retry;
-#[cfg(feature = "credentials-sso")]
+#[cfg(feature = "sso")]
 pub mod sso;
 pub(crate) mod standard_property;
 pub mod sts;

@@ -7,8 +7,6 @@ use super::repr::{self, BaseProvider};
 use crate::credential_process::CredentialProcessProvider;
 use crate::profile::credentials::ProfileFileError;
 use crate::provider_config::ProviderConfig;
-#[cfg(feature = "credentials-sso")]
-use crate::sso::{SsoCredentialsProvider, SsoProviderConfig};
 use crate::sts;
 use crate::web_identity_token::{StaticConfiguration, WebIdentityTokenCredentialsProvider};
 use aws_credential_types::provider::{
@@ -119,21 +117,25 @@ impl ProviderChain {
                 sso_role_name,
                 sso_start_url,
             } => {
-                #[cfg(feature = "credentials-sso")]
+                #[cfg(feature = "sso")]
                 {
+                    use crate::sso::{credentials::SsoProviderConfig, SsoCredentialsProvider};
                     use aws_types::region::Region;
+
                     let sso_config = SsoProviderConfig {
                         account_id: sso_account_id.to_string(),
                         role_name: sso_role_name.to_string(),
                         start_url: sso_start_url.to_string(),
                         region: Region::new(sso_region.to_string()),
+                        // TODO(https://github.com/awslabs/aws-sdk-rust/issues/703): Implement sso_session_name profile property
+                        session_name: None,
                     };
                     Arc::new(SsoCredentialsProvider::new(provider_config, sso_config))
                 }
-                #[cfg(not(feature = "credentials-sso"))]
+                #[cfg(not(feature = "sso"))]
                 {
                     Err(ProfileFileError::FeatureNotEnabled {
-                        feature: "credentials-sso".into(),
+                        feature: "sso".into(),
                     })?
                 }
             }