-
Notifications
You must be signed in to change notification settings - Fork 80
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Add SSO credentials provider (#1084)
* Add SSO credentials provider wrapper & unit test cases. --------- Co-authored-by: Sichan Yoo <chanyoo@amazon.com>
- Loading branch information
Showing
3 changed files
with
100 additions
and
0 deletions.
There are no files selected for viewing
36 changes: 36 additions & 0 deletions
36
Sources/Core/AWSClientRuntime/Auth/CredentialsProviders/SSOCredentialsProvider.swift
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| // | ||
| // Copyright Amazon.com Inc. or its affiliates. | ||
| // All Rights Reserved. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| // | ||
|
|
||
| import AwsCommonRuntimeKit | ||
| import ClientRuntime | ||
|
|
||
| /// A credentials provider that sources credentials using GetRoleCredentialsRequest to the AWS Single Sign-On Service to maintain short-lived sessions. | ||
| /// [Details link](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sso-credentials.html) | ||
| public struct SSOCredentialsProvider: CredentialsSourcedByCRT { | ||
| let crtCredentialsProvider: CRTCredentialsProvider | ||
|
|
||
| /// - Parameters: | ||
| /// - profileName: The profile name to use. If not provided it will be resolved internally via the `AWS_PROFILE` environment variable or defaulted to `default` if not configured. | ||
| /// - configFilePath: The path to the configuration file to use. If not provided it will be resolved internally via the `AWS_CONFIG_FILE` environment variable or defaulted to `~/.aws/config` if not configured. | ||
| /// - credentialsFilePath: The path to the shared credentials file to use. If not provided it will be resolved internally via the `AWS_SHARED_CREDENTIALS_FILE` environment variable or defaulted `~/.aws/credentials` if not configured. | ||
| public init( | ||
| profileName: String? = nil, | ||
| configFilePath: String? = nil, | ||
| credentialsFilePath: String? = nil | ||
| ) throws { | ||
| let fileBasedConfig = try CRTFileBasedConfiguration( | ||
| configFilePath: configFilePath, | ||
| credentialsFilePath: credentialsFilePath | ||
| ) | ||
| self.crtCredentialsProvider = try CRTCredentialsProvider(source: .sso( | ||
| bootstrap: SDKDefaultIO.shared.clientBootstrap, | ||
| tlsContext: SDKDefaultIO.shared.tlsContext, | ||
| fileBasedConfiguration: fileBasedConfig, | ||
| profileFileNameOverride: profileName | ||
| )) | ||
| } | ||
| } |
47 changes: 47 additions & 0 deletions
47
...re/AWSClientRuntimeTests/Auth/CredentialsProvidersTests/SSOCredentialsProviderTests.swift
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| // | ||
| // Copyright Amazon.com Inc. or its affiliates. | ||
| // All Rights Reserved. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| // | ||
|
|
||
| import ClientRuntime | ||
| import Foundation | ||
| import XCTest | ||
|
|
||
| @_spi(FileBasedConfig) @testable import AWSClientRuntime | ||
|
|
||
| class SSOCredentialsProviderTests: XCTestCase { | ||
| let configPath = Bundle.module.path(forResource: "sso_tests", ofType: nil)! | ||
| let credentialsPath = Bundle.module.path(forResource: "credentials", ofType: nil)! | ||
|
|
||
| func testCreateCredentialsProviderSSONonexistentProfile() async throws { | ||
| XCTAssertThrowsError(try SSOCredentialsProvider( | ||
| profileName: "PROFILE_NOT_IN_SSO_TESTS_CONFIG_FILE", | ||
| configFilePath: configPath, | ||
| credentialsFilePath: credentialsPath | ||
| ) | ||
| ) | ||
| } | ||
|
|
||
| func testCreateCredentialsProviderSSOLegacyProfile() async throws { | ||
| _ = try SSOCredentialsProvider( | ||
| profileName: "user", | ||
| configFilePath: configPath, | ||
| credentialsFilePath: credentialsPath | ||
| ) | ||
| // SUCCESS: creation didn't throw error | ||
| } | ||
|
|
||
| func testCreateCredentialsProviderSSOTokenProviderProfile() async throws { | ||
| _ = try SSOCredentialsProvider( | ||
| profileName: "dev", | ||
| configFilePath: configPath, | ||
| credentialsFilePath: credentialsPath | ||
| ) | ||
| // SUCCESS: creation didn't throw error | ||
| } | ||
|
|
||
| // TODO: add integration tests that automatically test that SSO crednetials provider correctly exchanges SSO token for temporary AWS credentails. | ||
| // Manual integration testing confirmed SSOCredentialsProvider works as of 081723. | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| [profile dev] | ||
| sso_session = my-sso | ||
| sso_account_id = 111122223333 | ||
| sso_role_name = SampleRole | ||
|
|
||
| [sso-session my-sso] | ||
| sso_region = us-east-1 | ||
| sso_start_url = https://my-sso-portal.awsapps.com/start | ||
| sso_registration_scopes = sso:account:access | ||
|
|
||
| [profile user] | ||
| aws_access_key_id = example_access_key_id | ||
| aws_secret_access_key = example_secret_access_key | ||
| sso_start_url = https://d-test.awsapps.com/start | ||
| sso_region = us-west-2 | ||
| sso_account_id = 12345 | ||
| sso_role_name = roleName |