fix(credential-provider-ini): support sso-session based profile as source_profile #4820
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
+1 |
|
This is an issue preventing some tooling we're trying to build for our internal processes from moving forward. It would be great to get this merged. |
3 tasks
…urce_profile Previously, when credential-provider-ini resolved credentials for a source profile, it loaded the profile properties, checked if the profile was an SSO profile, validated that all required sso_* properties were present and then resolved credentials with credential-provider-sso module. When source profile was an SSO profile that did not use an SSO session, this logic worked fine as the profile must include all the sso_* properties for SSO to succeed. However, when source profile was an SSO profile that used an SSO session, credential-provider-ini only resolved profile properties directly from the profile but not from the related SSO session. This caused sso-session based profiles to fail validation as some of the required sso_* properties are only defined in the referenced sso-session section. And hence the provider failed to resolve credentials for SSO session based source_profiles. This commit changes credential-provider-ini module to not resolve or validate SSO profile properties but delegate that all to the credential-provider-sso module that already contains all the logic needed to load and resolve profile properties and AWS credentials for both sso-session and non-sso-session based profiles. Instead of passing profile properties to credential-provider-sso fromSSO() method, new version only passes the profile name there and lets the credential-provider-sso module load and resolve the SSO profile with the logic that already exist in that module. Unit tests have been adjusted to function with the updated behavior. Following scenarios were also tested manually: * Resolve credentials for SSO profile without sso_session option * Resolve credentials for SSO profile with sso_session option * Resolve credentials for an assumed role profile whose source profile is an SSO profile without sso_session option * Resolve credentials for an assumed role profile whose source profile is an SSO profile with sso_session option AWS SDK resolved credentials correctly in all four cases. Fixes aws#4757.
sjakthol
force-pushed
the
source-profile-sso-session
branch
from
f674cc1 to
b3fd438
Compare
|
I've rebased this on top of changes from #5681 that were merged in earlier today. I've stashed the original changes to sjakthol@a53d2ba in case they are still needed for some reason. |
kuhe
approved these changes
Jan 29, 2024
siddsriv
approved these changes
Jan 30, 2024
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue
Fixes #4757.
Description
Previously, when credential-provider-ini resolved credentials for a source profile, it loaded the profile properties, checked if the profile was an SSO profile, validated that all required sso_* properties were present and then resolved credentials with credential-provider-sso module.
When source profile was an SSO profile that did not use an SSO session, this logic worked fine as the profile must include all the sso_* properties for SSO to succeed. However, when source profile was an SSO profile that used an SSO session, credential-provider-ini only resolved profile properties directly from the profile but not from the related SSO session.
This caused sso-session based profiles to fail validation as some of the required sso_* properties are only defined in the referenced sso-session section. And hence the provider failed to resolve credentials for SSO session based source_profiles.
This commit changes credential-provider-ini module to not resolve or validate SSO profile properties but delegate that all to the credential-provider-sso module that already contains all the logic needed to load and resolve profile properties and AWS credentials for both sso-session and non-sso-session based profiles.
Instead of passing profile properties to credential-provider-sso fromSSO() method, new version only passes the profile name there and lets the credential-provider-sso module load and resolve the SSO profile with the logic that already exist in that module.
Testing
Unit tests have been adjusted to function with the updated behavior.
Following scenarios were also tested manually:
AWS SDK resolved credentials correctly in all four cases.
Additional context
N/A
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.