Add sso token provider #4853
Add sso token provider #4853
Conversation
# Conflicts: # CHANGELOG_PENDING.md
There was a problem hiding this comment.
Overall looks good, some suggestions and few things to address.
Also this PR should be made to a feature branch not to main. Create a new branch from main and target that as the destination branch. You will then use that to create additional feature branches from until we are ready to merge the entire thing back to main
e.g.
git fetch
git checkout -b feat-sso-session origin/main
git push -u origin feat-sso-sessionfeat-sso-session is your "main" branch to work from now and target PRs to. As you merge feature branches into.
| package ssocreds | ||
|
|
||
| import ( | ||
| "context" |
There was a problem hiding this comment.
fix: Use aws.Context in place of context.Context, the former is a shim for context.Context that works on older Go versions
| return nil | ||
| } | ||
|
|
||
| func loadCachedAccessToken(filename string) (cachedToken, error) { |
There was a problem hiding this comment.
Question Given this comes from gov2 is there any reason we changed the name from loadCachedToken to loadCachedAccessToken?
There was a problem hiding this comment.
I will change it back. Previously I thought it is mainly used to retrieve access token from cached file.
| return err | ||
| } | ||
|
|
||
| parse, err := time.Parse(time.RFC3339, value) |
There was a problem hiding this comment.
fix: This duplicates the logic below, just call parseRFC3339
e.g.
*r, err = parseRFC3339(value)
return err| @@ -0,0 +1,49 @@ | |||
| package ssocreds | |||
There was a problem hiding this comment.
fix: This should either be renamed to remove the notion of bearer OR move it to a new package. I think I'd go with the latter (moving it) should we decide we want/need to implement bearer token auth support.
e.g.
aws/credentials/bearer
token.go
| // create token. | ||
| // | ||
| // The SSOTokenProvider is not safe to use concurrently. The SDK's | ||
| // config.LoadDefaultConfig will automatically wrap the SSOTokenProvider with |
There was a problem hiding this comment.
fix: This documentation needs to remove smithy-go and aws-sdk-go-v2 references (e.g. LoadDefaultConfig is not part of Go v1)
| return token, nil | ||
| } | ||
|
|
||
| func ToTime(p *time.Time) (v time.Time) { |
There was a problem hiding this comment.
fix: No reason to be public
CHANGELOG_PENDING.md
Outdated
| @@ -3,3 +3,5 @@ | |||
| ### SDK Enhancements | |||
|
|
|||
| ### SDK Bugs | |||
| * `ssocreds`: Add sso token provider logic. | |||
There was a problem hiding this comment.
There will only be one changelog entry for this entire body of work so this could be better.
e.g.
* `aws/credentials/ssocreds`: Implement SSO token provider and support for `sso-session` in AWS shared config.
* Fixes [4649](https://github.com/aws/aws-sdk-go/issues/4649)
# Conflicts: # CHANGELOG_PENDING.md
# Conflicts: # CHANGELOG_PENDING.md
|
based on @aajtodd comments here
Right now, the PR description sounds like you are solving the whole feature in this PR. is that the case? based on what Aaron said, it sounds like you should have a but it looks like you are creating one big PR and continually adding commits to it, which isnt the recommendation. so please clarify what your PR strategy is here and update the PR description appropriately. |
So the current PR branch only includes sso token provider code and its changelog entry, the last several commits just try to refresh the PR's check by changing a word in changelog content. |
aws/credentials/bearer/token.go
Outdated
| @@ -0,0 +1,49 @@ | |||
| package bearer | |||
There was a problem hiding this comment.
to echo one of @aajtodd comments earlier, its good that you removed this out of the ssocreds package. but i think this tokenprovider should be out of the credentials package completely.
it should be aws/bearer/token.go. this is because a token provider is not necessarily a "credentials" based auth, its its own thing. we just happen to be using it as a utility mechanism: use the token provider as a means of getting an access token that we then send to the SSO service to get aws credentials.
for example, StaticTokenProvider has no business being under the credentials package
| "time" | ||
| ) | ||
|
|
||
| var osUserHomeDur = shareddefaults.UserHomeDir |
There was a problem hiding this comment.
i get what youre doing here: you seem to be saving it out to a variable so you can inject over it in the test case. but id bias towards descriptive difference in naming rather than intentional misspelling. something like resolvedOsUserHomeDir or injectableOsUserHomeDir
| @@ -0,0 +1,191 @@ | |||
| //go:build go1.16 | |||
There was a problem hiding this comment.
fix: Use the minimum version you need to here, I would think that is just 1.7 like the other files. Why is this so high?
There was a problem hiding this comment.
1.7 still doesn't support testing fields like Name, I will change it to 1.9 which is the same as credential provider test
aws/bearer/token.go
Outdated
| @@ -0,0 +1,49 @@ | |||
| package bearer | |||
There was a problem hiding this comment.
Discuss: Is this where we want this to live? I can understand @isaiahvita point about it not being AWS Credentials (although if you take "credentials" more generically to mean any kind of credential then aws/credentials/bearer would be an ok package). This new package hierarchy doesn't make sense either though (aws/bearer). Perhaps a new top level auth package (auth/bearer)?
There was a problem hiding this comment.
ah ok, i see were split on this, lets discuss thiss offline.
when i think of "credentials", i dont think of a "token" as a type of credentials, it is its own medium of authNZ: a token. but i do admit my concept of "credentials" is heavily influenced by aws' usage of the concept "credentials". but, if were thinking of "credentials" as the all-encompassing medium of authNZ, then that would work.
also, to clarify my preference was more for aws/token and not so much aws/bearer
There was a problem hiding this comment.
additionally, if we look at this file
https://github.com/aws/aws-sdk-go/blob/main/aws/credentials/credentials.go#L74
the naming of Value seems to imply that its definition is what a "credentials" is. if it were to leave open the possibility of other types of credentials we would need a name for the credentials that is composed of "awsaccesskey,awssecretkey,awssessiontoken": so it would be something like AWSCredentials and TokenCredentials
Add sso token provider to enable sso credential provider retrieving access token from it. Will resolve #4649 with following PRs on this branch