Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update shared config logic to resolve sso section #4868

Merged
merged 6 commits into from
Jun 6, 2023

Conversation

wty-Bryant
Copy link
Contributor

Update aws shared config logic to support resolving sso section in shared config file. Will resolve #4649 with following PRs on the same branch

Copy link
Contributor

@aajtodd aajtodd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, few questions.

@@ -186,6 +197,20 @@ type sharedConfigFile struct {
IniData ini.Sections
}

// SSOSession provides the shared configuration parameters of the sso-session
// section.
type SSOSession struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Should this be public?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked go v2's usage of SSOSession, it is used within config package only so I think we can change it to private

if err := cfg.validateCredentialsConfig(profile); err != nil {
return err
}
}

// if not top level profile and has credentials, return with credentials.
if len(profiles) != 0 && cfg.Creds.HasKeys() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: I'm not sure I understand why this was added, can you clarify for me what this is doing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This block is copied from go v2, it will be triggered when a source profile can get accessKey/secretAccessKey from shared config files, then the source shared config will be returned with credentials. But there might be some diff between v1 and v2's sharedConfig setting.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought this part was added to v2 for resolving credentials as well.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i still dont understand why this is needed in order to parse sso sessions? i dont think we should be copying anything from V2 just because its there that were not sure we also need.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, the remaining logic can still load the sso session for shared config. I will delete it.

var ssoSession SSOSession
ssoSession.setFromIniSection(section)
ssoSession.Name = cfg.SSOSessionName
cfg.SSOSession = &ssoSession
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: So this looks like we set a single SSoSession for the entire shared config. How does this work if we have an assume role chain? (this is mostly me trying to understand the existing Go v1 shared config loading).

e.g. with AWS_PROFILE = foo

foo doesn't directly refer to session1, what is the resulting sharedConfig struct in Go?

[profile foo]
role_arn = role1
source_profile = bar

[profile bar]
role_arn = role2
source_profile = baz


[profile baz]
role_arn = role3
sso_account_id = 1234
sso_region = us-east-1
sso_session = session1

[sso-session session1]
...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to v1's logic of resolving source profile , the current foo profile's credential will be cleaned and the referenced source profile bar will be loaded recursively to srcCfg and added as SourceProfile of foo. Finally the sharedConfig of foo will be sth like

 sharedConfig {
   Profile = foo
   SourceProfile = sharedConfig {
     Profile = bar
     SourceProfile = sharedConfig {
       Profile = baz
       SSOSessionName = session1
       SSOSession = ssoSession {
         Name = session1
       }
     }
   }
 }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then during step of resolving user credentials from shared config, it will recursively detect source profile and resolve sso credential provider if present in sharedCfg

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great thanks for clarifying this, that is helpful.

@@ -507,6 +523,15 @@ func TestLoadSharedConfigFromFile(t *testing.T) {
S3UseARNRegion: true,
},
},
{
Profile: "sso-session-success",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Would be good to add some of the validation cases here as well, not just the happy path.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^agreed

@wty-Bryant wty-Bryant requested a review from isaiahvita June 5, 2023 18:17
if err := cfg.validateCredentialsConfig(profile); err != nil {
return err
}
}

// if not top level profile and has credentials, return with credentials.
if len(profiles) != 0 && cfg.Creds.HasKeys() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i still dont understand why this is needed in order to parse sso sessions? i dont think we should be copying anything from V2 just because its there that were not sure we also need.

// provided. If the session section is not found or incomplete an error
// will be returned.
if cfg.hasSSOTokenProviderConfiguration() {
skippedFiles = 0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does V1 only have a concept of multiple shared config files?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, in v2's sharedConfig loading, sections will be extracted from config files first, but in v1 files will be used directly to load shared config

@@ -507,6 +523,15 @@ func TestLoadSharedConfigFromFile(t *testing.T) {
S3UseARNRegion: true,
},
},
{
Profile: "sso-session-success",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^agreed

@wty-Bryant wty-Bryant merged commit 3216ed5 into feat-sso-session Jun 6, 2023
@wty-Bryant wty-Bryant deleted the feat-sso-session-shared-config branch June 6, 2023 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants