Support for sso_session in .aws/config #699

Closed
bjornin opened this issue Jan 2, 2023 · 8 comments
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

@bjornin

bjornin commented Jan 2, 2023

Describe the bug

I'm going to piggyback on this issue aws/aws-sdk-go#4649 since the description is the same.

It seems the AWS CLI configures the shared AWS config with a new reusable sso_session section that is not parsed.

Expected Behavior

aws_config is able to use a configured sso-session (sso_region, sso_start_url) from the AWS CLI.

Current Behavior

The supplied snippets will fail with:

caller Err(ConstructionFailure(ConstructionFailure { source: CredentialsStageError { source: InvalidConfiguration(InvalidConfiguration { source: "ProfileFile provider could not be built: profile `test` was not defined: `sso_region` was missing" }) } }))

or

caller Err(ConstructionFailure(ConstructionFailure { source: CredentialsStageError { source: InvalidConfiguration(InvalidConfiguration { source: "ProfileFile provider could not be built: profile `default` was not defined: `sso_region` was missing" }) } }))

respectively.

If I add sso_region to a profile, it will instead complain about a missing sso_start_url:

caller Err(ConstructionFailure(ConstructionFailure { source: CredentialsStageError { source: InvalidConfiguration(InvalidConfiguration { source: "ProfileFile provider could not be built: profile `test` was not defined: `sso_start_url` was missing" }) } }))

Reproduction Steps

.aws/config

[sso-session sso]
sso_start_url = https://<my-url>.awsapps.com/start
sso_region = <my-region>
sso_registration_scopes = sso:account:access

[profile test]
sso_session = sso
sso_account_id = <my-account-id>
sso_role_name = <my-role-name>
region = <my-region>

[default]
sso_session = sso
sso_account_id = <my-account-id>
sso_role_name = <my-role-name>
region = <my-region>

Test with specific profile:

use aws_sdk_sts::{Client, Error};

#[tokio::main]
async fn main() -> Result<(), Error> {
    let config = aws_config::from_env()
        .credentials_provider(
            aws_config::profile::ProfileFileCredentialsProvider::builder()
                .profile_name("test")
                .build(),
        )
        .load()
        .await;

    let sts = Client::new(&config);
    let caller_identity = sts.get_caller_identity().send().await;

    println!("caller {:?}", caller_identity);

    Ok(())
}

Test without profile:

use aws_sdk_sts::{Client, Error};

#[tokio::main]
async fn main() -> Result<(), Error> {
    let config = aws_config::from_env()
        .load()
        .await;

    let sts = Client::new(&config);
    let caller_identity = sts.get_caller_identity().send().await;

    println!("caller {:?}", caller_identity);

    Ok(())
}

Possible Solution

No response

Additional Information/Context

No response

Version

aws-sso-rust v0.1.0 (/workspaces/aws-sso-rust)
├── aws-config v0.52.0
│   ├── aws-http v0.52.0
│   │   ├── aws-smithy-http v0.52.0
│   │   │   ├── aws-smithy-types v0.52.0
│   │   ├── aws-smithy-types v0.52.0 (*)
│   │   ├── aws-types v0.52.0
│   │   │   ├── aws-smithy-async v0.52.0
│   │   │   ├── aws-smithy-client v0.52.0
│   │   │   │   ├── aws-smithy-async v0.52.0 (*)
│   │   │   │   ├── aws-smithy-http v0.52.0 (*)
│   │   │   │   ├── aws-smithy-http-tower v0.52.0
│   │   │   │   │   ├── aws-smithy-http v0.52.0 (*)
│   │   │   │   │   ├── aws-smithy-types v0.52.0 (*)
│   │   │   │   ├── aws-smithy-types v0.52.0 (*)
│   │   │   ├── aws-smithy-http v0.52.0 (*)
│   │   │   ├── aws-smithy-types v0.52.0 (*)
│   ├── aws-sdk-sso v0.22.0
│   │   ├── aws-endpoint v0.52.0
│   │   │   ├── aws-smithy-http v0.52.0 (*)
│   │   │   ├── aws-smithy-types v0.52.0 (*)
│   │   │   ├── aws-types v0.52.0 (*)
│   │   ├── aws-http v0.52.0 (*)
│   │   ├── aws-sig-auth v0.52.0
│   │   │   ├── aws-sigv4 v0.52.0
│   │   │   │   ├── aws-smithy-http v0.52.0 (*)
│   │   │   ├── aws-smithy-http v0.52.0 (*)
│   │   │   ├── aws-types v0.52.0 (*)
│   │   ├── aws-smithy-async v0.52.0 (*)
│   │   ├── aws-smithy-client v0.52.0 (*)
│   │   ├── aws-smithy-http v0.52.0 (*)
│   │   ├── aws-smithy-http-tower v0.52.0 (*)
│   │   ├── aws-smithy-json v0.52.0
│   │   │   └── aws-smithy-types v0.52.0 (*)
│   │   ├── aws-smithy-types v0.52.0 (*)
│   │   ├── aws-types v0.52.0 (*)
│   ├── aws-sdk-sts v0.22.0
│   │   ├── aws-endpoint v0.52.0 (*)
│   │   ├── aws-http v0.52.0 (*)
│   │   ├── aws-sig-auth v0.52.0 (*)
│   │   ├── aws-smithy-async v0.52.0 (*)
│   │   ├── aws-smithy-client v0.52.0 (*)
│   │   ├── aws-smithy-http v0.52.0 (*)
│   │   ├── aws-smithy-http-tower v0.52.0 (*)
│   │   ├── aws-smithy-query v0.52.0
│   │   │   ├── aws-smithy-types v0.52.0 (*)
│   │   ├── aws-smithy-types v0.52.0 (*)
│   │   ├── aws-smithy-xml v0.52.0
│   │   ├── aws-types v0.52.0 (*)
│   ├── aws-smithy-async v0.52.0 (*)
│   ├── aws-smithy-client v0.52.0 (*)
│   ├── aws-smithy-http v0.52.0 (*)
│   ├── aws-smithy-http-tower v0.52.0 (*)
│   ├── aws-smithy-json v0.52.0 (*)
│   ├── aws-smithy-types v0.52.0 (*)
│   ├── aws-types v0.52.0 (*)
├── aws-sdk-sts v0.22.0 (*)

Environment details (OS name and version, etc.)

Linux 125dda4b772a 5.15.82-0-virt #1-Alpine SMP Mon, 12 Dec 2022 09:15:17 +0000 aarch64 GNU/Linux

Logs

No response

@bjornin bjornin added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 2, 2023
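
The lookup the report above asks for, as an added example (not code from the issue and not the SDK's implementation): a std-only Rust program that parses the config layout shown and resolves a profile's `sso_session` reference to its `[sso-session ...]` section. The names `parse_config`, `resolve_sso` and `follow_session` are hypothetical, the sample values are constructed, and it assumes that a profile with `sso_session` takes `sso_region` and `sso_start_url` only from the referenced section.

```rust
use std::collections::HashMap;

type Sections = HashMap<String, HashMap<String, String>>;

// Constructed sample mirroring the layout in the report; all values are placeholders.
const SAMPLE: &str = "[sso-session sso]\nsso_start_url = https://example.awsapps.com/start\n\
sso_region = us-east-1\n\n[profile test]\nsso_session = sso\nsso_account_id = 111111111111\n\
sso_role_name = ExampleRole\n\n[default]\nsso_session = sso\n";

/// Parse INI-style text into section name -> key/value map.
fn parse_config(text: &str) -> Sections {
    let mut sections = Sections::new();
    let mut current: Option<String> = None;
    for line in text.lines().map(str::trim) {
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if let Some(h) = line.strip_prefix('[').and_then(|l| l.strip_suffix(']')) {
            // Normalize header whitespace so "[profile  test]" keys as "profile test".
            let name = h.split_whitespace().collect::<Vec<_>>().join(" ");
            sections.entry(name.clone()).or_default();
            current = Some(name);
        } else if let (Some(sec), Some((k, v))) = (current.as_ref(), line.split_once('=')) {
            sections.get_mut(sec).unwrap().insert(k.trim().into(), v.trim().into());
        }
    }
    sections
}

/// Return (sso_start_url, sso_region) for `profile`. With `follow_session` false,
/// only the profile section is read, which reproduces the reported error.
fn resolve_sso(s: &Sections, profile: &str, follow_session: bool) -> Result<(String, String), String> {
    let key = if profile == "default" { profile.to_string() } else { format!("profile {profile}") };
    let prof = s.get(&key).ok_or_else(|| format!("profile `{profile}` was not defined"))?;
    let source = match prof.get("sso_session") {
        Some(name) if follow_session => s
            .get(&format!("sso-session {name}"))
            .ok_or_else(|| format!("sso-session `{name}` was not defined"))?,
        _ => prof,
    };
    let get = |k: &str| source.get(k).cloned().ok_or_else(|| format!("`{k}` was missing"));
    let region = get("sso_region")?;
    Ok((get("sso_start_url")?, region))
}

fn main() {
    let s = parse_config(SAMPLE);
    println!("profile-only lookup: {:?}", resolve_sso(&s, "test", false));
    println!("with sso-session:    {:?}", resolve_sso(&s, "test", true));
}
```
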
@rcoh
Contributor

rcoh commented Jan 3, 2023

You are correct—we haven't implemented support for sso-session yet in the Rust SDK. I've created #703 to track.

@rcoh rcoh added feature-request A feature should be added or improved. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 3, 2023
@bjornin
Author

bjornin commented Jan 4, 2023

Thank you

@jmklix jmklix added the p2 This is a standard priority issue label Mar 30, 2023
@vmaerten

Hi!
I am facing the same problem. As #703 has been merged and released, I've updated to 0.57.1, but I still have this error:

DispatchFailure(DispatchFailure { source: ConnectorError { kind: Other(None), source: InvalidConfiguration(InvalidConfiguration { source: \"ProfileFile provider could not be built: profile `dev` was not defined: `sso_region` was missing\" }), connection: Unknown } }))" }'

With this config file (output of aws sso configure):

[sso-session mysession]
sso_start_url = https://YYYYYYYY.awsapps.com/start/
sso_region = eu-west-1
sso_registration_scopes = sso:account:access


[profile dev]
sso_session = mysession
sso_account_id = XXXXXXXXX
sso_role_name = AdministratorAccess
region = eu-west-1
output = json

and this code:

#[tokio::main]
pub async fn main() {
    let config = aws_config::load_from_env().await;
    let s3_client = aws_sdk_s3::Client::new(&config);
    let bucket = s3_client.list_buckets().send().await.unwrap();
    println!("bucket: {:?}", bucket);
}

Cargo.toml:

[dependencies]
aws-config = { version = "0.57.1", features = ["rustls", "sso"] }
aws-types = { version = "0.57.1" }
aws-credential-types = { version = "0.57.1" }
aws-sdk-s3 = { version = "0.35.0", features = ["rustls", "rt-tokio"] }
tokio = { version = "1.32.0", features = ["full"] }

Is this intended to work, @rcoh? Should I submit a new issue or a discussion?

Thanks a lot for your help!

@jdisanti
Contributor

Sorry, I haven't gotten to implementing the profile file changes for this feature yet. I think it has a better chance of working if you manually set up the SsoCredentialsProvider for now rather than using the default credentials chain and profile file.

@vmaerten

Thanks for your answer, very clear.
I'll try to set it up manually!
For the implementation in the default credentials chain, should I follow this issue or create a new one?

@jdisanti
Contributor

This is the main tracking issue: #703

@jdisanti
Contributor

jdisanti commented Feb 6, 2024

The January 25th release of the SDK includes support for [sso-session] in the AWS config file for SSO assume role credentials.

@jdisanti jdisanti closed this as completed Feb 6, 2024

github-actions bot commented Feb 6, 2024

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
