feat: SSO creds resolver #1958
feat: SSO creds resolver #1958
Conversation
…nerated in AWSSDKIdentity module.
…vice clients used by creds resolvers.
This reverts commit 5794bc3.
…ume role APIs needed for credential resolvers.
…ing & caching logic.
…than one service.
…nstead of STS specific.
…includes internal SSO and SSOOIDC clients.
…e clients. Also, separate InternalAWSSTS into its own target in Package.Base.txt.
…inversion principle (DIP) so that AWSSDKIdentity doesn't directly depend on the internal STS client.
…into auth options returned by auth scheme resolver.
…eme resolver codegen & add codegen for IdentityProvidingSTSClient struct in internal AWS STS target.
…ues from shared config file.
…staged for release.
…h scheme resolver as well & update codegen test.
…existence check isn't done at initialization anymore.
| .awsSDKHTTPAuth, | ||
| .awsSDKEventStreamsAuth, | ||
| .awsSDKChecksums, | ||
| ], |
There was a problem hiding this comment.
Adds two new targets: InternalAWSSSO and InternalAWSSSOOIDC. Just like InternalAWSSTS, they are service clients generated for internal use with only the couple operations needed for the SSO credential resolver.
| // Copyright Amazon.com Inc. or its affiliates. | ||
| // All Rights Reserved. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 |
There was a problem hiding this comment.
Uses SSOBearerTokenIdentityResolver to fetch SSO token and makes request to SSO::getRoleCredentials with it to fetch temporary AWS credentials. The SSO client used here is the internal client, instantiated and passed off to the resolver here from public service clients' auth scheme resolvers.
| // SPDX-License-Identifier: Apache-2.0 | ||
| // | ||
|
|
||
| import protocol SmithyIdentity.BearerTokenIdentityResolver |
There was a problem hiding this comment.
SSO token resolver. The SSO token must have been previously created & cached by the user via another tool like AWS CLI. Then, this token resolver reads the cached token and refreshes it if needed.
| @@ -0,0 +1,17 @@ | |||
| // | |||
There was a problem hiding this comment.
The protocol for SSO OIDC client, used for dependency inversion. The concrete struct that conforms to this protocol is code generated at Sources/Core/AWSSDKIdentity/Sources/InternalAWSSSOOIDC/IdentityProvidingSSOOIDCClient.swift.
|
|
||
| public enum InternalClientKeys { | ||
| /// The STS client to be used in credential resolution. | ||
| public static let internalSTSClientKey = AttributeKey<any IdentityProvidingSTSClient>( |
There was a problem hiding this comment.
The attribute keys used to save instances of internal SSO / SSO OIDC clients into identityProperties of the auth options returned by auth scheme resolvers generated for each public service.
| "0.0.1", | ||
| "aws-sdk-swift", | ||
| "../../../aws-sdk-swift", | ||
| "InternalAWSSTS", |
There was a problem hiding this comment.
New target info in codegen side.
| } | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Below lines add auth option customization for SSO and SSO OIDC to rules based auth scheme resolver as well. Addition of function is just to reduce duplication above.
| @@ -0,0 +1,70 @@ | |||
| package software.amazon.smithy.aws.swift.codegen.customization.credentialresolverservices | |||
There was a problem hiding this comment.
This integration generates IdentityProvidingSSOClient struct in InternalAWSSSO target. It conforms to IdentityProvidingSSOClient protocol in AWSSDKIdentity target. Allows dependency inversion.
| @@ -0,0 +1,54 @@ | |||
| package software.amazon.smithy.aws.swift.codegen.customization.credentialresolverservices | |||
There was a problem hiding this comment.
This integration generates IdentityProvidingSSOOIDCClient struct in InternalAWSSSOOIDC target. It conforms to IdentityProvidingSSOOIDCClient protocol in AWSSDKIdentity target. Allows dependency inversion.
| class InternalModelIntegration : SwiftIntegration { | ||
| private val stsOps = | ||
| listOf( | ||
| "com.amazonaws.sts#AssumeRole", |
There was a problem hiding this comment.
For internal SSO, we only need the getRoleCredentials API.
For Internal SSO OIDC, we only need createToken API.
| let homeDir = FileManager.default.homeDirectoryForCurrentUser | ||
| #else | ||
| // On iOS, tvOS, and watchOS, use NSHomeDirectory() | ||
| let homeDir = URL(fileURLWithPath: NSHomeDirectory(), isDirectory: true) |
There was a problem hiding this comment.
Does this copy current CRT SSO behavior?
There was a problem hiding this comment.
Fetching token from home directory + .aws/sso/cache/<SHA-1-hash-of-startUrl>.json is the behavior defined in SEP for legacy token behavior, so assuming CRT implemented it to match SEP, it should be the same.
| ), | ||
| .target( | ||
| name: "InternalAWSSSO", | ||
| dependencies: [ |
There was a problem hiding this comment.
Are these internal client dependencies the same list as for a public AWS service client?
There was a problem hiding this comment.
Only difference is that public AWS service clients also depend on the internal client targets, but internal client targets don't depend on any other internal clients.
|
|
||
| package struct IdentityProvidingSSOClient: AWSSDKIdentity.IdentityProvidingSSOClient { | ||
| package init() {} | ||
| package func getCredentialsWithSSOToken(region: String, accessToken: String, accountID: String, roleName: String) async throws -> AWSSDKIdentity.AWSCredentialIdentity { |
There was a problem hiding this comment.
nit: can we get vertical whitespace between methods?
There was a problem hiding this comment.
Added writer.write("") (to add vertical white space between methods) to codegen for all IdentityProvidingXYZClient codegen customizations.
| "$authOptionName.identityProperties.set(key: \$N.internalSSOOIDCClientKey, value: \$N())", | ||
| AWSSDKIdentityTypes.InternalClientKeys, | ||
| InternalClientTypes.IdentityProvidingSSOOIDCClient, | ||
| ) |
There was a problem hiding this comment.
Q: so these clients are created and put into identity properties for every operation on every service (except for the conditions on L71 above)?
answered my own concern: Looks like these IdentityProvidingSSOClient and IdentityProvidingSSOOIDCClient structures don't initialize any clients, etc. until they're used, so the performance/memory penalty from setting these should be effectively zero.
2 participants
Issue #
2380
Description of changes
New/existing dependencies impact assessment, if applicable
Conventional Commits
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.