Merged
Changes from 64 commits
71 commits
6795e09
Rough draft implementation w/ generated internal STS client.
Jun 2, 2025
34110d2
Resolve circular dependency issues with custom internal STS client ge…
Jun 2, 2025
d7f7973
Changed AWSSDKIdentity dependencies; required for custom internal ser…
Jun 2, 2025
5736a0e
Merge main into feat/sts-web-identity-creds-resolver.
Jun 2, 2025
d5d1673
Remove throws keyword from STS web identity creds resolver initializer.
Jun 2, 2025
b38d3fd
Remove unnecessary import.
Jun 3, 2025
4cb29a8
Add missing dependency to AWSSDKEventStreamsAuthTests
Jun 3, 2025
5794bc3
Temp release manifest logic change for internal build test
Jun 3, 2025
d594231
Revert "Temp release manifest logic change for internal build test"
Jun 3, 2025
4e91782
Filter STS client generated in AWSSDKIdentity to contain only the ass…
Jun 3, 2025
117fbe2
Undo accidental removal.
Jun 3, 2025
a42d5e0
ktlint
Jun 3, 2025
7fdd73a
Delete old FieldResolver.
Jun 3, 2025
42bf26e
Limit visibility of plugins generated for internal use.
Jun 3, 2025
874db10
Newly generated internal STS with internal access levels for everything.
Jun 3, 2025
a15f5d1
Refactor SSOBearerTokenIdentityResolver to be ready for token refresh…
Jun 5, 2025
3c7b1ec
Refactor internal service client codegen changes to accommodate more …
Jun 5, 2025
3403985
Swiftlint & ktlint
Jun 5, 2025
2518d6d
Add missing return stmt
Jun 5, 2025
d354c67
Make internal service client relocation during gradle build generic i…
Jun 5, 2025
f930815
Fix staging location bug in codegen for internal clients. This commit …
Jun 5, 2025
fd17646
Delete accidentally committed generated endpoint resolver tests for STS.
Jun 5, 2025
24dcd28
Complete SSO token provider refactor.
Jun 6, 2025
4c102b7
Delete accidentally committed generated endpoint resolver test
Jun 6, 2025
2e2fe06
Generic-fy the model preprocessing & build script for internal servic…
Jun 6, 2025
e5e0a72
Make runtime module changes in AWSSDKIdentity, needed for dependency …
Jun 9, 2025
79de694
Add attribute key for internal STS client.
Jun 10, 2025
1d91db1
Add InternalAWSSTS as dependency to service clients.
Jun 10, 2025
11cc78f
Codegen changes for constructing & saving IdentityResolvingSTSClient …
Jun 10, 2025
8306959
Add IdentityProvidingSTSClient construction into rules based auth sch…
Jun 11, 2025
e746831
ktlint
Jun 11, 2025
02f072b
Fix IdentityProvidingSTSClient codegen location.
Jun 11, 2025
bd40a8c
Fix import in writer & add IdentityProvidingSTSClientIntegration to M…
Jun 11, 2025
e8124d4
Fix SwiftDeclaration type for AWSCredentialIdentityResolverError.
Jun 11, 2025
a4a5cec
Commit most up to date generated InternalAWSSTS.
Jun 11, 2025
3e75e06
Add generated Package.swift for reference in PR.
Jun 11, 2025
5fa33e4
Update codegen test.
Jun 11, 2025
e328aa1
Add InternalAWSSTS to protocol test package manifest.
Jun 11, 2025
612e765
Revert "Add InternalAWSSTS to protocol test package manifest."
Jun 11, 2025
e3a26f5
Skip auth option customization w/ internal service clients for protoc…
Jun 11, 2025
087e32c
ktlint
Jun 11, 2025
bf0d9d7
Add Sendable conformance to IdentityProvidingSTSClient protocol in AW…
Jun 11, 2025
89a1217
Merge feat/sts-web-identity-creds-resolver into feat/sso-creds-resolver
Jun 12, 2025
54bee08
Add dependency inversion protocols for SSO and SSOOIDC clients in AWS…
Jun 12, 2025
d23ebcc
Everything required for dependency inversion for SSO and SSO OIDC exc…
Jun 12, 2025
0f0af49
Add codegen for IdentityProvidingSSOClient and IdentityProvidingSSOOI…
Jun 13, 2025
60b728c
Newly generated internal clients & codegen bug fixes.
Jun 13, 2025
56b21e7
Fix bug where wrong field was being copied into clientSecret.
Jun 13, 2025
3bfd6ba
Reduce code duplication in SSO cred resolver when fetching config val…
Jun 16, 2025
595c264
Merge branch 'main' into feat/sts-web-identity-creds-resolver
sichanyoo Jun 17, 2025
7b92ee7
Update internal STS client.
Jun 17, 2025
a894abd
Add generated internal service clients under AWSSDKIdentity as files …
Jun 17, 2025
39ed7d3
Merge branch 'main' into feat/sts-web-identity-creds-resolver
Jun 17, 2025
1bb811d
Update stage files unit test.
Jun 17, 2025
03d3e02
Merge branch 'feat/sts-web-identity-creds-resolver' into feat/sso-cre…
Jun 17, 2025
edb086b
Re-codegen internal SSO and SSO OIDC.
Jun 17, 2025
483f959
Merge main into feat/sso-creds-resolver
Jun 17, 2025
dec8217
ktlint & swiftlint
Jun 17, 2025
a06496b
Add codegen for SSO and SSOOIDC internal clients into rules based aut…
Jun 17, 2025
16b4628
Remove conflict marker from base package.
Jun 17, 2025
a29a275
Remove conflict markers from generated package manifest.
Jun 17, 2025
bf2c873
Add missing try keyword to unit test for SSO token provider.
Jun 17, 2025
241476b
ktlint & remove unit test that tests logic that was removed; profile …
Jun 17, 2025
7c86429
Remove conflict marker in InternalAWSSTS/AuthSchemeResolver.
Jun 17, 2025
419e781
Merge branch 'main' into feat/sso-creds-resolver
Jun 18, 2025
5821aa2
Merge branch 'main' into feat/sso-creds-resolver
Jun 20, 2025
f0cdab3
Add legacy token flow.
Jun 20, 2025
43184a3
Add missing import
Jun 20, 2025
8ec0fc2
Add empty line between methods to generated IdentityProvidingXYZClien…
Jun 23, 2025
b304503
Merge branch 'main' into feat/sso-creds-resolver
Jun 23, 2025
679f15d
Merge branch 'main' into feat/sso-creds-resolver
sichanyoo Jun 23, 2025
50 changes: 50 additions & 0 deletions AWSSDKSwiftCLI/Sources/AWSSDKSwiftCLI/Resources/Package.Base.txt
Expand Up @@ -161,6 +161,54 @@ private var runtimeTargets: [Target] {
],
Contributor Author
Adds two new targets: InternalAWSSSO and InternalAWSSSOOIDC. Just like InternalAWSSTS, they are service clients generated for internal use with only the couple operations needed for the SSO credential resolver.

path: "Sources/Core/AWSSDKIdentity/Sources/InternalAWSSTS"
),
.target(
name: "InternalAWSSSO",
dependencies: [
Contributor
Are these internal client dependencies the same list as for a public AWS service client?

Contributor Author
sichanyoo Jun 23, 2025
Only difference is that public AWS service clients also depend on the internal client targets, but internal client targets don't depend on any other internal clients.

.clientRuntime,
.awsClientRuntime,
.smithyRetriesAPI,
.smithyRetries,
.smithy,
.smithyIdentity,
.smithyIdentityAPI,
.smithyEventStreamsAPI,
.smithyEventStreamsAuthAPI,
.smithyEventStreams,
.smithyChecksumsAPI,
.smithyChecksums,
.smithyWaitersAPI,
.awsSDKCommon,
.awsSDKIdentity,
.awsSDKHTTPAuth,
.awsSDKEventStreamsAuth,
.awsSDKChecksums,
],
path: "Sources/Core/AWSSDKIdentity/Sources/InternalAWSSSO"
),
.target(
name: "InternalAWSSSOOIDC",
dependencies: [
.clientRuntime,
.awsClientRuntime,
.smithyRetriesAPI,
.smithyRetries,
.smithy,
.smithyIdentity,
.smithyIdentityAPI,
.smithyEventStreamsAPI,
.smithyEventStreamsAuthAPI,
.smithyEventStreams,
.smithyChecksumsAPI,
.smithyChecksums,
.smithyWaitersAPI,
.awsSDKCommon,
.awsSDKIdentity,
.awsSDKHTTPAuth,
.awsSDKEventStreamsAuth,
.awsSDKChecksums,
],
path: "Sources/Core/AWSSDKIdentity/Sources/InternalAWSSSOOIDC"
),
.target(
name: "AWSSDKChecksums",
dependencies: [.crt, .smithy, .clientRuntime, .smithyChecksumsAPI, .smithyChecksums, .smithyHTTPAPI],
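Review bot: the dependency list for InternalAWSSSO and InternalAWSSSOOIDC is a verbatim copy of the one used for InternalAWSSTS just above, and the author's comment says these clients carry only the couple of operations the SSO credential resolver needs, so entries such as `.smithyEventStreamsAPI`, `.smithyEventStreams`, `.smithyChecksums` and `.smithyWaitersAPI` are likely unused by the generated code; trimming them keeps the identity package from pulling in runtime it never calls, and hoisting the shared list into one constant (for example an `internalClientDependencies` array) would stop the three copies drifting when one is edited.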
Expand Down Expand Up @@ -224,6 +272,8 @@ private func target(_ service: String) -> Target {
.awsSDKEventStreamsAuth,
.awsSDKChecksums,
"InternalAWSSTS",
"InternalAWSSSO",
"InternalAWSSSOOIDC",
],
path: "Sources/Services/\(service)/Sources/\(service)"
)
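Review bot: `"InternalAWSSSO"` and `"InternalAWSSSOOIDC"` are added as bare string dependencies while every other entry in this list is a dot-constant like `.awsSDKChecksums`; defining matching constants keeps the template consistent and catches a misspelled target name where it is declared rather than at package resolution. This also makes every generated service client link all three internal clients regardless of which credential resolver it ends up using, which is expected for dependency inversion but deserves a sentence in the PR description.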
50 changes: 50 additions & 0 deletions Package.swift
Original file line number Diff line number Diff line change
Expand Up @@ -593,6 +593,54 @@ private var runtimeTargets: [Target] {
],
path: "Sources/Core/AWSSDKIdentity/Sources/InternalAWSSTS"
),
.target(
name: "InternalAWSSSO",
dependencies: [
.clientRuntime,
.awsClientRuntime,
.smithyRetriesAPI,
.smithyRetries,
.smithy,
.smithyIdentity,
.smithyIdentityAPI,
.smithyEventStreamsAPI,
.smithyEventStreamsAuthAPI,
.smithyEventStreams,
.smithyChecksumsAPI,
.smithyChecksums,
.smithyWaitersAPI,
.awsSDKCommon,
.awsSDKIdentity,
.awsSDKHTTPAuth,
.awsSDKEventStreamsAuth,
.awsSDKChecksums,
],
path: "Sources/Core/AWSSDKIdentity/Sources/InternalAWSSSO"
),
.target(
name: "InternalAWSSSOOIDC",
dependencies: [
.clientRuntime,
.awsClientRuntime,
.smithyRetriesAPI,
.smithyRetries,
.smithy,
.smithyIdentity,
.smithyIdentityAPI,
.smithyEventStreamsAPI,
.smithyEventStreamsAuthAPI,
.smithyEventStreams,
.smithyChecksumsAPI,
.smithyChecksums,
.smithyWaitersAPI,
.awsSDKCommon,
.awsSDKIdentity,
.awsSDKHTTPAuth,
.awsSDKEventStreamsAuth,
.awsSDKChecksums,
],
path: "Sources/Core/AWSSDKIdentity/Sources/InternalAWSSSOOIDC"
),
.target(
name: "AWSSDKChecksums",
dependencies: [.crt, .smithy, .clientRuntime, .smithyChecksumsAPI, .smithyChecksums, .smithyHTTPAPI],
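Review bot: this block is the generated counterpart of the Package.Base.txt change and is identical to it today; since the commit list says Package.swift was added for reference, any trimming or de-duplication of the internal client dependency list should be made in the template and picked up here by regenerating, not by hand-editing this file, so the two stay in sync.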
Expand Down Expand Up @@ -656,6 +704,8 @@ private func target(_ service: String) -> Target {
.awsSDKEventStreamsAuth,
.awsSDKChecksums,
"InternalAWSSTS",
"InternalAWSSSO",
"InternalAWSSSOOIDC",
],
path: "Sources/Services/\(service)/Sources/\(service)"
)
Expand Up @@ -5,15 +5,19 @@
// SPDX-License-Identifier: Apache-2.0
Contributor Author
Uses SSOBearerTokenIdentityResolver to fetch SSO token and makes request to SSO::getRoleCredentials with it to fetch temporary AWS credentials. The SSO client used here is the internal client, instantiated and passed off to the resolver here from public service clients' auth scheme resolvers.

//

import class AwsCommonRuntimeKit.CredentialsProvider
import protocol SmithyIdentity.AWSCredentialIdentityResolver
import struct Smithy.Attributes
import ClientRuntime
import protocol SmithyIdentity.AWSCredentialIdentityResolvedByCRT
import class Foundation.ProcessInfo
import enum Smithy.ClientError
@_spi(FileBasedConfig) import AWSSDKCommon

/// A credential identity resolver that resolves credentials using GetRoleCredentialsRequest to the AWS Single Sign-On Service to maintain short-lived sessions.
/// [Details link](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sso-credentials.html)
public struct SSOAWSCredentialIdentityResolver: AWSCredentialIdentityResolvedByCRT {
public let crtAWSCredentialIdentityResolver: AwsCommonRuntimeKit.CredentialsProvider
public struct SSOAWSCredentialIdentityResolver: AWSCredentialIdentityResolver {
private let configFilePath: String?
private let credentialsFilePath: String?
private let profileName: String?

/// - Parameters:
/// - profileName: The profile name to use. If not provided it will be resolved internally via the `AWS_PROFILE` environment variable or defaulted to `default` if not configured.
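Review bot: with the CRT-backed `crtAWSCredentialIdentityResolver` property gone and the struct now conforming to `AWSCredentialIdentityResolver`, the imports `import class AwsCommonRuntimeKit.CredentialsProvider` and `import protocol SmithyIdentity.AWSCredentialIdentityResolvedByCRT` shown in this hunk have no remaining user in the file; the rendered view carries no +/- markers, so please confirm they sit on the removed side rather than surviving as dead imports. The doc comment could also state that the resolver requires an `IdentityProvidingSSOClient` in the identity properties, since a caller constructing it directly will otherwise only learn that from the runtime error in `getIdentity`.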
Expand All @@ -24,15 +28,74 @@ public struct SSOAWSCredentialIdentityResolver: AWSCredentialIdentityResolvedByC
configFilePath: String? = nil,
credentialsFilePath: String? = nil
) throws {
self.profileName = profileName
self.configFilePath = configFilePath
self.credentialsFilePath = credentialsFilePath
}

public func getIdentity(identityProperties: Attributes?) async throws -> AWSCredentialIdentity {
guard let identityProperties, let internalSSOClient = identityProperties.get(
key: InternalClientKeys.internalSSOClientKey
) else {
throw AWSCredentialIdentityResolverError.failedToResolveAWSCredentials(
"SSOAWSCredentialIdentityResolver: "
+ "Missing IdentityProvidingSSOClient in identity properties."
)
}

let fileBasedConfig = try CRTFileBasedConfiguration(
configFilePath: configFilePath,
credentialsFilePath: credentialsFilePath
)
self.crtAWSCredentialIdentityResolver = try AwsCommonRuntimeKit.CredentialsProvider(source: .sso(
bootstrap: SDKDefaultIO.shared.clientBootstrap,
tlsContext: SDKDefaultIO.shared.tlsContext,
fileBasedConfiguration: fileBasedConfig,
profileFileNameOverride: profileName
))
let resolvedProfileName = self.profileName ?? ProcessInfo.processInfo.environment["AWS_PROFIE"] ?? "default"
let (accountID, roleName, region) = try fetchSSOConfigFromSharedConfigFile(
profileName: resolvedProfileName,
fileBasedConfig: fileBasedConfig
)

let ssoToken = try await SSOBearerTokenIdentityResolver(
profileName: resolvedProfileName,
configFilePath: configFilePath
).getIdentity(identityProperties: identityProperties)

return try await internalSSOClient.getCredentialsWithSSOToken(
region: region,
accessToken: ssoToken.token,
accountID: accountID,
roleName: roleName
)
}

private func fetchSSOConfigFromSharedConfigFile(
profileName: String,
fileBasedConfig: CRTFileBasedConfiguration
) throws -> (accountID: String, roleName: String, region: String) {
// Get `sso_account_id` and `sso_role_name` properties.
let ssoAccountID = try getProperty(profileName, .profile, "sso_account_id", fileBasedConfig)
let ssoRoleName = try getProperty(profileName, .profile, "sso_role_name", fileBasedConfig)

// Get `sso_region` property from sso-session section referenced by the profile section..
let ssoSessionName = try getProperty(profileName, .profile, "sso_session", fileBasedConfig)
let ssoRegion = try getProperty(ssoSessionName, .ssoSession, "sso_region", fileBasedConfig)

return (ssoAccountID, ssoRoleName, ssoRegion)
}

private func getProperty(
_ sectionName: String,
_ sectionType: CRTFileBasedConfiguration.SectionType,
_ propertyName: String,
_ fileBasedConfig: CRTFileBasedConfiguration
) throws -> String {
guard let value = fileBasedConfig
.getSection(name: sectionName, sectionType: sectionType)?
.getProperty(name: propertyName)?
.value
else {
throw ClientError.dataNotFound(
"Failed to retrieve \(propertyName) from \(sectionName) \(sectionType) section."
)
}
return value
}
}
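Review bot: `ProcessInfo.processInfo.environment["AWS_PROFIE"]` in `getIdentity` misspells the variable; the doc comment above promises resolution via `AWS_PROFILE`, and as written the environment fallback can never match, so a user relying on `AWS_PROFILE` silently gets the `default` profile and with it the wrong SSO role or none at all. Two smaller points: `fetchSSOConfigFromSharedConfigFile` requires an `sso_session` key and reads `sso_region` only from that session section, so a legacy-format profile that sets `sso_region` directly alongside `sso_account_id` and `sso_role_name` fails with `dataNotFound` on `sso_session` even though the commit list adds a legacy token flow, and falling back to the profile's own `sso_region` when `sso_session` is absent would cover it. The initializer is still marked `throws` although it now only stores three optionals, and the comment `referenced by the profile section..` has a doubled period.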