code.dwrz.net

Go monorepo.
Log | Files | Refs

doc.go (2965B)

      1 // Package ssocreds provides a credential provider for retrieving temporary AWS
      2 // credentials using an SSO access token.
      3 //
      4 // IMPORTANT: The provider in this package does not initiate or perform the AWS
      5 // SSO login flow. The SDK provider expects that you have already performed the
      6 // SSO login flow using AWS CLI using the "aws sso login" command, or by some
      7 // other mechanism. The provider must find a valid non-expired access token for
      8 // the AWS SSO user portal URL in ~/.aws/sso/cache. If a cached token is not
      9 // found, it is expired, or the file is malformed an error will be returned.
     10 //
     11 // # Loading AWS SSO credentials with the AWS shared configuration file
     12 //
     13 // You can use configure AWS SSO credentials from the AWS shared configuration file by
     14 // providing the specifying the required keys in the profile:
     15 //
     16 //	sso_account_id
     17 //	sso_region
     18 //	sso_role_name
     19 //	sso_start_url
     20 //
     21 // For example, the following defines a profile "devsso" and specifies the AWS
     22 // SSO parameters that defines the target account, role, sign-on portal, and
     23 // the region where the user portal is located. Note: all SSO arguments must be
     24 // provided, or an error will be returned.
     25 //
     26 //	[profile devsso]
     27 //	sso_start_url = https://my-sso-portal.awsapps.com/start
     28 //	sso_role_name = SSOReadOnlyRole
     29 //	sso_region = us-east-1
     30 //	sso_account_id = 123456789012
     31 //
     32 // Using the config module, you can load the AWS SDK shared configuration, and
     33 // specify that this profile be used to retrieve credentials. For example:
     34 //
     35 //	config, err := config.LoadDefaultConfig(context.TODO(), config.WithSharedConfigProfile("devsso"))
     36 //	if err != nil {
     37 //	    return err
     38 //	}
     39 //
     40 // # Programmatically loading AWS SSO credentials directly
     41 //
     42 // You can programmatically construct the AWS SSO Provider in your application,
     43 // and provide the necessary information to load and retrieve temporary
     44 // credentials using an access token from ~/.aws/sso/cache.
     45 //
     46 //	client := sso.NewFromConfig(cfg)
     47 //
     48 //	var provider aws.CredentialsProvider
     49 //	provider = ssocreds.New(client, "123456789012", "SSOReadOnlyRole", "us-east-1", "https://my-sso-portal.awsapps.com/start")
     50 //
     51 //	// Wrap the provider with aws.CredentialsCache to cache the credentials until their expire time
     52 //	provider = aws.NewCredentialsCache(provider)
     53 //
     54 //	credentials, err := provider.Retrieve(context.TODO())
     55 //	if err != nil {
     56 //	    return err
     57 //	}
     58 //
     59 // It is important that you wrap the Provider with aws.CredentialsCache if you
     60 // are programmatically constructing the provider directly. This prevents your
     61 // application from accessing the cached access token and requesting new
     62 // credentials each time the credentials are used.
     63 //
     64 // # Additional Resources
     65 //
     66 // Configuring the AWS CLI to use AWS Single Sign-On:
     67 // https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
     68 //
     69 // AWS Single Sign-On User Guide:
     70 // https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
     71 package ssocreds