
SSO authentication with token provider configuration not working

Open • Loic-Hakisa opened this issue 10 months ago • 1 comment

Hello, in this doc we can use two ways to authenticate with SSO using the PHP SDK (SSO token provider & legacy configuration): https://docs.aws.amazon.com/sdkref/latest/guide/feature-sso-credentials.html#feature-sso-credentials-profile

With aws/aws-sdk-php version 3.262.4, only the legacy configuration is working, but with 3.281.15 the SSO token provider configuration works too. Maybe since this commit: https://github.com/aws/aws-sdk-php/pull/2628/files

Because we use async-aws with https://github.com/symfony/amazon-sqs-messenger, we need these packages and versions to have the SSO config working: "async-aws/core": "^1.20", "async-aws/sso": "^0.1.0"

But it only allows us to use the legacy SSO configuration; the SSO token provider configuration is not working for async, and the messenger component shows this error: [messenger] No credentials found for profile "test". ["profile" => "test"]

We found in the vendor code that we are using the chain provider from async-aws/core (IniFileProvider), which doesn't allow using "sso_session" in a profile from the config file, but the chain provider CredentialProvider from aws/aws-sdk-php can use sso_session and the SSO token provider configuration. With async-aws/core the only function currently implemented for SSO is getCredentialsFromLegacySso($profileData, $profile);

This is our ~/.aws/config which works with the messenger component:

    [profile test]
    sso_start_url = https://test.awsapps.com/start
    sso_region = eu-central-1
    sso_account_id = 123
    sso_role_name = test
    region = eu-central-1
    output = json

And this one only works with aws-sdk-php for synchronous requests (S3/...), but not for async-aws with Symfony Messenger (error: No credentials found for profile):

    [profile test]
    sso_session = my-sso
    sso_account_id = 123456
    sso_role_name = test
    region = eu-central-1
    output = json

    [sso-session my-sso]
    sso_region = eu-central-1
    sso_start_url = https://test.awsapps.com/start
    sso_registration_scopes = sso:account:access

Do you know if there is a workaround, or if we need to wait for async-aws/core to enable the SSO token provider? Do you have any roadmap for it?

Loic-Hakisa • Oct 04 '23 09:10
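The difference between the two profile shapes in the issue (legacy sso_* keys inline vs. an sso_session reference to a separate [sso-session] section) is what decides whether a legacy-only resolver finds anything. The script below is an added example, not code from the reporter or from async-aws or aws-sdk-php, and it is in Python rather than PHP so it runs stand-alone. It parses an AWS-style config, resolves both shapes the way the SDK reference describes, and beside that emulates a resolver that only reads the legacy keys, so you can see which profiles would produce "No credentials found for profile". The start URL and account ids in the sample config are constructed placeholders; the helper names (load_config, resolve_sso_settings, resolve_legacy_only, diagnose) are this example's own.

```python
import configparser

# Constructed sample ~/.aws/config combining both variants from the issue.
# Start URL and account ids are placeholders, not real values.
SAMPLE_CONFIG = """
[profile legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 123
sso_role_name = test
region = eu-central-1
output = json

[profile token]
sso_session = my-sso
sso_account_id = 123456
sso_role_name = test
region = eu-central-1
output = json

[sso-session my-sso]
sso_region = eu-central-1
sso_start_url = https://example.awsapps.com/start
sso_registration_scopes = sso:account:access

[profile plain]
region = eu-central-1
"""

LEGACY_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
SESSION_KEYS = ("sso_start_url", "sso_region")


def load_config(text):
    """Parse AWS-config-style INI text: '=' is the only delimiter, no interpolation."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def profile_section(cp, name):
    """AWS config names the default profile '[default]' and others '[profile NAME]'."""
    section = "default" if name == "default" else f"profile {name}"
    return dict(cp.items(section)) if cp.has_section(section) else None


def resolve_sso_settings(cp, name):
    """Resolver that understands both shapes.

    Returns (kind, settings): kind is 'legacy', 'token-provider', 'none',
    'missing' or 'broken'; settings holds the merged SSO keys.
    """
    prof = profile_section(cp, name)
    if prof is None:
        return ("missing", {})
    if "sso_session" in prof:
        sess_section = f"sso-session {prof['sso_session']}"
        if not cp.has_section(sess_section):
            return ("broken", {"error": f"[{sess_section}] is not defined"})
        sess = dict(cp.items(sess_section))
        missing = [k for k in SESSION_KEYS if k not in sess]
        if missing:
            return ("broken", {"error": f"[{sess_section}] lacks {missing}"})
        merged = {k: sess[k] for k in SESSION_KEYS}
        merged["sso_account_id"] = prof.get("sso_account_id")
        merged["sso_role_name"] = prof.get("sso_role_name")
        merged["sso_registration_scopes"] = sess.get("sso_registration_scopes")
        return ("token-provider", merged)
    if all(k in prof for k in LEGACY_KEYS):
        return ("legacy", {k: prof[k] for k in LEGACY_KEYS})
    return ("none", {})


def resolve_legacy_only(cp, name):
    """Emulates a legacy-only resolver as the issue describes it: it reads the
    sso_* keys from the profile section itself and never follows sso_session,
    so a token-provider profile yields None ('No credentials found')."""
    prof = profile_section(cp, name)
    if prof is None or not all(k in prof for k in LEGACY_KEYS):
        return None
    return {k: prof[k] for k in LEGACY_KEYS}


def diagnose(text, name):
    """One-line explanation of how a profile fares under each resolver."""
    cp = load_config(text)
    kind, _ = resolve_sso_settings(cp, name)
    legacy_ok = resolve_legacy_only(cp, name) is not None
    if kind == "token-provider" and not legacy_ok:
        return (f"profile {name!r} uses sso_session; it needs a resolver "
                "that supports the SSO token provider")
    if kind == "legacy":
        return f"profile {name!r} uses legacy SSO keys; both resolvers accept it"
    return f"profile {name!r}: {kind}"


if __name__ == "__main__":
    for p in ("legacy", "token", "plain", "nope"):
        print(diagnose(SAMPLE_CONFIG, p))
```

Running it against a real ~/.aws/config (pass the file contents to diagnose) tells you before deploying a worker whether the profile it will use depends on sso_session support in the credential provider chain.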