
[request]: SAML Credential Provider (AssumeRoleWithSAML)

Open abatkin opened this issue 4 years ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue, please leave a comment

Tell us about your request

Add support for assuming a role using a SAML Assertion (and calling the STS AssumeRoleWithSAML API)

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

We only allow assuming an IAM Role by using SAML (i.e. authenticating to an IdP out-of-band to obtain a SAML Assertion, then exchanging that for temporary IAM credentials using an AssumeRoleWithSAML request). The cleanest way to support this use case is with a Credential Provider that is capable of handling this automatically.

Are you currently working around this issue?

Some other SDKs support this already, in particular, Java's StsAssumeRoleWithSamlCredentialsProvider

Additional context

Ideally this would hook into existing infrastructure that knew how to automatically and transparently refresh credentials when needed (otherwise, a Credentials Provider isn't needed - simply call AssumeRoleWithSAML with appropriate parameters and use the returned temporary credentials directly). Obviously this will require some sort of pluggable mechanism (whether it's static/compile-time or dynamic/run-time binding I don't yet have an opinion on) to fetch a SAML assertion on-demand. Fetching a SAML Assertion could be a lengthy process (i.e. it may be necessary for the application to make network calls to another system), making the (expected) asynchronous behavior even more complicated.

abatkin, Jul 07 '21 02:07
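
The refresh behaviour the request describes, as an added sketch that is not part of the original issue and is not aws-sdk-rust code: a provider that caches temporary credentials, fetches a new SAML assertion through a pluggable callback when the cache nears expiry, and fails closed once credentials have expired. It is synchronous and uses only the standard library; `SamlCredentialsProvider`, `TempCredentials`, `fetch_assertion`, `exchange` and `refresh_window` are hypothetical names, and the IdP and STS calls are constructed stand-ins.

```rust
use std::time::{Duration, SystemTime};

#[derive(Clone, Debug, PartialEq)]
pub struct TempCredentials {
    pub access_key_id: String, // secret key and session token omitted for brevity
    pub expires_at: SystemTime,
}

pub struct SamlCredentialsProvider {
    /// Hypothetical plug-in: obtains a fresh SAML assertion from the IdP.
    pub fetch_assertion: Box<dyn FnMut() -> Result<String, String>>,
    /// Hypothetical stand-in for the STS AssumeRoleWithSAML call.
    pub exchange: Box<dyn FnMut(&str, SystemTime) -> Result<TempCredentials, String>>,
    pub refresh_window: Duration, // start refreshing this long before expiry
    pub cached: Option<TempCredentials>,
}

impl SamlCredentialsProvider {
    pub fn credentials(&mut self, now: SystemTime) -> Result<TempCredentials, String> {
        if let Some(c) = &self.cached {
            if now + self.refresh_window < c.expires_at {
                return Ok(c.clone()); // still fresh: no IdP or STS round trip
            }
        }
        // Every refresh fetches a new assertion; an old one is never replayed.
        let refreshed = (self.fetch_assertion)().and_then(|a| (self.exchange)(&a, now));
        match (refreshed, self.cached.take()) {
            (Ok(fresh), _) => { self.cached = Some(fresh.clone()); Ok(fresh) }
            // Refresh failed inside the window: the old credentials are still valid.
            (Err(_), Some(old)) if now < old.expires_at => { self.cached = Some(old.clone()); Ok(old) }
            // Expired or never obtained: fail closed, never serve stale credentials.
            (Err(e), _) => Err(e),
        }
    }
}

fn main() {
    // Constructed stand-ins for the IdP and STS; no network calls are made.
    let mut p = SamlCredentialsProvider {
        fetch_assertion: Box::new(|| Ok("constructed-assertion".to_string())),
        exchange: Box::new(|_a: &str, t: SystemTime| {
            Ok(TempCredentials { access_key_id: "EXAMPLE".into(), expires_at: t + Duration::from_secs(3600) })
        }),
        refresh_window: Duration::from_secs(300),
        cached: None,
    };
    println!("{:?}", p.credentials(SystemTime::now()));
}
```

An asynchronous version would keep the same decision logic and make the two callbacks futures.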