Support AWS SSO Profiles in the Eventbridge schema generator

Open ryancormack opened this issue 1 year ago • 1 comments

Have you read the Contributing Guidelines on issues?

Description

The EB Plugin currently requires you to pass in some credentials as part of the options:

generators: [
  [
    '@eventcatalog/plugin-doc-generator-amazon-eventbridge',
    {
      eventBusName: "mw-backbone-dev",
      region: 'eu-west-1', // your region
      registryName: 'discovered-schemas', // your registry normally "discovered-schemas"
      credentials: {
        accessKeyId: '',
        secretAccessKey: '',
        sessionToken: ''
      },
    },
  ],
],

These get type checked here, https://github.com/boyney123/eventcatalog/blob/master/packages/eventcatalog-plugin-generator-amazon-eventbridge/src/types.ts#L11 and then passed into the AWS SDKs here, https://github.com/boyney123/eventcatalog/blob/master/packages/eventcatalog-plugin-generator-amazon-eventbridge/src/lib/aws.ts#L163-L167

This requires the keys to be set in the environment and prevents the use of AWS SSO Profiles. The AWS SDKs themselves will attempt to get credentials from an SSO Profile, the existing env variables or several other processes.

Supporting SSO Profiles would make running this easier for users locally who either can't get static short (or long) lived tokens, or who don't wish to have to copy and paste them around the place.

Proposed Solution

Given the order in which the SDKs already attempt to resolve credentials, I would propose making the existing inputs optional (but keeping them as the first/default choice, overriding the SDK patterns), while making it able to accept no inputs and allowing the SDKs to resolve how they wish.

Alternatively, to address only the issue of SSO Profiles, accepting another input of ssoProfileName and using that when defined over the other credential options.

Motivation

Being able to use different profiles to run EventCatalog locally. Needing to set credentials in the env or in text in code isn't always ideal when services like AWS SSO (or AWS IAM Identity Center as it likes to be known) are able to more securely generate credentials and even auto refresh them if needed.

ryancormack, May 16 '24 15:05
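
An added example, not part of the original issue or the EventCatalog code base: one way the plugin could pick a credential source if both proposals above were combined. It assumes the proposed `ssoProfileName` option, a hypothetical `resolveClientConfig` helper, and an injected `fromSSO` factory (in real use, the one exported by `@aws-sdk/credential-providers`); the precedence between a profile and static keys is an assumption taken from the wording of the alternative proposal.

```javascript
// Added example, not EventCatalog code. `fromSSO` is injected so this runs
// without the AWS SDK installed; `ssoProfileName` is the issue's proposed option.
function resolveClientConfig(options, fromSSO) {
  const { region, credentials, ssoProfileName } = options;
  const config = { region };

  // Empty strings (as in the issue's snippet) count as "not supplied".
  const creds = credentials || {};
  const hasKeyId = Boolean(creds.accessKeyId);
  const hasSecret = Boolean(creds.secretAccessKey);
  if (hasKeyId !== hasSecret) {
    // Fail closed on a half-filled pair instead of falling through silently.
    throw new Error('accessKeyId and secretAccessKey must be set together');
  }

  // 1. A named SSO profile is used "when defined over the other options".
  if (ssoProfileName) {
    if (typeof fromSSO !== 'function') {
      throw new Error('ssoProfileName set but no SSO provider factory given');
    }
    config.credentials = fromSSO({ profile: ssoProfileName });
    return { source: 'sso-profile', config };
  }

  // 2. Explicit static keys, the plugin's existing behaviour.
  if (hasKeyId) {
    config.credentials = {
      accessKeyId: creds.accessKeyId,
      secretAccessKey: creds.secretAccessKey,
      ...(creds.sessionToken ? { sessionToken: creds.sessionToken } : {}),
    };
    return { source: 'explicit', config };
  }

  // 3. Nothing supplied: omit `credentials` so the SDK's own chain resolves.
  return { source: 'sdk-default', config };
}

// Constructed stand-in for fromSSO: returns a provider function, contacts nothing.
const stubFromSSO = ({ profile }) => async () => ({ profile });
// Constructed inputs; only the chosen source is printed, never key material.
for (const opts of [
  { region: 'eu-west-1', credentials: { accessKeyId: '', secretAccessKey: '', sessionToken: '' } },
  { region: 'eu-west-1', ssoProfileName: 'dev-sso' },
  { region: 'eu-west-1', credentials: { accessKeyId: 'AKIAEXAMPLE', secretAccessKey: 'example-secret' } },
]) console.log(resolveClientConfig(opts, stubFromSSO).source);
```

The returned `config` is what would be passed to the AWS SDK client constructor; `source` is safe to log because it never contains key material.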