steampipe-plugin-aws

Add support for config file SSO authentication without storing temporary creds

Open cbruno10 opened this issue 3 years ago • 6 comments

Is your feature request related to a problem? Please describe.

If I have profile information in my ~/.aws/config file and use SSO config, e.g.,

# [profile sso1]
# sso_start_url = https://d-12345.awsapps.com/start
# sso_region = us-east-1
# sso_account_id = 012345678912
# sso_role_name = my_sso_admin
# region = us-east-1
# output = json

I need to login with aws sso login first in order for the plugin to work.

Describe the solution you'd like

I'd like for authentication to work without needing to store temporary credentials or running aws sso login.

Describe alternatives you've considered

N/A


cbruno10, Nov 05 '21 21:11

A blog post from AWS does include a step for running aws sso login ... from the CLI in order to authenticate with the Go SDKs (v1 and v2) - https://aws.amazon.com/blogs/developer/aws-sso-support-in-the-aws-sdk-for-go/.

I'm not sure if there's a way around this step, will need more investigation.

cbruno10, Nov 06 '21 03:11

So this is a complicated topic; however, it's useful for people to understand that you only need to call aws sso login once per SSO provider. That is, if you have 5 AWS accounts in your AWS Org, all protected by the single SSO system, and you log in to any profile, the SDKs can use that to then auth to the other accounts.

As a result of all of this the connection_config.go for AWS could do something like...

import (
    "bufio"
    "fmt"
    "os/exec"
    "strings"
    "time"
)

// runAWSLogin shells out to `aws sso login --profile=<profile>` and streams the
// CLI's output (the verification URL and user code) to the terminal so the
// user can approve the request in a browser. The CLI blocks until approval,
// so the process is killed if that takes longer than 30 seconds.
// It returns the words read from stdout and any start/exit error.
func runAWSLogin(profile string) (string, error) {
    cmd := exec.Command("aws", "sso", "login", "--profile="+profile)
    stdout, err := cmd.StdoutPipe()
    if err != nil {
        return "", err
    }
    if err := cmd.Start(); err != nil {
        return "", err
    }
    timer := time.AfterFunc(30*time.Second, func() {
        cmd.Process.Kill()
    })
    defer timer.Stop()

    var words []string
    scanner := bufio.NewScanner(stdout)
    scanner.Split(bufio.ScanWords)
    for scanner.Scan() {
        m := scanner.Text()
        fmt.Println(m)
        words = append(words, m)
    }
    err = cmd.Wait()
    return strings.Join(words, " "), err
}

The awscli holds this function open for up to 30 seconds until you go to the URL and approve the request. At this point, steampipe could finish the start and use SSO to log in to any profiles selected.

So my real question is: while this could be solved as above using exec, the larger question is "SHOULD" it be?

dbmurphy, Dec 17 '21 20:12
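A check that complements the exec approach in the comment above, added here as an example and not code from the steampipe-plugin-aws project or from the commenter: before shelling out to aws sso login, look in the AWS CLI v2 token cache (~/.aws/sso/cache/*.json, whose entries carry startUrl, accessToken and expiresAt) for an unexpired token matching the profile's sso_start_url, since one login per SSO provider is enough. The function name HasValidSSOToken and the cache layout (AWS CLI v2 behaviour as I know it) are assumptions; the start URL in main is the one from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// ssoCacheEntry mirrors the fields the AWS CLI v2 writes to ~/.aws/sso/cache/<hash>.json after `aws sso login`.
type ssoCacheEntry struct {
	StartURL    string `json:"startUrl"`
	AccessToken string `json:"accessToken"`
	ExpiresAt   string `json:"expiresAt"` // RFC 3339, e.g. 2021-11-06T03:00:00Z
}

// HasValidSSOToken reports whether cacheDir holds an unexpired SSO token for startURL.
// The token itself is never returned or logged; callers learn only whether `aws sso login`
// can be skipped. Other JSON files in the directory (OIDC client registrations) lack startUrl and are ignored.
func HasValidSSOToken(cacheDir, startURL string, now time.Time) (bool, error) {
	paths, err := filepath.Glob(filepath.Join(cacheDir, "*.json"))
	if err != nil {
		return false, err
	}
	for _, p := range paths {
		raw, err := os.ReadFile(p)
		if err != nil {
			return false, err
		}
		var e ssoCacheEntry
		if json.Unmarshal(raw, &e) != nil || e.StartURL != startURL || e.AccessToken == "" {
			continue
		}
		exp, err := time.Parse(time.RFC3339, e.ExpiresAt)
		if err != nil || !exp.After(now) {
			continue // expired or malformed: a fresh login is needed
		}
		return true, nil
	}
	return false, nil
}

func main() {
	home, _ := os.UserHomeDir()
	cache := filepath.Join(home, ".aws", "sso", "cache")
	ok, err := HasValidSSOToken(cache, "https://d-12345.awsapps.com/start", time.Now())
	fmt.Println("cached SSO token usable:", ok, err)
}
```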

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot], Feb 18 '22 23:02

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot], Apr 25 '22 23:04

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot], Jul 03 '22 23:07

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot], Sep 26 '22 23:09

This issue was closed because it has been stalled for 90 days with no activity.

github-actions[bot], Oct 27 '22 23:10