Enable Credential Chaining to Automatically Load SSO Profiles from INI config #2848

Open
1 of 2 tasks
exussum12 opened this issue Nov 29, 2023 · 4 comments
Labels
feature-request A feature should be added or improved. p3 This is a minor priority issue


exussum12 commented Nov 29, 2023

Describe the feature

I am hoping to follow this workflow

`aws configure sso` or `aws sso login --profile=something`

Commands on the AWS CLI work. I am hoping to be able to reuse the same profile (`something` in the case above) in PHP scripts.

Use Case

Removing long-lived keys for local development

Proposed Solution

The SSO logs to a few files (`~/.aws/sso/cache`).

These should be scanned when looking for a profile being passed. Current behaviour is:

```
PHP Fatal error: Uncaught Aws\Exception\CredentialsException: 'something' not found in credentials file in /tmp/aws/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:826
```

Other Information

This should ideally work for rules assumed via other accounts. That has a separate storage (`.aws/cli/cache`).

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

Latest

Environment details (Version of PHP (php -v)? OS name and version, etc.)

php 8.2

@exussum12 exussum12 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 29, 2023
@exussum12
Author

exussum12 commented Nov 29, 2023

So this does work as follows:

```php
'credentials' => CredentialProvider::sso('something'),
```

In a construct, not sure if the profile should pick it up? That is how the CLI works.

Digging into this some more, if a profile is passed the ini loader is called, which does not support SSO. Any objections to moving that to a chain? First a standard profile and fall back to an SSO profile.

@yenfryherrerafeliz yenfryherrerafeliz added needs-review p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Feb 16, 2024
@RanVaknin
Contributor

Hi @exussum12,

Sorry for the long wait. We have discussed this as a team but are confused about the ask here.
Can you please provide a minimal snippet (imports, client instantiation and config) that highlights what you are trying to do?

Thanks,
Ran

@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-review labels Aug 19, 2024
@exussum12
Author

exussum12 commented Aug 21, 2024

Hi

Assuming you have SSO set up called `prod_sso`.

```php
<?php
require_once './vendor/autoload.php';

use Aws\DynamoDb\DynamoDbClient;

// 'profile' names an SSO profile that exists only in ~/.aws/config
$dynamoDbClient = DynamoDbClient::factory(array(
    'profile' => 'prod_sso',
    'region'  => 'eu-west-1',
));
// Credentials are resolved on the first request, which is where the error is thrown
var_dump($dynamoDbClient->listTables());
```

```
PHP Fatal error: Uncaught Aws\Exception\CredentialsException: 'prod_sso' not found in credentials file in /tmp/aws/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:846
```

The CLI works:

```
aws --profile=prod_sso dynamodb list-tables
```

For full clarity:

```ini
[profile prod_sso]
sso_start_url = https://theUrl/start
sso_region = eu-west-1
sso_account_id = 99999999
sso_role_name = RoleIWishToAssume
region = eu-west-1
output = json
```

Set up from `aws configure sso`.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 22, 2024
@RanVaknin RanVaknin changed the title Use of SSO roles for PHP CLI Enable Credential Chaining to Automatically Load SSO Profiles from INI config Oct 4, 2024
@RanVaknin
Contributor

Hi @exussum12 thanks for the clarification. I updated the title to better reflect the request.

Thanks,
Ran~
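
The fallback proposed in this thread (standard profile first, then an SSO profile of the same name) can be approximated in user code with the SDK's existing `CredentialProvider::chain()`, `ini()`, `sso()` and `memoize()` helpers. This is an added example, not code from the issue or from the SDK; the helper name `profileOrSsoProvider` is hypothetical, and `prod_sso` and `eu-west-1` are taken from the reproducer above.

```php
<?php
// Added example: user-side ini -> SSO fallback, not the SDK's own behaviour.
require_once './vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\DynamoDb\DynamoDbClient;
use Aws\Exception\CredentialsException;

/**
 * Hypothetical helper: resolve $profile from the shared credentials file
 * first, then fall back to the SSO profile of the same name.
 */
function profileOrSsoProvider(string $profile): callable
{
    // chain() tries each provider in order and moves on when one rejects.
    $chain = CredentialProvider::chain(
        CredentialProvider::ini($profile), // static keys in ~/.aws/credentials
        CredentialProvider::sso($profile)  // [profile ...] in ~/.aws/config + SSO token cache
    );

    // memoize() caches the resolved credentials and re-runs the chain
    // once they expire, so short-lived SSO credentials get refreshed.
    return CredentialProvider::memoize($chain);
}

$client = new DynamoDbClient([
    'version'     => 'latest',
    'region'      => 'eu-west-1',
    // Pass the provider explicitly instead of the 'profile' option.
    'credentials' => profileOrSsoProvider('prod_sso'),
]);

try {
    var_dump($client->listTables());
} catch (CredentialsException $e) {
    // Neither provider produced credentials, for example because there is
    // no usable cached SSO login (see `aws sso login --profile=prod_sso`).
    fwrite(STDERR, 'No credentials for prod_sso: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Because the ini provider is tried first, a static key left in `~/.aws/credentials` under the same profile name takes precedence over the SSO session; delete such entries if the goal is to retire long-lived keys.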
