| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 |
- // Package ssocreds provides a credential provider for retrieving temporary AWS
- // credentials using an SSO access token.
- //
- // IMPORTANT: The provider in this package does not initiate or perform the AWS
- // SSO login flow. The SDK provider expects that you have already performed the
- // SSO login flow using AWS CLI using the "aws sso login" command, or by some
- // other mechanism. The provider must find a valid non-expired access token for
- // the AWS SSO user portal URL in ~/.aws/sso/cache. If a cached token is not
- // found, it is expired, or the file is malformed an error will be returned.
- //
- // # Loading AWS SSO credentials with the AWS shared configuration file
- //
- // You can use configure AWS SSO credentials from the AWS shared configuration file by
- // providing the specifying the required keys in the profile:
- //
- // sso_account_id
- // sso_region
- // sso_role_name
- // sso_start_url
- //
- // For example, the following defines a profile "devsso" and specifies the AWS
- // SSO parameters that defines the target account, role, sign-on portal, and
- // the region where the user portal is located. Note: all SSO arguments must be
- // provided, or an error will be returned.
- //
- // [profile devsso]
- // sso_start_url = https://my-sso-portal.awsapps.com/start
- // sso_role_name = SSOReadOnlyRole
- // sso_region = us-east-1
- // sso_account_id = 123456789012
- //
- // Using the config module, you can load the AWS SDK shared configuration, and
- // specify that this profile be used to retrieve credentials. For example:
- //
- // config, err := config.LoadDefaultConfig(context.TODO(), config.WithSharedConfigProfile("devsso"))
- // if err != nil {
- // return err
- // }
- //
- // # Programmatically loading AWS SSO credentials directly
- //
- // You can programmatically construct the AWS SSO Provider in your application,
- // and provide the necessary information to load and retrieve temporary
- // credentials using an access token from ~/.aws/sso/cache.
- //
- // client := sso.NewFromConfig(cfg)
- //
- // var provider aws.CredentialsProvider
- // provider = ssocreds.New(client, "123456789012", "SSOReadOnlyRole", "us-east-1", "https://my-sso-portal.awsapps.com/start")
- //
- // // Wrap the provider with aws.CredentialsCache to cache the credentials until their expire time
- // provider = aws.NewCredentialsCache(provider)
- //
- // credentials, err := provider.Retrieve(context.TODO())
- // if err != nil {
- // return err
- // }
- //
- // It is important that you wrap the Provider with aws.CredentialsCache if you
- // are programmatically constructing the provider directly. This prevents your
- // application from accessing the cached access token and requesting new
- // credentials each time the credentials are used.
- //
- // # Additional Resources
- //
- // Configuring the AWS CLI to use AWS Single Sign-On:
- // https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
- //
- // AWS Single Sign-On User Guide:
- // https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
- package ssocreds
|
