feat(sso): use SSOTokenProvider in SSOCredentialProvider

Author: kuhe

packages/credential-provider-ini/src/resolveSsoCredentials.ts

@@ -4,10 +4,11 @@ import { SsoProfile } from "@aws-sdk/credential-provider-sso";
 export { isSsoProfile } from "@aws-sdk/credential-provider-sso";
 
 export const resolveSsoCredentials = (data: Partial<SsoProfile>) => {
-  const { sso_start_url, sso_account_id, sso_region, sso_role_name } = validateSsoProfile(data);
+  const { sso_start_url, sso_account_id, sso_session, sso_region, sso_role_name } = validateSsoProfile(data);
   return fromSSO({
     ssoStartUrl: sso_start_url,
     ssoAccountId: sso_account_id,
+    ssoSession: sso_session,
     ssoRegion: sso_region,
     ssoRoleName: sso_role_name,
   })();

packages/credential-provider-sso/src/fromSSO.ts

@@ -13,6 +13,12 @@ export interface SsoCredentialsParameters {
    */
   ssoStartUrl: string;
 
+  /**
+   * SSO session identifier.
+   * Presence implies usage of the SSOTokenProvider.
+   */
+  ssoSession?: string;
+
   /**
    * The ID of the AWS account to use for temporary credentials.
    */
@@ -36,35 +42,65 @@ export interface FromSSOInit extends SourceProfileInit {
 /**
  * Creates a credential provider that will read from a credential_process specified
  * in ini files.
+ *
+ * The SSO credential provider must support both
+ *
+ * 1. the legacy profile format,
+ * @example
+ * ```
+ * [profile sample-profile]
+ * sso_account_id = 012345678901
+ * sso_region = us-east-1
+ * sso_role_name = SampleRole
+ * sso_start_url = https://www.....com/start
+ * ```
+ *
+ * 2. and the profile format for SSO Token Providers.
+ * @example
+ * ```
+ * [profile sso-profile]
+ * sso_session = dev
+ * sso_account_id = 012345678901
+ * sso_role_name = SampleRole
+ *
+ * [sso-session dev]
+ * sso_region = us-east-1
+ * sso_start_url = https://www.....com/start
+ * ```
  */
 export const fromSSO =
   (init: FromSSOInit & Partial<SsoCredentialsParameters> = {}): CredentialProvider =>
   async () => {
-    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient } = init;
-    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName) {
+    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, ssoSession } = init;
+    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
       // Load the SSO config from shared AWS config file.
       const profiles = await parseKnownFiles(init);
       const profileName = getProfileName(init);
       const profile = profiles[profileName];
 
+      // TODO(sso): merge [sso-session X] data into the profile if sso_session exists in it.
+      // TODO(sso): if the sso profile and the sso-session both have region and start URL,
+      // TODO(sso):    they must match or an error shall be thrown.
+
       if (!isSsoProfile(profile)) {
         throw new CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
       }
 
-      const { sso_start_url, sso_account_id, sso_region, sso_role_name } = validateSsoProfile(profile);
+      const { sso_start_url, sso_account_id, sso_region, sso_role_name, sso_session } = validateSsoProfile(profile);
       return resolveSSOCredentials({
         ssoStartUrl: sso_start_url,
+        ssoSession: sso_session,
         ssoAccountId: sso_account_id,
         ssoRegion: sso_region,
         ssoRoleName: sso_role_name,
         ssoClient: ssoClient,
       });
-    } else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
+    } else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName || !ssoSession) {
       throw new CredentialsProviderError(
-        'Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
-          ' "ssoAccountId", "ssoRegion", "ssoRoleName"'
+        'Incomplete configuration. The fromSSO() argument hash must include "ssoAccountId",' +
+          ' "ssoRegion", "ssoRoleName", and one of "ssoStartUrl" or "ssoSession".'
       );
     } else {
-      return resolveSSOCredentials({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
+      return resolveSSOCredentials({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
     }
   };

packages/credential-provider-sso/src/isSsoProfile.ts

@@ -9,5 +9,6 @@ export const isSsoProfile = (arg: Profile): arg is Partial<SsoProfile> =>
   arg &&
   (typeof arg.sso_start_url === "string" ||
     typeof arg.sso_account_id === "string" ||
+    typeof arg.sso_session === "string" ||
     typeof arg.sso_region === "string" ||
     typeof arg.sso_role_name === "string");

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -17,6 +17,7 @@ const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
 
 export const resolveSSOCredentials = async ({
   ssoStartUrl,
+  ssoSession,
   ssoAccountId,
   ssoRegion,
   ssoRoleName,
@@ -25,6 +26,10 @@ export const resolveSSOCredentials = async ({
   let token: SSOToken;
   const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`;
   try {
+    // TODO(sso): if (ssoSession)
+    // TODO(sso): { use SSOTokenProvider }
+
+    // TODO(sso): else
     token = await getSSOTokenFromFile(ssoStartUrl);
   } catch (e) {
     throw new CredentialsProviderError(

packages/credential-provider-sso/src/types.ts

@@ -16,7 +16,8 @@ export interface SSOToken {
  * @internal
  */
 export interface SsoProfile extends Profile {
-  sso_start_url: string;
+  sso_start_url?: string;
+  sso_session?: string;
   sso_account_id: string;
   sso_region: string;
   sso_role_name: string;

packages/credential-provider-sso/src/validateSsoProfile.ts

@@ -6,13 +6,13 @@ import { SsoProfile } from "./types";
  * @internal
  */
 export const validateSsoProfile = (profile: Partial<SsoProfile>): SsoProfile => {
-  const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
-  if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
+  const { sso_start_url, sso_account_id, sso_session, sso_region, sso_role_name } = profile;
+  if ((!sso_start_url && !sso_session) || !sso_account_id || !sso_region || !sso_role_name) {
     throw new CredentialsProviderError(
-      `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
-        `"sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(
-          ", "
-        )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
+      `Profile is configured with invalid SSO credentials. Required parameters "sso_region", ` +
+        `"sso_role_name", "sso_account_id", and one of "sso_start_url" or "sso_session". Got ${Object.keys(
+          profile
+        ).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
       false
     );
   }