Support for AWS Single Sign-on (SSO) #1402
Comments
Ok, good news, I took a look at this tonight and have some answers (and questions). First, a bit of technical background: Architect assumes that its users may (or may not) have a Users can also set credentials via standard AWS env vars ( Using An AWS credentials object instantiated via SSO can be loaded programmatically (by Architect) via the Architect uses SDK v2.1055.0 because that's what Lambda uses. Specifically: Line 47 in 9a67a41
So the primary technical challenge here is: how to instantiate these credentials programmatically, quickly, without resorting to shenanigans like having two installations of AWS SDK v2 (which clocks in at thousands of files and ~90MB). Yes, we could just upgrade the SDK to a version that supports Ok, so assuming we solve that¹, now what does the ideal solution look like in Arc-land? Some related questions:
/cc @Ankcorn ¹ I'm open to ideas on how. This module looks promising, but at best it'd probably have to be forked, as it is pretty massive due to all its CLI tooling.
For the record, our team does not necessarily use the same profile names, so we would not want to commit a profile name in app.arc (but if Architect required this, we could probably make it work by having our setup guide explain to our engineers that they must use a specific profile name).
Our typical engineer setup is to have all profiles configured in our ~/.aws/config file. Our engineers generally do not have a ~/.aws/credentials file. Is this unusual? A typical entry in our ~/.aws/config file:
While I'm definitely not qualified to say what's usual or unusual, given what I've learned about SSO thus far, if that's what you're expected to use, that seems normal. However, any dev with a personal / side-project AWS account will probably have a credentials file, so I think we should assume both may be found.
Discussed further this morning with @brianleroux and we're coming around to the idea of enabling this by upgrading
Just want to add that I've recently started working on a project that uses SSO, but I am in that situation identified by @ryanblock that I have both an SSO profile in I think the tradeoff with AWS SDK version is reasonable. Presumably anyone who is targeting a Node.js version and related AWS SDK version below that which Arc internals require could include that locally in their project
In my case I also needed to add
Is your feature request related to a problem? Please describe.
My company uses AWS Single Sign-on (SSO) (recently relaunched as IAM Identity Center) to require our engineers to log into AWS and assume roles using the same credentials that we use to access our other internal services and systems.
Currently, Architect does not support this form of authentication, requiring a clumsy work-around (see below).
Architect currently complains that AWS_PROFILE is not configured when it is configured for SSO:
Describe the solution you'd like
I'd like Architect transparently to support AWS SSO:
Describe alternatives you've considered
The work-around I'm currently using is to set up a shell alias (thanks to @monken) that lets me convert my AWS SSO session into legacy credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY). I've added this to my .zshrc:
…and then I can use Architect like this:
This is workable, but significantly more cumbersome to scale to a team, and it leaves the shell environment "polluted" with the temporary SSO-generated credentials that I need to remember to remove or replace when I'm done working with this profile.
Additional context or notes
Actual screenshot of this affecting me: