Class: Aws::SSOCredentials

Inherits:
Object
Includes:
CredentialProvider, RefreshingCredentials
Defined in:
lib/aws-sdk-core/sso_credentials.rb

Overview

An auto-refreshing credential provider that assumes a role via Aws::SSO::Client#get_role_credentials using a cached access token. When `sso_session` is specified, the token refresh logic from SSOTokenProvider is used to refresh the token when possible. This class does NOT implement the SSO login token flow: tokens must be generated separately by running `aws sso login` from the AWS CLI with the correct profile. `SSOCredentials` then auto-refreshes the AWS credentials from SSO.

# You must first run aws sso login --profile your-sso-profile
sso_credentials = Aws::SSOCredentials.new(
  sso_account_id: '123456789',
  sso_role_name: "role_name",
  sso_region: "us-east-1",
  sso_session: 'my_sso_session'
)
ec2 = Aws::EC2::Client.new(credentials: sso_credentials)

If you omit the `:client` option, a new Aws::SSO::Client object will be constructed with the additional options that were provided (its region set to `sso_region` and its `credentials` set to nil, since get_role_credentials is authorized by the SSO access token rather than by SigV4-signed credentials).
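The cached token is the first thing to check when this provider raises the SSO_LOGIN_GUIDANCE error. The following added example (not code from aws-sdk-core) locates and validates that cache entry using only the Ruby standard library. It assumes the cache layout the AWS CLI writes after `aws sso login`: `~/.aws/sso/cache/<sha1>.json`, keyed by the SHA-1 of the start URL for legacy profiles or of the session name when `sso_session` is used. The helpers `sso_cache_path`, `read_cached_sso_token` and `write_fixture_token`, the `SsoTokenCacheError` class and the sample token contents are invented for this example.

```ruby
# Added example (not part of aws-sdk-core): inspect the cached SSO access
# token that Aws::SSOCredentials consumes, before constructing the provider.
#
# Assumption: the cache lives at ~/.aws/sso/cache/<sha1>.json, keyed by the
# SHA-1 of the sso_start_url (legacy profiles) or of the sso_session name,
# which is the layout the AWS CLI writes after `aws sso login`.
require 'digest'
require 'json'
require 'time'
require 'tmpdir'
require 'fileutils'

class SsoTokenCacheError < StandardError; end

# Same wording as Aws::SSOCredentials::SSO_LOGIN_GUIDANCE, repeated here so
# the example runs without the gem installed.
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has ' \
                     'expired or is otherwise invalid. To refresh this SSO session run ' \
                     'aws sso login with the corresponding profile.'

# Path of the cache entry for either mode. Exactly one key is given, mirroring
# the sso_session / sso_start_url choice made in SSOCredentials.new.
def sso_cache_path(sso_start_url: nil, sso_session: nil, home: Dir.home)
  key = sso_session || sso_start_url
  raise ArgumentError, 'give :sso_session or :sso_start_url' if key.nil?
  sha1 = Digest::SHA1.hexdigest(key.encode('utf-8'))
  File.join(home, '.aws', 'sso', 'cache', "#{sha1}.json")
end

# Read the cached token and enforce the preconditions the provider needs: the
# file exists, parses, carries an accessToken, and expiresAt is still at least
# min_remaining seconds in the future. Returns the parsed hash (string keys).
def read_cached_sso_token(path, now: Time.now, min_remaining: 0)
  raise SsoTokenCacheError, "no cached token at #{path}; #{SSO_LOGIN_GUIDANCE}" unless File.file?(path)

  # The file holds a bearer token: flag permissions that expose it to other users.
  mode = File.stat(path).mode & 0o777
  warn "#{path} is readable by group/other (mode #{format('%o', mode)})" unless (mode & 0o077).zero?

  token = JSON.parse(File.read(path))
  unless token['accessToken'].is_a?(String) && token['expiresAt'].is_a?(String)
    raise SsoTokenCacheError, "malformed cache entry at #{path}; #{SSO_LOGIN_GUIDANCE}"
  end
  expires_at = Time.iso8601(token['expiresAt'])
  if expires_at <= now + min_remaining
    raise SsoTokenCacheError, "token expired at #{expires_at.utc.iso8601}; #{SSO_LOGIN_GUIDANCE}"
  end
  token
rescue JSON::ParserError => e
  raise SsoTokenCacheError, "cannot parse #{path}: #{e.message}; #{SSO_LOGIN_GUIDANCE}"
end

# Constructed fixture: write a cache entry for an sso_session the way the CLI
# would (owner-only permissions). All values below are made up for the example.
def write_fixture_token(home, session_name, expires_at)
  path = sso_cache_path(sso_session: session_name, home: home)
  FileUtils.mkdir_p(File.dirname(path))
  entry = {
    'startUrl' => 'https://example.awsapps.com/start', # constructed
    'region' => 'us-east-1',
    'accessToken' => 'constructed-access-token',
    'expiresAt' => expires_at.utc.iso8601
  }
  File.open(path, 'w', 0o600) { |f| f.write(JSON.generate(entry)) }
  path
end

def demo
  Dir.mktmpdir do |home|
    valid = write_fixture_token(home, 'my_sso_session', Time.now + 3600)
    expired = write_fixture_token(home, 'stale_session', Time.now - 60)
    puts "valid token: #{read_cached_sso_token(valid)['accessToken']}"
    begin
      read_cached_sso_token(expired)
    rescue SsoTokenCacheError => e
      puts "stale session: #{e.message}"
    end
  end
end

demo if $PROGRAM_NAME == __FILE__
```

Run the check with `min_remaining` set to the lead time you need (for example the duration of the job that will use the credentials), so a token that is valid now but about to lapse is reported before the provider's first get_role_credentials call fails.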

Constant Summary collapse

LEGACY_REQUIRED_OPTS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

[:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
TOKEN_PROVIDER_REQUIRED_OPTS =
[:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
SSO_LOGIN_GUIDANCE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

'The SSO session associated with this profile has '\
'expired or is otherwise invalid. To refresh this SSO session run '\
'aws sso login with the corresponding profile.'.freeze

Constants included from RefreshingCredentials

RefreshingCredentials::ASYNC_EXPIRATION_LENGTH, RefreshingCredentials::CLIENT_EXCLUDE_OPTIONS, RefreshingCredentials::SYNC_EXPIRATION_LENGTH

Instance Attribute Summary collapse

Attributes included from CredentialProvider

#credentials, #expiration

Instance Method Summary collapse

Methods included from RefreshingCredentials

#credentials, #refresh!

Methods included from CredentialProvider

#set?

Constructor Details

#initialize(options = {}) ⇒ SSOCredentials

Returns a new instance of SSOCredentials.

Parameters:

  • options (Hash) (defaults to: {})

    a customizable set of options

Options Hash (options):

  • :sso_account_id (required, String)

    The AWS account ID that temporary AWS credentials will be resolved for

  • :sso_role_name (required, String)

    The corresponding IAM role in the AWS account that temporary AWS credentials will be resolved for.

  • :sso_region (required, String)

    The AWS region where the SSO directory for the given sso_start_url is hosted.

  • :sso_session (String)

    The name of the SSO session (as configured for `aws sso login`) whose cached token is used to fetch credentials. If provided, refresh logic from the Aws::SSOTokenProvider will be used.

  • :sso_start_url (String, legacy profiles only)

    If provided, legacy token fetch behavior will be used, which does not support token refreshing. The start URL is provided by the SSO service via the console and is the URL used to login to the SSO directory. This is also sometimes referred to as the “User Portal URL”.

  • :client (SSO::Client)

    Optional `SSO::Client`. If not provided, a client will be constructed.

  • :before_refresh (Callable)

    Proc called before credentials are refreshed. `before_refresh` is called with an instance of this object when AWS credentials are required and need to be refreshed.

# File 'lib/aws-sdk-core/sso_credentials.rb', line 69

def initialize(options = {})
  # Drop nil-valued options so the required-key checks below see them as missing.
  options = options.select {|k, v| !v.nil? }
  if (options[:sso_session])
    # sso_session mode: the access token is read and refreshed by SSOTokenProvider.
    missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
    unless missing_keys.empty?
      raise ArgumentError, "Missing required keys: #{missing_keys}"
    end
    @legacy = false
    @sso_role_name = options.delete(:sso_role_name)
    @sso_account_id = options.delete(:sso_account_id)

    # if client has been passed, don't pass through to SSOTokenProvider
    @client = options.delete(:client)
    options.delete(:sso_start_url)
    @token_provider = Aws::SSOTokenProvider.new(options.dup)
    @sso_session = options.delete(:sso_session)
    @sso_region = options.delete(:sso_region)

    unless @client
      client_opts = {}
      options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
      client_opts[:region] = @sso_region
      # get_role_credentials is authorized by the SSO access token, not SigV4;
      # credentials: nil keeps this client from running the default credential chain.
      client_opts[:credentials] = nil
      @client = Aws::SSO::Client.new(client_opts)
    end
  else # legacy behavior
    # Legacy mode: use the token `aws sso login` cached under the start URL; no refresh.
    missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
    unless missing_keys.empty?
      raise ArgumentError, "Missing required keys: #{missing_keys}"
    end
    @legacy = true
    @sso_start_url = options.delete(:sso_start_url)
    @sso_region = options.delete(:sso_region)
    @sso_role_name = options.delete(:sso_role_name)
    @sso_account_id = options.delete(:sso_account_id)

    # validate we can read the token file (fails fast when it is missing or expired)
    read_cached_token

    client_opts = {}
    options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
    client_opts[:region] = @sso_region
    client_opts[:credentials] = nil

    @client = options[:client] || Aws::SSO::Client.new(client_opts)
  end

  # Remaining options (including :before_refresh) go to RefreshingCredentials,
  # which performs the initial credential fetch.
  @async_refresh = true
  super
end

Instance Attribute Details

#client ⇒ SSO::Client (readonly)

Returns:

  • (SSO::Client)

# File 'lib/aws-sdk-core/sso_credentials.rb', line 121

def client
  @client
end