Class: Aws::SSOCredentials

Inherits:
Object
Includes:
CredentialProvider, RefreshingCredentials
Defined in:
lib/aws-sdk-core/sso_credentials.rb

Overview

An auto-refreshing credential provider that works by assuming a role via Aws::SSO::Client#get_role_credentials using a cached access token. This class does NOT implement the SSO login token flow: tokens must be generated and refreshed separately by running `aws login` from the AWS CLI with the correct profile.

For more background on AWS SSO, see the official "What is SSO" section of the AWS User Guide.

## Refreshing Credentials from SSO

The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In addition to AWS credentials expiring after a given amount of time, the access token generated and cached from `aws login` will also expire. Once this token expires, it will not be usable to refresh AWS credentials, and another token will be needed. The SDK does not manage refreshing of the token value, but this can be done by running `aws login` with the correct profile.

```ruby
# You must first run aws sso login --profile your-sso-profile
sso_credentials = Aws::SSOCredentials.new(
  sso_account_id: '123456789',
  sso_role_name: "role_name",
  sso_region: "us-east-1",
  sso_start_url: 'https://your-start-url.awsapps.com/start'
)

ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
```

If you omit the `:client` option, a new Aws::SSO::Client object will be constructed.
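The paragraph above explains that the provider depends on a cached access token that expires independently of the AWS credentials it refreshes. The following added example (not part of the SDK's own code) shows how that pre-check can be reproduced and tested offline: it validates the four required options the same way the constructor does, then inspects a cache entry and reports whether the token is missing, malformed, expired or still valid, so an operator can tell whether `aws sso login` is needed before a refresh fails. It assumes the AWS CLI's cache layout, a JSON file named after the SHA-1 hex digest of the start URL with `accessToken` and `expiresAt` fields, and writes constructed entries into a temporary directory rather than touching `~/.aws/sso/cache`.

```ruby
require 'json'
require 'digest'
require 'time'
require 'tmpdir'
require 'fileutils'

# Same required-option list the constructor enforces.
SSO_REQUIRED_OPTS = %i[sso_account_id sso_region sso_role_name sso_start_url].freeze

# Message mirroring the guidance the provider raises when the session is stale.
LOGIN_GUIDANCE = 'The SSO session associated with this profile has expired or is ' \
                 'otherwise invalid. To refresh this SSO session run aws sso login ' \
                 'with the corresponding profile.'.freeze

# Returns the required option keys that are absent or nil (empty array when complete).
def missing_sso_options(options)
  SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
end

# Assumed cache layout: <cache_dir>/<sha1 hex of start URL>.json
def sso_cache_file(start_url, cache_dir)
  File.join(cache_dir, "#{Digest::SHA1.hexdigest(start_url.encode('utf-8'))}.json")
end

# Classify the cached token without contacting any AWS endpoint.
# Returns a hash with :status (:missing, :invalid, :expired or :valid) and details.
def check_cached_token(start_url, cache_dir, now: Time.now)
  path = sso_cache_file(start_url, cache_dir)
  return { status: :missing, path: path, guidance: LOGIN_GUIDANCE } unless File.exist?(path)

  token = JSON.parse(File.read(path))
  unless token['accessToken'] && token['expiresAt']
    return { status: :invalid, path: path, guidance: LOGIN_GUIDANCE }
  end

  expires_at = Time.parse(token['expiresAt'])
  if expires_at <= now
    { status: :expired, path: path, expires_at: expires_at, guidance: LOGIN_GUIDANCE }
  else
    { status: :valid, path: path, expires_at: expires_at,
      seconds_left: (expires_at - now).to_i }
  end
end

# Write a constructed cache entry for the demonstration only; the real file is
# produced by `aws sso login`, never by application code.
def write_cache_entry(start_url, cache_dir, expires_at)
  FileUtils.mkdir_p(cache_dir)
  path = sso_cache_file(start_url, cache_dir)
  File.write(path, JSON.generate(
    'startUrl' => start_url,
    'region' => 'us-east-1',
    'accessToken' => 'constructed-token-value',
    'expiresAt' => expires_at.utc.iso8601
  ))
  path
end

# Walk through the three states a practitioner meets in practice and return them.
def demo
  Dir.mktmpdir do |dir|
    url = 'https://your-start-url.awsapps.com/start'
    now = Time.utc(2024, 1, 1, 12, 0, 0) # fixed clock so results are deterministic
    results = {}
    results[:missing] = check_cached_token(url, dir, now: now)[:status]
    write_cache_entry(url, dir, now - 60)     # expired one minute ago
    results[:expired] = check_cached_token(url, dir, now: now)[:status]
    write_cache_entry(url, dir, now + 3600)   # valid for another hour
    results[:valid] = check_cached_token(url, dir, now: now)[:status]
    results
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints `{:missing=>:missing, :expired=>:expired, :valid=>:valid}`. In a real deployment the check would point at `~/.aws/sso/cache`; the useful property is that an expired or absent token is detected before any `get_role_credentials` call, which is exactly the condition the SDK reports with its login guidance.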

Constant Summary

SSO_REQUIRED_OPTS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

```ruby
[:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
```

SSO_LOGIN_GUIDANCE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

```ruby
'The SSO session associated with this profile has '\
'expired or is otherwise invalid. To refresh this SSO session run '\
'aws sso login with the corresponding profile.'.freeze
```

Instance Attribute Summary

Attributes included from CredentialProvider

#credentials

Instance Method Summary

Methods included from RefreshingCredentials

#credentials, #expiration, #refresh!

Methods included from CredentialProvider

#set?

Constructor Details

#initialize(options = {}) ⇒ SSOCredentials

Returns a new instance of SSOCredentials.

Parameters:

  • options (Hash) (defaults to: {})

    a customizable set of options

Options Hash (options):

  • :sso_account_id (required, String)

    The AWS account ID that temporary AWS credentials will be resolved for

  • :sso_region (required, String)

    The AWS region where the SSO directory for the given sso_start_url is hosted.

  • :sso_role_name (required, String)

    The corresponding IAM role in the AWS account that temporary AWS credentials will be resolved for.

  • :sso_start_url (required, String)

    The start URL is provided by the SSO service via the console and is the URL used to log in to the SSO directory. This is also sometimes referred to as the "User Portal URL".

  • :client (SSO::Client)

    Optional `SSO::Client`. If not provided, a client will be constructed.


```ruby
# File 'lib/aws-sdk-core/sso_credentials.rb', line 66

def initialize(options = {})

  # Fail fast when any of the four required SSO options is absent or nil.
  missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
  unless missing_keys.empty?
    raise ArgumentError, "Missing required keys: #{missing_keys}"
  end

  # Remove the SSO-specific options so only client options are passed on.
  @sso_start_url = options.delete(:sso_start_url)
  @sso_region = options.delete(:sso_region)
  @sso_role_name = options.delete(:sso_role_name)
  @sso_account_id = options.delete(:sso_account_id)

  # validate we can read the token file
  read_cached_token

  # The SSO client authenticates with the cached access token rather than
  # AWS credentials, so no credentials are resolved for it.
  options[:region] = @sso_region
  options[:credentials] = nil
  @client = options[:client] || Aws::SSO::Client.new(options)
  super
end
```

Instance Attribute Details

#client ⇒ SSO::Client (readonly)

Returns:

  • (SSO::Client)

```ruby
# File 'lib/aws-sdk-core/sso_credentials.rb', line 88

def client
  @client
end
```