class Aws::SSOCredentials
@see docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
@see Aws::SSO::Client#get_role_credentials
constructed with additional options that were provided.
If you omit the `:client` option, a new {Aws::SSO::Client} object will be
ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
)
sso_start_url: 'your-start-url.awsapps.com/start'
sso_region: 'us-east-1',
sso_role_name: 'role_name',
sso_account_id: '123456789',
sso_credentials = Aws::SSOCredentials.new(
# You must first run `aws sso login --profile your-sso-profile`
correct profile.
the token value, but this can be done by running `aws login` with the
and another token will be needed. The SDK does not manage refreshing of
Once this token expires, it will not be usable to refresh AWS credentials,
access token generated and cached from `aws login` will also expire.
addition to AWS credentials expiring after a given amount of time, the
The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
AWS CLI with the correct profile.
must be generated and refreshed separately by running `aws login` from the
token. This class does NOT implement the SSO login token flow - tokens
{Aws::SSO::Client#get_role_credentials} using a cached access
An auto-refreshing credential provider that assumes a role via
def initialize(options = {})
(**options)
-
before_refresh
(Callable
) -- Proc called before -
:client
(SSO::Client
) -- Optional `SSO::Client`. If not -
:sso_start_url
(required, String
) -- The start URL is -
:sso_role_name
(required, String
) -- The corresponding -
:sso_region
(required, String
) -- The AWS region where the -
:sso_account_id
(required, String
) -- The AWS account ID
# Builds the provider: checks that every required SSO option is present,
# captures the SSO settings as instance state, verifies up front that the
# cached login token can be read, and then constructs (or adopts) the
# {Aws::SSO::Client} that #refresh will call.
#
# @param options [Hash] constructor options. The four `:sso_*` keys are
#   removed from the hash; every remaining key not listed in
#   CLIENT_EXCLUDE_OPTIONS is forwarded to the SSO client, and the
#   (now reduced) hash is passed on to `super`.
# @raise [ArgumentError] when any key in SSO_REQUIRED_OPTS is nil.
# @raise [Errors::InvalidSSOCredentials] when the cached token cannot be
#   read or is expired (propagated from #read_cached_token).
def initialize(options = {})
  absent = SSO_REQUIRED_OPTS.select { |key| options[key].nil? }
  raise ArgumentError, "Missing required keys: #{absent}" unless absent.empty?

  # Pull the SSO settings out of the hash so they are not forwarded to
  # the SSO client (and not seen by the parent initializer).
  @sso_start_url  = options.delete(:sso_start_url)
  @sso_region     = options.delete(:sso_region)
  @sso_role_name  = options.delete(:sso_role_name)
  @sso_account_id = options.delete(:sso_account_id)

  # Fail fast: a missing, malformed or expired token file is reported at
  # construction time rather than on the first refresh.
  read_cached_token

  # Whatever is left (minus the excluded keys) configures the SSO client.
  client_opts = options.reject { |key, _| CLIENT_EXCLUDE_OPTIONS.include?(key) }
  client_opts[:region] = @sso_region
  # The client is deliberately built without AWS credentials: #refresh
  # authenticates with the cached access token instead.
  client_opts[:credentials] = nil
  @client = options[:client] || Aws::SSO::Client.new(client_opts)

  # NOTE(review): consumed by the parent class; its exact effect is not
  # visible in this file.
  @async_refresh = true
  super
end
def read_cached_token
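# Reads and validates the SSO access token that `aws login` cached on disk.
#
# The file located by #sso_cache_file is parsed as JSON and must be a JSON
# object carrying both `accessToken` and a string `expiresAt`; a token whose
# `expiresAt` is in the past is rejected too. Every failure mode — missing
# file, unparsable JSON, a document that is not an object, missing fields,
# an unparsable or past `expiresAt`, or an unset HOME — is mapped to one
# error carrying SSO_LOGIN_GUIDANCE, so callers get the same remediation
# hint and no token contents appear in the message.
#
# @return [Hash] the parsed token document.
# @raise [Errors::InvalidSSOCredentials] when the cached token is unusable.
def read_cached_token
  cached_token = Json.load(File.read(sso_cache_file))
  # The file is written by an external tool and may have been edited, so
  # its shape is not trusted: a JSON array, string or null would otherwise
  # raise TypeError/NoMethodError on the `[]` calls below and escape the
  # rescue clause. A non-string expiresAt would likewise make DateTime.parse
  # raise TypeError instead of ArgumentError.
  unless cached_token.is_a?(Hash) &&
         cached_token['accessToken'] &&
         cached_token['expiresAt'].is_a?(String)
    raise ArgumentError, 'Missing required field(s)'
  end
  # DateTime.parse raises ArgumentError (Date::Error) for a value that is
  # not a date; the rescue below folds that into the guidance error.
  expires_at = DateTime.parse(cached_token['expiresAt'])
  raise ArgumentError, 'Cached SSO Token is expired.' if expires_at < DateTime.now

  cached_token
rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
  raise Errors::InvalidSSOCredentials, SSO_LOGIN_GUIDANCE
end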
def refresh
# Exchanges the cached SSO access token for a fresh set of AWS credentials
# for the configured account and role, storing the credentials and their
# expiration for the parent refreshing-credentials machinery.
#
# The token is re-read and re-validated on every refresh, so an expired
# login token is reported before any network call is made.
#
# @raise [Errors::InvalidSSOCredentials] when the cached token is unusable
#   (raised by #read_cached_token).
def refresh
  token = read_cached_token
  response = @client.get_role_credentials(
    account_id: @sso_account_id,
    role_name: @sso_role_name,
    access_token: token['accessToken']
  )
  role_creds = response.role_credentials
  @credentials = Credentials.new(role_creds.access_key_id,
                                 role_creds.secret_access_key,
                                 role_creds.session_token)
  @expiration = role_creds.expiration
end
def sso_cache_file
# Resolves the path of the token cache entry for this provider's start URL.
#
# The file name is the hex SHA-1 of the UTF-8 encoded start URL. The digest
# is only a lookup key for the file name, not a security measure; it
# presumably mirrors the naming scheme of the AWS CLI, which writes the file.
#
# @return [String] `<home>/.aws/sso/cache/<sha1>.json`
# @raise [ArgumentError] when the home directory cannot be resolved
#   (Dir.home raises ArgumentError if HOME is unset).
def sso_cache_file
  digest = OpenSSL::Digest::SHA1.hexdigest(@sso_start_url.encode('utf-8'))
  cache_dir = File.join(Dir.home, '.aws', 'sso', 'cache')
  File.join(cache_dir, "#{digest}.json")
rescue ArgumentError
  # Re-raised with a message that names the actual cause (unset HOME).
  raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
end