
Commit 2999ddc

committed
Allow source_profile and sso properties to be used together. Assume Role will take precedence over SSO
1 parent 24a6783 commit 2999ddc


3 files changed

+44
-8
lines changed

Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
{
2+
"core": {
3+
"changeLogMessages": [
4+
"[Breaking Change] Allow source_profile to be used in conjunction with sso_session. If the profile specified via source_profile has sso_session, and the sso_session section is correctly configured, credentials will be retrieved from sso. The sso credentials will then be used to assume the role specified in the original profile. Previous behavior was that it assumed the role specified in source_profile, which does not follow the assume role profile chaining pattern."
5+
],
6+
"type": "patch",
7+
"updateMinimum": true
8+
}
9+
}

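--- a/sdk/src/Core/Amazon.Runtime/CredentialManagement/Internal/CredentialProfileTypeDetector.cs
+++ b/sdk/src/Core/Amazon.Runtime/CredentialManagement/Internal/CredentialProfileTypeDetector.cs
@@ -101,43 +101,62 @@ public static class CredentialProfileTypeDetector
 {
 new HashSet<string> { RoleArn, SourceProfile },
 new HashSet<string> { RoleArn, SourceProfile, AwsAccountId },
+new HashSet<string> { RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
+new HashSet<string> { RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 }
 },
 {
 CredentialProfileType.AssumeRoleCredentialSource, new List<HashSet<string>>()
 {
 new HashSet<string> { RoleArn, CredentialSource },
-new HashSet<string> { RoleArn, CredentialSource, AwsAccountId }
+new HashSet<string> { RoleArn, CredentialSource, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
+new HashSet<string> { RoleArn, CredentialSource, AwsAccountId },
+new HashSet<string> { RoleArn, CredentialSource, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }
 }
 },
 {
 CredentialProfileType.AssumeRoleExternal, new List<HashSet<string>>()
 {
 new HashSet<string> { ExternalID, RoleArn, SourceProfile },
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId },
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl}
+}
+},
+{
+CredentialProfileType.AssumeRoleExternalMFA, new List<HashSet<string>>()
+{
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial },
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }
 }
 },
-{ CredentialProfileType.AssumeRoleExternalMFA, new List<HashSet<string>>() { new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial } } },
 {
 CredentialProfileType.AssumeRoleWithWebIdentity, new List<HashSet<string>>()
 {
 new HashSet<string> { RoleArn, WebIdentityTokenFile },
+new HashSet<string> { RoleArn, WebIdentityTokenFile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource },
+new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, AwsAccountId },
+new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 }
 },
 {
 CredentialProfileType.AssumeRoleWithWebIdentitySessionName, new List<HashSet<string>>()
 {
 new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName },
-new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId } ,
+new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
+new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId },
+new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl } ,
 }
 },
 {
 CredentialProfileType.AssumeRoleMFA, new List<HashSet<string>>()
 {
 new HashSet<string> { MfaSerial, RoleArn, SourceProfile },
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId },
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 }
 },
 { CredentialProfileType.Basic, new List<HashSet<string>>()
@@ -165,36 +184,46 @@ public static class CredentialProfileTypeDetector
 CredentialProfileType.AssumeRoleSessionName, new List<HashSet<string>>()
 {
 new HashSet<string> { RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl},
 new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 }
 },
 {
 CredentialProfileType.AssumeRoleCredentialSourceSessionName, new List<HashSet<string>>()
 {
 new HashSet<string> { RoleArn, CredentialSource, RoleSessionName },
+new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId},
+new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 }
 },
 {
 CredentialProfileType.AssumeRoleExternalSessionName, new List<HashSet<string>>()
 {
 new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 }
 },
 {
 CredentialProfileType.AssumeRoleExternalMFASessionName, new List<HashSet<string>>()
 {
 new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 }
 },
 { CredentialProfileType.SSO, new List<HashSet<string>>() { new HashSet<string> { SsoAccountId, SsoRegion, SsoRegistrationScopes, SsoRoleName, SsoStartUrl, SsoSession } } },
 {
 CredentialProfileType.AssumeRoleMFASessionName, new List<HashSet<string>>()
 {
 new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
 new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }
 }
 },
 };
@@ -238,11 +267,9 @@ public static string GetUserFriendlyCredentialType(CredentialProfileType? profil
 
 HashSet<string> propertyNames = GetPropertyNames(profileOptions);
 
-// Spec: If one or more of the SSO properties is present, the profile MUST be resolved by the SSO credential provider.
-if (propertyNames.Any(propertyName => SsoProperties.Contains(propertyName)))
-{
+//SPEC: if sso_account_id or sso_role_name exist credentials MUST be resolved by the sso credential provider.
+if (propertyNames.Contains(SsoAccountId) || propertyNames.Contains(SsoRoleName))
 return CredentialProfileType.SSO;
-}
 
 // brute force algorithm - but it's a very small set
 foreach (var pair in TypePropertyDictionary)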
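Review bot: In the third hunk the rewritten `if (propertyNames.Contains(SsoAccountId) || propertyNames.Contains(SsoRoleName))` drops the braces the removed version had, while the `foreach` right below and the rest of the file use braced blocks; keep `{ return CredentialProfileType.SSO; }` and write the comment as `// Spec:` with a space, matching the `// Spec:` and `// brute force` comments around it. The narrowed check also changes the outcome for a profile that has `sso_session`/`sso_start_url` but neither `sso_account_id` nor `sso_role_name` and no `role_arn`: it was previously forced to SSO and now falls through to the table walk, whose result is outside the hunk, so the new comment should state what such a profile is expected to resolve to rather than only restating the spec rule. The entries added in the first two hunks require all four of `SsoSession`, `SsoRegion`, `SsoRegistrationScopes` and `SsoStartUrl` next to the assume-role keys; if the matcher below requires an exact set, a profile that carries only `sso_session` and relies on the sso-session section for region and start URL would match none of them, which deserves either a unit test or a comment on the table saying the sso-session section is expected to be merged into the profile before detection. `SsoProperties` is no longer referenced in this hunk; if the removed `Any` call was its only use, remove the field as well. The enclosing detection method starts and ends outside the hunk.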

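--- a/sdk/test/UnitTests/Custom/Runtime/Credentials/AWSCredentialsFactoryTest.cs
+++ b/sdk/test/UnitTests/Custom/Runtime/Credentials/AWSCredentialsFactoryTest.cs
@@ -493,7 +493,7 @@ public void GetSsoCredentialsWithMissingFields()
 
 AssertExtensions.ExpectException(() =>
 AWSCredentialsFactory.GetAWSCredentials(SsoProfileMissingFields, ProfileStore),
-typeof(ArgumentNullException));
+typeof(InvalidDataException));
 }
 
 [TestMethod]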
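Review bot: The expected exception on the new side, `typeof(InvalidDataException)`, is changed without a note in the test explaining why a profile with missing SSO fields now surfaces a different error; presumably it is because the detector no longer classifies such a profile as SSO, but that is not visible here. A one-line comment above the `ExpectException` call, e.g. `// Missing sso_account_id/sso_role_name means the profile is no longer detected as SSO; the factory reports it as invalid profile data.`, would tie the test to the behaviour it pins, worded to match whatever the factory actually does. The `GetSsoCredentialsWithMissingFields` method starts before the hunk.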
