
Commit f5e4973

Allow source_profile and sso_session to be used together
1 parent a8d62ff commit f5e4973

2 files changed

+89
-70
lines changed

@@ -0,0 +1,9 @@
1+
{
2+
"core": {
3+
"changeLogMessages": [
4+
"[Breaking Change] Allow source_profile to be used in conjunction with sso_session. If the profile specified via source_profile has sso_session, credentials will be retrieved from sso. The sso credentials will then be used to assume the role specified in the original profile. Previous behavior was that it assumed the role specified in source_profile, which is incorrect."
5+
],
6+
"type": "patch",
7+
"updateMinimum": true
8+
}
9+
}

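--- a/sdk/src/Core/Amazon.Runtime/CredentialManagement/Internal/CredentialProfileTypeDetector.cs
+++ b/sdk/src/Core/Amazon.Runtime/CredentialManagement/Internal/CredentialProfileTypeDetector.cs
@@ -88,20 +88,73 @@ public static class CredentialProfileTypeDetector
 private static Dictionary<CredentialProfileType, List<HashSet<string>>> TypePropertyDictionary =
 new Dictionary<CredentialProfileType, List<HashSet<string>>>()
 {
-{
-CredentialProfileType.CredentialProcess, new List<HashSet<string>>()
-{
-new HashSet<string> { CredentialProcess } ,
-new HashSet<string> { CredentialProcess, AwsAccountId }
-}
+{ CredentialProfileType.Basic, new List<HashSet<string>>()
+{
+new HashSet<string> { AccessKey, SecretKey },
+new HashSet<string> { AccessKey, SecretKey, AwsAccountId },
+}
 },
-
-{
-CredentialProfileType.AssumeRole, new List<HashSet<string>>()
+{
+CredentialProfileType.Session, new List<HashSet<string>>()
+{
+new HashSet<string> { AccessKey, SecretKey, Token },
+new HashSet<string> { AccessKey, SecretKey, Token, AwsAccountId },
+}
+},
+{
+CredentialProfileType.AssumeRole, new List<HashSet<string>>()
 {
 new HashSet<string> { RoleArn, SourceProfile },
 new HashSet<string> { RoleArn, SourceProfile, AwsAccountId },
-}
+}
+},
+{
+CredentialProfileType.AssumeRoleMFA, new List<HashSet<string>>()
+{
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile },
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId },
+}
+},
+{
+CredentialProfileType.AssumeRoleMFASessionName, new List<HashSet<string>>()
+{
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+}
+},
+{
+CredentialProfileType.AssumeRoleExternalMFA, new List<HashSet<string>>()
+{
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial }
+}
+},
+{
+CredentialProfileType.AssumeRoleExternal, new List<HashSet<string>>()
+{
+new HashSet<string> { ExternalID, RoleArn, SourceProfile },
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId },
+}
+},
+{
+CredentialProfileType.AssumeRoleSessionName, new List<HashSet<string>>()
+{
+new HashSet<string> { RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+}
+},
+{
+CredentialProfileType.AssumeRoleExternalSessionName, new List<HashSet<string>>()
+{
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+}
+},
+{
+CredentialProfileType.AssumeRoleExternalMFASessionName, new List<HashSet<string>>()
+{
+new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName },
+new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+}
 },
 {
 CredentialProfileType.AssumeRoleCredentialSource, new List<HashSet<string>>()
@@ -111,13 +164,12 @@ public static class CredentialProfileTypeDetector
 }
 },
 {
-CredentialProfileType.AssumeRoleExternal, new List<HashSet<string>>()
-{
-new HashSet<string> { ExternalID, RoleArn, SourceProfile },
-new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId },
-}
+CredentialProfileType.AssumeRoleCredentialSourceSessionName, new List<HashSet<string>>()
+{
+new HashSet<string> { RoleArn, CredentialSource, RoleSessionName },
+new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId},
+}
 },
-{ CredentialProfileType.AssumeRoleExternalMFA, new List<HashSet<string>>() { new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial } } },
 {
 CredentialProfileType.AssumeRoleWithWebIdentity, new List<HashSet<string>>()
 {
@@ -133,70 +185,33 @@ public static class CredentialProfileTypeDetector
 new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId } ,
 }
 },
-{
-CredentialProfileType.AssumeRoleMFA, new List<HashSet<string>>()
-{
-new HashSet<string> { MfaSerial, RoleArn, SourceProfile },
-new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId },
-}
-},
-{ CredentialProfileType.Basic, new List<HashSet<string>>()
-{
-new HashSet<string> { AccessKey, SecretKey },
-new HashSet<string> { AccessKey, SecretKey, AwsAccountId },
-}
-},
 {
 CredentialProfileType.SAMLRole, new List<HashSet<string>>()
 {
 new HashSet<string> { EndpointName, RoleArn },
 new HashSet<string> { EndpointName, RoleArn, AwsAccountId },
 }
 },
-{ CredentialProfileType.SAMLRoleUserIdentity, new List<HashSet<string>>() { new HashSet<string> { EndpointName, RoleArn, UserIdentity } } },
 {
-CredentialProfileType.Session, new List<HashSet<string>>()
+CredentialProfileType.SAMLRoleUserIdentity, new List<HashSet<string>>()
 {
-new HashSet<string> { AccessKey, SecretKey, Token },
-new HashSet<string> { AccessKey, SecretKey, Token, AwsAccountId },
+new HashSet<string> { EndpointName, RoleArn, UserIdentity }
 }
 },
 {
-CredentialProfileType.AssumeRoleSessionName, new List<HashSet<string>>()
-{
-new HashSet<string> { RoleArn, SourceProfile, RoleSessionName },
-new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
-}
-},
-{
-CredentialProfileType.AssumeRoleCredentialSourceSessionName, new List<HashSet<string>>()
+CredentialProfileType.SSO, new List<HashSet<string>>()
 {
-new HashSet<string> { RoleArn, CredentialSource, RoleSessionName },
-new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId},
-}
-},
-{
-CredentialProfileType.AssumeRoleExternalSessionName, new List<HashSet<string>>()
-{
-new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName },
-new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
-}
-},
-{
-CredentialProfileType.AssumeRoleExternalMFASessionName, new List<HashSet<string>>()
-{
-new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName },
-new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+new HashSet<string> { SsoAccountId, SsoRegion, SsoRegistrationScopes, SsoRoleName, SsoStartUrl, SsoSession }
 }
 },
-{ CredentialProfileType.SSO, new List<HashSet<string>>() { new HashSet<string> { SsoAccountId, SsoRegion, SsoRegistrationScopes, SsoRoleName, SsoStartUrl, SsoSession } } },
-{
-CredentialProfileType.AssumeRoleMFASessionName, new List<HashSet<string>>()
-{
-new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName },
-new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
-}
+{
+CredentialProfileType.CredentialProcess, new List<HashSet<string>>()
+{
+new HashSet<string> { CredentialProcess } ,
+new HashSet<string> { CredentialProcess, AwsAccountId }
+}
 },
+
 };
 
 private static Dictionary<CredentialProfileType, string> CredentialTypeDictionary =
@@ -238,18 +253,13 @@ public static string GetUserFriendlyCredentialType(CredentialProfileType? profil
 
 HashSet<string> propertyNames = GetPropertyNames(profileOptions);
 
-// Spec: If one or more of the SSO properties is present, the profile MUST be resolved by the SSO credential provider.
-if (propertyNames.Any(propertyName => SsoProperties.Contains(propertyName)))
-{
-return CredentialProfileType.SSO;
-}
 
 // brute force algorithm - but it's a very small set
 foreach (var pair in TypePropertyDictionary)
 {
 foreach (var item in pair.Value)
 {
-if (item.SetEquals(propertyNames))
+if (item.IsSubsetOf(propertyNames))
 {
 profileType = pair.Key;
 }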
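Review bot: Replacing `SetEquals` with `IsSubsetOf` at new line 262 makes the detected type depend on the enumeration order of `TypePropertyDictionary`, because the loop never breaks and the last matching entry wins — a profile with access key, secret key and token now satisfies both the Basic and Session entries and resolves to Session only because Session is listed after Basic in the reordered initializer. `Dictionary<TKey,TValue>` enumeration order is not guaranteed by contract, so the ordering in the first hunk is load-bearing but undocumented; a comment above the initializer such as `// Order matters: detection uses IsSubsetOf and the last match wins, so entries must run from least to most specific.`, or an explicitly ordered collection for the table, would keep that intent from being lost in the next edit. Dropping the SSO short-circuit also changes precedence: a profile carrying the full set of sso_* properties together with credential_process now resolves to CredentialProcess, the last entry, where the deleted spec comment required SSO, and if GetPropertyNames (not in the hunk) reports only populated properties, an SSO profile lacking sso_session or sso_registration_scopes would no longer satisfy the six-property SSO entry at all — both cases deserve a test. Since the winning type decides which provider the credentials are sourced from, the tie-breaking rule should be explicit rather than implied by list position. The enclosing method begins and ends outside the hunk.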
