
AWS_PROFILE referencing an SSO profile fails to work with AWS Go SDK #1

Closed
dylburger opened this issue May 16, 2020 · 3 comments

dylburger commented May 16, 2020

Ben, I very much appreciate the time you put into this library. We're big users of AWS SSO, and the lack of SDK support has been an issue in many contexts.

I had a small issue that I'm having trouble hunting down. This seems like an issue with the AWS Go SDK but I wanted to confirm here first.

Your example from the README works great:

aws sso login --profile my-sso-profile
python -c "import boto3; print(boto3.Session(profile_name='my-sso-profile').client('sts').get_caller_identity())"

It also works if I swap the boto Session code for an AWS_PROFILE:

AWS_PROFILE=my-sso-profile python -c "import boto3; print(boto3.client('sts').get_caller_identity())"

However, the use of AWS_PROFILE for an SSO named profile fails to work with an equivalent hello, world script that uses the Go SDK.

The script:

package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
)

func main() {
	svc := sts.New(session.New())
	input := &sts.GetCallerIdentityInput{}

	result, err := svc.GetCallerIdentity(input)
	if err != nil {
		if aerr, ok := err.(awserr.Error); ok {
			switch aerr.Code() {
			default:
				fmt.Println(aerr.Error())
			}
		} else {
			// Print the error, cast err to awserr.Error to get the Code and
			// Message from an error.
			fmt.Println(err.Error())
		}
		return
	}

	fmt.Println(result)
}

works using my default profile:

go run test.go

and using a standard, non-SSO profile tied to access / secret keys:

AWS_PROFILE=iam_profile go run test.go

but fails to work with the same SSO profile that worked with the Python example above (using credential_process as described by this lib):

AWS_PROFILE=my-sso-profile go run test.go
NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

It seems the Go SDK has support for credential_process, but I'm also seeing an issue tied to this same error in the Go SDK repo.

It seems very likely this is an issue with the Go SDK, but I wanted to see whether you had any workarounds or suggestions based on your experience with SSO.

Thanks!

@benkehoe (Owner)

Interesting. What happens if you do this? (choose your own path)
aws-sso-credential-process --profile my-sso-profile > /path/to/creds.json

And then add this to .aws/config:

[profile test]
credential_process = cat /path/to/creds.json

and then

AWS_PROFILE=test go run test.go

@benkehoe (Owner)

Ok, first thing, it looks like you need to have AWS_SDK_LOAD_CONFIG=1, because otherwise the Go SDK doesn't check .aws/config: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html

Even with that, it appears that the format botocore is generating for the expiration timestamp isn't valid ISO8601 and that's causing a parsing error. I updated the code to change the output to make it valid, and published a new version.
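The parsing failure described in this comment can be reproduced without the AWS SDK. The Go program below is an added illustration, not code from this project or from the AWS SDK: it decodes a credential_process response the way Go's encoding/json decodes a time.Time field (RFC 3339 only), so a non-RFC 3339 Expiration is rejected. The JSON samples and key values are constructed placeholders, and the struct is an assumption that mirrors the documented credential_process contract rather than the SDK's own type.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// CredentialProcessOutput mirrors the Version 1 JSON a credential_process
// command must print. Decoding Expiration into time.Time is what makes the
// format strict: encoding/json only accepts RFC 3339 timestamps.
type CredentialProcessOutput struct {
	Version         int        `json:"Version"`
	AccessKeyID     string     `json:"AccessKeyId"`
	SecretAccessKey string     `json:"SecretAccessKey"`
	SessionToken    string     `json:"SessionToken"`
	Expiration      *time.Time `json:"Expiration,omitempty"`
}

// ParseCredentialProcessOutput decodes and validates one response. A malformed
// Expiration surfaces here as a decode error instead of usable credentials.
func ParseCredentialProcessOutput(raw []byte) (*CredentialProcessOutput, error) {
	var out CredentialProcessOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, fmt.Errorf("invalid credential_process output: %w", err)
	}
	if out.Version != 1 {
		return nil, fmt.Errorf("unsupported credential_process Version %d", out.Version)
	}
	if out.AccessKeyID == "" || out.SecretAccessKey == "" {
		return nil, fmt.Errorf("missing AccessKeyId or SecretAccessKey")
	}
	if out.Expiration != nil && !out.Expiration.After(time.Now()) {
		return nil, fmt.Errorf("credentials expired at %s", out.Expiration.UTC().Format(time.RFC3339))
	}
	return &out, nil
}

// Constructed samples with placeholder key material (not real credentials).
// goodOutput uses RFC 3339; badOutput uses a space-separated timestamp.
const goodOutput = `{"Version":1,"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"EXAMPLESECRET","SessionToken":"EXAMPLETOKEN","Expiration":"2099-01-01T00:00:00Z"}`
const badOutput = `{"Version":1,"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"EXAMPLESECRET","SessionToken":"EXAMPLETOKEN","Expiration":"2099-01-01 00:00:00+00:00"}`

func main() {
	for _, raw := range []string{goodOutput, badOutput} {
		if _, err := ParseCredentialProcessOutput([]byte(raw)); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted")
		}
	}
}
```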


dylburger commented May 16, 2020

AWS_PROFILE=my-sso-profile AWS_SDK_LOAD_CONFIG=1 go run test.go works great on v0.2.5! You're awesome, Ben.
