SsoCredentialsProvider

class SsoCredentialsProvider(val accountId: String, val roleName: String, val startUrl: String, val ssoRegion: String, val ssoSessionName: String? = null, val httpClient: HttpClientEngine? = null, val platformProvider: PlatformProvider = PlatformProvider.System, clock: Clock = Clock.System) : CredentialsProvider

CredentialsProvider that uses AWS Single Sign-On (AWS SSO) to source credentials. The provider is expected to be configured for the AWS Region where the AWS SSO user portal is hosted.

The provider does not initiate or perform the AWS SSO login flow. It expects that you have already completed the SSO login flow, for example with the AWS CLI (aws sso login). The provider looks for a valid, non-expired access token for the AWS SSO user portal URL in ~/.aws/sso/cache. If no cached token is found, the token has expired, or the cache file is malformed, an exception is thrown when credentials are resolved.

Instantiating AWS SSO provider directly

You can programmatically construct the AWS SSO provider in your application, and provide the necessary information to load and retrieve temporary credentials using an access token from ~/.aws/sso/cache.

val source = SsoCredentialsProvider(
    accountId = "123456789012",   // 12-digit AWS account ID (placeholder)
    roleName = "SsoReadOnlyRole", // permission set / role assigned to you in that account
    startUrl = "https://my-sso-portal.awsapps.com/start",
    ssoRegion = "us-east-2"       // region where the SSO user portal is hosted
)

// Wrap the provider with a caching provider to cache the credentials until their expiration time
val ssoProvider = CachedCredentialsProvider(source)

It is important that you wrap the provider with CachedCredentialsProvider if you are constructing it programmatically. Otherwise, every time the provider is used to source credentials it re-reads the cached access token from ~/.aws/sso/cache and requests a new set of temporary credentials from the SSO service; the caching wrapper reuses the resolved credentials until they expire.
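The following is an added example, not code from the SDK or this page. It shows the pre-flight check a practitioner usually wants before constructing the provider (does a cached token exist for this start URL, and is it still valid?), then wires the wrapped provider into an AWS client and verifies the resolved identity. The ssoCachePath and ssoTokenProblem helpers are assumptions based on the AWS CLI/SDK token cache convention (~/.aws/sso/cache/<sha1-hex of the start URL, or of the sso_session name>.json, containing an expiresAt timestamp); they are not SDK API. Using StsClient assumes the aws.sdk.kotlin:sts artifact is on the classpath.

```kotlin
import aws.sdk.kotlin.runtime.auth.credentials.CachedCredentialsProvider
import aws.sdk.kotlin.runtime.auth.credentials.SsoCredentialsProvider
import aws.sdk.kotlin.services.sts.StsClient
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.Paths
import java.security.MessageDigest
import java.time.Instant

// Added helper (assumption, not SDK API): location of the token written by `aws sso login`.
// AWS CLI/SDK convention: ~/.aws/sso/cache/<sha1-hex(key)>.json, where key is the
// start URL for legacy profiles and the sso_session name for sso-session profiles.
fun ssoCachePath(startUrl: String, ssoSessionName: String? = null): Path {
    val key = ssoSessionName ?: startUrl
    val digest = MessageDigest.getInstance("SHA-1").digest(key.toByteArray(Charsets.UTF_8))
    val hex = digest.joinToString("") { "%02x".format(it) }
    return Paths.get(System.getProperty("user.home"), ".aws", "sso", "cache", "$hex.json")
}

// Added helper (assumption): pre-flight check of the cached token.
// Returns null when the token looks usable, otherwise a human-readable reason.
// These are exactly the conditions under which the provider throws at resolve time.
fun ssoTokenProblem(path: Path, now: Instant = Instant.now()): String? {
    if (!Files.exists(path)) return "no cached SSO token at $path; run `aws sso login`"
    val json = Files.readString(path)
    val expiresAt = Regex("\"expiresAt\"\\s*:\\s*\"([^\"]+)\"").find(json)?.groupValues?.get(1)
        ?: return "malformed SSO cache file $path (missing expiresAt)"
    // Older CLI versions wrote a "UTC" suffix where newer ones write "Z".
    val exp = runCatching { Instant.parse(expiresAt.replace("UTC", "Z")) }.getOrNull()
        ?: return "malformed expiresAt '$expiresAt' in $path"
    return if (exp.isAfter(now)) null else "cached SSO token expired at $exp; run `aws sso login`"
}

suspend fun main() {
    val startUrl = "https://my-sso-portal.awsapps.com/start"
    val ssoRegion = "us-east-2"

    // Fail early with an actionable message instead of an exception deep inside a client call.
    ssoTokenProblem(ssoCachePath(startUrl))?.let { problem ->
        System.err.println(problem)
        return
    }

    val source = SsoCredentialsProvider(
        accountId = "123456789012", // placeholder 12-digit account ID
        roleName = "SsoReadOnlyRole",
        startUrl = startUrl,
        ssoRegion = ssoRegion,
    )
    // Cache resolved credentials until they expire; without this every resolve()
    // re-reads the token cache and calls the SSO service again.
    val ssoProvider = CachedCredentialsProvider(source)

    val sts = StsClient {
        region = ssoRegion
        credentialsProvider = ssoProvider
    }
    try {
        // Confirms the account and role the temporary credentials actually map to.
        val identity = sts.getCallerIdentity()
        println("Resolved SSO credentials for ${identity.arn} in account ${identity.account}")
    } finally {
        sts.close()
        ssoProvider.close()
    }
}
```

The check is deliberately conservative: it only inspects expiresAt, so a token that is present and unexpired but revoked server-side will still fail at resolve time, and that exception should be handled by the caller. If you construct the provider with ssoSessionName, pass the same session name to ssoCachePath, since the cache key is then the session name rather than the start URL.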

Parameters

accountId

The AWS account ID that temporary AWS credentials will be resolved for

roleName

The IAM role in the AWS account that temporary AWS credentials will be resolved for

startUrl

The start URL (also known as the "User Portal URL") provided by the SSO service

ssoRegion

The AWS region where the SSO directory for the given startUrl is hosted.

ssoSessionName

The SSO session name (sso_session) from the profile. If a session name is given, an SsoTokenProvider is used to fetch (and refresh) the access token for that session instead of reading the legacy per-start-URL token from the cache.

httpClient

The HttpClientEngine instance to use to make requests. NOTE: This engine's resources and lifetime are NOT managed by the provider. Caller is responsible for closing.

platformProvider

The platform provider used to access the environment and file system (for example, to locate the home directory and read ~/.aws/sso/cache). Defaults to PlatformProvider.System.

clock

The source of time for the provider, used to check token and credential expiration. Defaults to Clock.System; override it in tests to simulate an expired token.

Constructors

constructor(accountId: String, roleName: String, startUrl: String, ssoRegion: String, ssoSessionName: String? = null, httpClient: HttpClientEngine? = null, platformProvider: PlatformProvider = PlatformProvider.System, clock: Clock = Clock.System)

Properties

val accountId: String
val roleName: String
val startUrl: String
val ssoRegion: String
val ssoSessionName: String? = null
val httpClient: HttpClientEngine? = null
val platformProvider: PlatformProvider

Functions

open suspend override fun resolve(attributes: Attributes): Credentials