
I have a Ruby application using the AWS SDK Ruby v3, and recently I’ve added support for using SSO profiles instead of static "key ID + secret" configuration.

The new setup works well for a while, until the token "expires" and I start getting Aws::Errors::InvalidSSOToken exceptions, at which point the user needs to manually run the CLI’s aws sso login to get a browser login screen.

I would have liked to skip the manual step of running the AWS CLI – if the SDK can directly do the aws sso login step (with the correct profile).

I can probably do exec with the correct arguments – but I would like to do it "the SDK way".

2 Answers


  1. Chosen as BEST ANSWER

    Work In Progress Sample Code

    This is not a complete implementation but a bit of scratch pad for tests that I got to work. There's still a lot more work to get it to a point where it is usable.

    Kudos to @tsal-troser who, in his own answer, pointed at the Python example that was used to create this sample code, and to @2ps who wrote that Python code.

    require 'aws-sdk-core'
    require 'io/console' # STDIN.getch is provided by io/console
    
    # the start URL should be read from ~/.aws/config by looking up
    # the section "[profile <your-profile>]", reading its "sso_session"
    # field, then looking for the section "[sso-session <sso_session>]"
    # and loading its "sso_start_url" field
    my_start_url = 'https://myportalid.awsapps.com/start'
    
    client = Aws::SSOOIDC::Client.new(region: 'us-east-1') # can we use other regions?
    creds = client.register_client(client_name: 'mytest', client_type: 'public')
    auth = client.start_device_authorization(
      client_id: creds.client_id, client_secret: creds.client_secret,
      start_url: my_start_url)
    
    puts "Verification code: #{auth.user_code}"
    puts "Open your browser with this url: #{auth.verification_uri_complete}"
    puts "When complete, press ENTER here"
    STDIN.getch
    puts ""
    
    # create_token returns a response struct; the bearer token is its access_token field
    token = client.create_token(
      grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
      device_code: auth.device_code,
      client_id: creds.client_id, client_secret: creds.client_secret)
    access_token = token.access_token
    
    # use access token to update the role object?
    

    This is still incomplete; I hope to get back to it and finish the code next week. 🤞


  2. Yes, you can. You can add an error handler for when you get InvalidSSOToken and then do an SSO authentication.

    I’ve never tried the SDK way. I’ve tried the exec cli command aws sso login (because it’s easier). It will create a cache.json file with the token and expiresAt values.

    This is the project I used as a reference: https://github.com/NeilJed/aws-sso-credentials/blob/master/awssso

    Here’s the part you can use as reference for checking if the token is expired. https://github.com/NeilJed/aws-sso-credentials/blob/master/awssso#L110-L137

    Here’s another example of doing it via SDK but in Python:
    https://stackoverflow.com/a/71850591/22277802
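Filling the gaps both answers leave open, as an added example that is not code from either answerer: resolving the start URL from the profile's sso-session section (the lookup the sample code's comment describes), checking the CLI cache's expiresAt before re-authenticating, and polling create_token instead of waiting on ENTER. It assumes the aws-sdk-core gem for the network calls (only sso_device_login touches it); the config text and cache JSON are constructed samples.

```ruby
require 'json'; require 'time'
# Constructed sample ~/.aws/config in the layout the sample code's comment describes.
SAMPLE_CONFIG = "[profile dev]\nsso_session = corp\nsso_account_id = 123456789012\n" \
                "sso_role_name = Developer\n[sso-session corp]\n" \
                "sso_start_url = https://myportalid.awsapps.com/start\nsso_region = us-east-1\n"
# Resolve "[profile X]" -> sso_session -> "[sso-session Y]" from INI-style config text.
def resolve_sso_session(config_text, profile)
  sections, current = {}, nil
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if line =~ /\A\[(.+)\]\z/ then current = sections[Regexp.last_match(1).strip] = {}
    elsif current && line.include?('=') then k, v = line.split('=', 2); current[k.strip] = v.strip
    end
  end
  prof = sections[profile == 'default' ? 'default' : "profile #{profile}"]
  raise ArgumentError, "profile #{profile} not found" unless prof
  session = sections["sso-session #{prof['sso_session']}"]
  raise ArgumentError, "sso-session #{prof['sso_session']} not found" unless session
  { start_url: session['sso_start_url'], region: session['sso_region'],
    account_id: prof['sso_account_id'], role_name: prof['sso_role_name'] }
end

# True while a cached token (CLI cache accessToken/expiresAt) is usable, minus a skew margin.
def token_valid?(cache_json, now: Time.now, skew: 300)
  cache = JSON.parse(cache_json)
  return false unless cache['accessToken'] && cache['expiresAt']
  Time.iso8601(cache['expiresAt']) - skew > now
end

# Device-authorization flow that polls create_token instead of waiting on ENTER; only this
# function touches the network, and the aws-sdk-core gem is assumed to be installed.
def sso_device_login(start_url, region)
  require 'aws-sdk-core'
  oidc = Aws::SSOOIDC::Client.new(region: region)
  reg  = oidc.register_client(client_name: 'ruby-sso-example', client_type: 'public')
  auth = oidc.start_device_authorization(client_id: reg.client_id, client_secret: reg.client_secret, start_url: start_url)
  puts "Open #{auth.verification_uri_complete} and confirm code #{auth.user_code}"
  interval = auth.interval || 5
  loop do
    sleep interval
    begin
      return oidc.create_token(grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
                               device_code: auth.device_code, client_id: reg.client_id,
                               client_secret: reg.client_secret).access_token
    rescue Aws::SSOOIDC::Errors::AuthorizationPendingException then next # not approved yet
    rescue Aws::SSOOIDC::Errors::SlowDownException then interval += 5   # server asked to back off
    end
  end
end
```

A caller would run token_valid? on the cached file first and only fall into sso_device_login when it returns false, which is the InvalidSSOToken handler the second answer describes.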
