Enable Credential Chaining to Automatically Load SSO Profiles from INI config

[exussum12]

Describe the feature

I am hoping to follow this workflow

aws configure sso or aws sso login --profile=something

Commands on the AWS CLI work, I am hoping to be able to use the same profile (something in the case above) to be able to reuse in php scripts

Use Case

Removing long lived keys for local development

Proposed Solution

The sso logs to a few files (~/.aws/sso/cache)

These should be scanned when looking for a profile being passed current behaviour is
PHP Fatal error: Uncaught Aws\Exception\CredentialsException: 'something' not found in credentials file in /tmp/aws/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:826

Other Information

This should ideally work for rules assumed via other accounts. That has a seperate storage (.aws/cli/cache)

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

SDK version used

Latest

Environment details (Version of PHP (php -v)? OS name and version, etc.)

php 8.2

[exussum12]

So this does work as follows

'credentials' =>  CredentialProvider::sso('something'),

In a construct, not sure if the profile should pick it up? That is how the CLI works

Digging into this some more, if a profile is passed the ini loader is called, which does not support SSO. Any objections to moving that to a chain? First a standard profile and fall back to a SSO profile

[RanVaknin]

Hi @exussum12 ,

Sorry for the long wait. We have discussed this as a team but are confused about the ask here.
Can you please provide a minimal snippet (imports, client instantiation and config) that highlights what you are trying to do?

Thanks,
Ran

[exussum12]

Hi

Assuming you have SSO set up called prod_sso.

<?php
require_once './vendor/autoload.php';


use Aws\DynamoDb\DynamoDbClient;

$dynamoDbClient = DynamoDbClient::factory(array(
    'profile' => 'prod_sso',
    'region'  => 'eu-west-1',
));
var_dump($dynamoDbClient->listTables());

PHP Fatal error: Uncaught Aws\Exception\CredentialsException: 'prod_sso' not found in credentials file in /tmp/aws/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:846

The CLI works

aws --profile=prod_sso dynamodb list-tables

for full clarity

[profile prod_sso]
sso_start_url = https://theUrl/start
sso_region = eu-west-1
sso_account_id = 99999999
sso_role_name = RoleIWishToAssume
region = eu-west-1
output = json

set up from aws configure sso

[RanVaknin]

Hi @exussum12 thanks for the clarification. I updated the title to better reflect the request.

Thanks,
Ran~