1

I have a Go program which uses shared SSO authentication. The program itself works fine, but I need to start a nested program from it (docker), and this program needs the AWS credentials from the main program.

I use AWS SDK v2.

How can I export my current credentials as environment variables?

I understand that I can use assumeRole, like this:

    credentials, err := ssoClient.GetRoleCredentials(context.TODO(), &sso.GetRoleCredentialsInput{
        AccountId: aws.String(accountID),
        RoleName:  aws.String(roleName),
    })

but that would be wrong, because I have no role to assume; I just want to use my current user.

Another possible solution could be parsing ~/.aws/cli/cache/*.json manually, but this solution looks too low level and hacky (but probably it is the only one, at least I didn't manage to find anything better).

4
  • This change, which brought in support for the SSO to SDK v2, says: «The provider must find a valid non-expired access token for the AWS SSO user portal URL in ~/.aws/sso/cache.» Looking at this, I see that the token obtained from the SSO cache gets decoded into plain aws.Credentials, so it seems like you can just export them as is. Commented Feb 22, 2022 at 17:03
  • @kostix: Yes, I saw this code, but it looks somehow strange to me. The problem is that in order to get the credentials this way, you need a lot of things that you actually don't have (role etc). It is not possible to pass nil into this function, though internally it can handle nil values properly. There should be some better way, I think... Commented Feb 22, 2022 at 18:21
  • Problem is, those sso creds are only good for a limited time. What sdk is in the docker? Can't you just share ~/.aws and expose AWS env vars for PROFILE and REGION, if set? Commented Feb 23, 2022 at 4:22
  • @DanielFarrell: Yes, it is fine that they are limited; my docker builds need much less time. Anyway, I found a solution and it was much more simple than I thought. I will post it. Commented Feb 23, 2022 at 7:04

1 Answer

2

I found a solution, and it is much simpler than I expected.

One can take credentials directly in the config struct:

    // awsconfig is the import alias for github.com/aws/aws-sdk-go-v2/config.
    cfg, err := awsconfig.LoadDefaultConfig(
        context.TODO(),
        awsconfig.WithSharedConfigProfile(profile))
    if err != nil {
        log.Fatalln(err)
    }
    // Retrieve resolves the profile's provider (SSO here) into plain credentials.
    cred, err := cfg.Credentials.Retrieve(context.TODO())
    if err != nil {
        log.Fatalln(err)
    }
    fmt.Printf("export AWS_ACCESS_KEY_ID=\"%s\"\n", cred.AccessKeyID)
    fmt.Printf("export AWS_SECRET_ACCESS_KEY=\"%s\"\n", cred.SecretAccessKey)
    fmt.Printf("export AWS_SESSION_TOKEN=\"%s\"\n", cred.SessionToken)
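An added example, not part of the original answer or of the AWS SDK: instead of printing `export` lines, the parent can hand the retrieved credentials to the docker child through `exec.Cmd.Env`, using name-only `-e` flags so the secrets stay out of the argument list and out of stdout. `Creds` is a local stand-in for the `aws.Credentials` fields used here; `ChildEnv`, `DockerCmd`, the image name and the sample values are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"time"
)

// Creds is a stand-in for the aws.Credentials fields used here, so the example
// builds without the SDK; real code passes the result of cfg.Credentials.Retrieve.
type Creds struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	CanExpire                                  bool
	Expires                                    time.Time
}

// ChildEnv returns a copy of base plus the three AWS variables. It refuses empty
// credentials and ones that expire within minTTL (SSO credentials are short-lived).
func ChildEnv(base []string, c Creds, minTTL time.Duration, now time.Time) ([]string, error) {
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return nil, fmt.Errorf("credentials are empty")
	}
	if left := c.Expires.Sub(now); c.CanExpire && left < minTTL {
		return nil, fmt.Errorf("credentials expire in %s, need at least %s", left.Round(time.Second), minTTL)
	}
	env := append([]string{}, base...) // os/exec keeps the last value of a duplicate key
	return append(env, "AWS_ACCESS_KEY_ID="+c.AccessKeyID, "AWS_SECRET_ACCESS_KEY="+c.SecretAccessKey, "AWS_SESSION_TOKEN="+c.SessionToken), nil
}

// DockerCmd builds "docker run" with name-only -e flags: docker copies the values
// from its own environment, so no secret appears in the process argument list.
func DockerCmd(env []string, image string, args ...string) *exec.Cmd {
	argv := []string{"run", "--rm", "-e", "AWS_ACCESS_KEY_ID", "-e", "AWS_SECRET_ACCESS_KEY", "-e", "AWS_SESSION_TOKEN", image}
	cmd := exec.Command("docker", append(argv, args...)...)
	cmd.Env = env
	return cmd
}

func main() {
	// Constructed sample values (the AWS documentation example key), not real credentials.
	c := Creds{"AKIAIOSFODNN7EXAMPLE", "constructed-secret", "constructed-token", true, time.Now().Add(time.Hour)}
	env, err := ChildEnv(os.Environ(), c, 10*time.Minute, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(DockerCmd(env, "example/builder:latest").Args) // argv only; it holds no secret
}
```

Call `Run` on the returned command to start the container; the credentials then live only in the child's environment for the duration of the build.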