
Conversation

ashishdhingra
Contributor

@ashishdhingra ashishdhingra commented Apr 2, 2025

Description

  • Changed the default value of SSOAWSCredentialsOptions.SupportsGettingNewToken as false
  • Improved error messaging if required SSO options are missing while generating new credentials.

Test Scenarios:

  • Using Amazon.Extensions.NETCore.Setup package (customer's scenario)
    Customer would use aws sso login and then rely on CredentialsProfileStoreChain factory

    var awsOptions = new AWSOptions
    {
        Region = RegionEndpoint.USEast1,
        Profile = "SSOAdmin",
    };
    var client = awsOptions.CreateServiceClient<IAmazonS3>();
    var buckets = await client.ListBucketsAsync();

    In this case, since now SSOAWSCredentialsOptions.SupportsGettingNewToken would resolve to false, it would eventually throw AmazonClientException with message:

    • "SSO Token has expired and failed to refresh" when the token is expired.
    • "No valid SSO Token could be found." when no token is found.
  • Customer explicitly created SSO credentials (refer example at https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/sso-tutorial-app-only.html)

    var ssoCreds = LoadSsoCredentials("SSOAdmin");

    // Display the caller's identity.
    var ssoProfileClient = new AmazonSecurityTokenServiceClient(ssoCreds);
    Console.WriteLine($"\nSSO Profile:\n {await ssoProfileClient.GetCallerIdentityArn()}");

    static AWSCredentials LoadSsoCredentials(string profile)
    {
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetAWSCredentials(profile, out var credentials))
            throw new Exception($"Failed to find the {profile} profile");

        // The profile must be an SSO profile; a non-SSO profile would make the cast return null.
        var ssoCredentials = credentials as SSOAWSCredentials;
        if (ssoCredentials == null)
            throw new Exception($"The {profile} profile is not an SSO profile");

        ssoCredentials.Options.ClientName = "Example-SSO-App";
        ssoCredentials.Options.SsoVerificationCallback = args =>
        {
            // Launch a browser window that prompts the SSO user to complete an SSO login.
            // This method is only invoked if the session doesn't already have a valid SSO token.
            // NOTE: Process.Start might not support launching a browser on macOS or Linux. If not,
            // use an appropriate mechanism on those systems instead.
            Process.Start(new ProcessStartInfo
            {
                FileName = args.VerificationUriComplete,
                UseShellExecute = true
            });
        };
        // Must be set explicitly now that the default is false.
        ssoCredentials.Options.SupportsGettingNewToken = true;
        return ssoCredentials;
    }

    // Class to read the caller's identity.
    public static class Extensions
    {
        public static async Task<string> GetCallerIdentityArn(this IAmazonSecurityTokenService stsClient)
        {
            var response = await stsClient.GetCallerIdentityAsync(new GetCallerIdentityRequest());
            return response.Arn;
        }
    }

AWS Toolkit for Visual Studio and PowerShell already explicitly set SSOAWSCredentialsOptions.SupportsGettingNewToken to true.

IMPORTANT: We would also need to update the examples in V4 developer guide at Tutorial for SSO using only .NET applications (this is a link from V3 developer guide, use similar link from V4 developer guide) to explicitly set ssoCredentials.Options.SupportsGettingNewToken = true; as the default value is false. (expand List Amazon S3 buckets and List IAM users collapsible sections)

NOTE: There is perhaps another issue. The API documentation for Profile states:

    Represents a profile in the configuration file. For example in ~/.aws/config

        [profile foo]
        name = value

        Profile profile = new Profile("foo");

    When this is set on the ClientConfig and that config is passed to the service client constructor the sdk will try to find the credentials associated with the Profile.Name property. If set, this will override AWS_PROFILE and AWSConfigs.ProfileName.

When I use code like below:

    var securityTokenResponse = (new AmazonSecurityTokenServiceClient(
        new AmazonSecurityTokenServiceConfig()
        {
            Profile = new Profile("SSOAdmin")
        })
    ).GetCallerIdentityAsync(new GetCallerIdentityRequest()).Result;

It doesn't consider the passed profile based on logic here (for V4) and here (for V3).

Motivation and Context

GitHub issue/discussion:

Testing

Dry-run DRY_RUN-a741bd15-07fd-48e3-b260-603408b4134b completed successfully.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • My code follows the code style of this project
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
  • I have read the README document
  • I have added tests to cover my changes
  • All new and existing tests passed

License

  • I confirm that this pull request can be released under the Apache 2 license
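The following is an added example, not code from this PR or from the AWS SDK for .NET, showing how an application can live with the new default described above: interactive token refresh is opted into only when the process has an interactive user, otherwise the fail-closed default (SupportsGettingNewToken = false) is kept and the two new AmazonClientException messages are mapped to operator guidance. It assumes a profile named "SSOAdmin" exists in ~/.aws/config; the helper names (SsoCredentialHelper, Load, DescribeCallerAsync) are hypothetical, and the matched message fragments are the ones quoted in the PR description.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Added example (not part of the PR or the SDK). Assumes an SSO profile
// "SSOAdmin" in ~/.aws/config; helper names below are hypothetical.
public static class SsoCredentialHelper
{
    // Resolves credentials for a profile. Interactive token refresh is enabled
    // only when the caller asks for it; with the new default
    // (SupportsGettingNewToken = false) a missing or expired token fails
    // closed instead of trying to open a browser from a service process.
    public static AWSCredentials Load(string profile, bool allowInteractiveLogin)
    {
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetAWSCredentials(profile, out var credentials))
            throw new InvalidOperationException($"Profile '{profile}' was not found.");

        if (credentials is SSOAWSCredentials sso && allowInteractiveLogin)
        {
            sso.Options.ClientName = "Example-SSO-App";
            sso.Options.SsoVerificationCallback = args =>
            {
                // Opens the device-authorization page; only invoked when no
                // valid cached token exists. Process.Start may not launch a
                // browser on macOS or Linux.
                Process.Start(new ProcessStartInfo
                {
                    FileName = args.VerificationUriComplete,
                    UseShellExecute = true
                });
            };
            sso.Options.SupportsGettingNewToken = true; // explicit opt-in
        }
        return credentials;
    }

    // Calls STS and maps the two exception messages introduced by this PR to
    // actionable guidance. Credential resolution happens inside the SDK call,
    // so the try block covers it.
    public static async Task<string> DescribeCallerAsync(string profile, bool allowInteractiveLogin)
    {
        var creds = Load(profile, allowInteractiveLogin);
        using var sts = new AmazonSecurityTokenServiceClient(creds);
        try
        {
            var identity = await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest());
            return identity.Arn;
        }
        catch (AmazonClientException ex) when (ex.Message.Contains("SSO Token has expired"))
        {
            throw new InvalidOperationException(
                $"Cached SSO token for '{profile}' has expired; run 'aws sso login --profile {profile}' " +
                "or enable SupportsGettingNewToken in an interactive session.", ex);
        }
        catch (AmazonClientException ex) when (ex.Message.Contains("No valid SSO Token could be found"))
        {
            throw new InvalidOperationException(
                $"No cached SSO token for '{profile}'; run 'aws sso login --profile {profile}'.", ex);
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Headless runs (services, CI) keep the fail-closed default; only an
        // interactive user session is allowed to trigger the browser flow.
        bool interactive = Environment.UserInteractive;
        Console.WriteLine(await SsoCredentialHelper.DescribeCallerAsync("SSOAdmin", interactive));
    }
}
```

The point of gating on Environment.UserInteractive is that a background process should never silently wait on a browser login it cannot complete; with the default now false, such a process gets a clear exception and the operator is told to run aws sso login instead.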
@ashishdhingra ashishdhingra force-pushed the user/ashdhin/V4-SSO-BetterException-3535 branch from 8cfa412 to df57575 April 3, 2025 18:33
@ashishdhingra ashishdhingra changed the title Fixed an issue where proper exception message was not thrown when user is not logged in while using SSO profile. Changed the default value of SSOAWSCredentialsOptions.SupportsGettingNewToken as false and improved error messaging if required SSO options are missing while generating new credentials. Apr 3, 2025
@ashishdhingra
Contributor Author

@dscpinheiro @afroz429 Addressed review comments in latest commit. Please review. I will trigger fresh dry-run.

@ashishdhingra ashishdhingra force-pushed the user/ashdhin/V4-SSO-BetterException-3535 branch from df57575 to 9098bff April 3, 2025 20:13
…NewToken as false and improved error messaging if required SSO options are missing while generating new credentials.
@ashishdhingra ashishdhingra force-pushed the user/ashdhin/V4-SSO-BetterException-3535 branch from 9098bff to 3f7e3de April 3, 2025 23:42
@dscpinheiro dscpinheiro merged commit f4b0d8a into v4-development Apr 4, 2025
1 check passed
@dscpinheiro dscpinheiro deleted the user/ashdhin/V4-SSO-BetterException-3535 branch April 4, 2025 11:00