aws_sdk_sts::assume_role() is hard to use
Describe the feature
aws_sdk_sts::assume_role() is hard to use, because the Credentials returned by assume_role (aws_sdk_sts::types::Credentials) do not implement the trait ProvideCredentials; for that, you need something like aws_sdk_sts::config::Credentials.
Use Case
I expect to be able to call assume_role() and use the result to create an SDK client.
Proposed Solution
Ideally, you would provide some way to very simply use the output of assume_role to create clients of the other aws sdks.
At a minimum, you would provide, in the documentation of assume_role, the code needed to make that happen, which is something like:

```rust
// `creds` is the output of the assume_role call
let types_cred = creds.credentials.unwrap();
// Convert the STS response type into the SDK's credential type
let config_creds = aws_sdk_sts::config::Credentials::new(
    types_cred.access_key_id(),
    types_cred.secret_access_key(),
    Some(types_cred.session_token().to_string()),
    // expiration() is in seconds since the Unix epoch
    Some(std::time::SystemTime::UNIX_EPOCH + std::time::Duration::from_secs(types_cred.expiration().secs() as u64)),
    "SomeProvider",
);
let cred_prov = aws_sdk_kms::config::SharedCredentialsProvider::new(config_creds);
let kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
    .credentials_provider(cred_prov)
    .build();
```
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
You generally don't need to utilize the STS client directly to assume a role. The default credential chain will handle assume role calls configured via profiles.
If you really want to manually configure an STS assume role call you can leverage the AssumeRoleProvider from aws-config which implements ProvideCredentials already and does the required conversions.
Direct support for turning the output of aws_sdk_sts::Client::assume_role() into impl ProvideCredentials isn't something we plan on supporting (we'd recommend the aforementioned AssumeRoleProvider for this). There are a few reasons why, but probably the most important is this would boil down to configuring static credentials for the SDK. This configures the SDK in a way that can't be refreshed which is a pattern we don't want to push people to.
I am curious what kind of setup you have where you are manually needing to configure credential providers directly. When possible we'd recommend trying to take advantage of the default chain which will work in a number of environments out of the box configured externally which makes your application easier to deploy from one compute environment to another.
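The refresh argument in the comment above, as an added std-only Rust model (not code from this thread, aws-config or the SDK). SessionCreds, StaticCreds, RefreshingCreds and fake_assume_role are hypothetical names, and the simulated clock and one-hour session lifetime are constructed; it contrasts a session stored once with a provider that repeats the assume-role call near expiry.

```rust
// Added illustration: a std-only model, not aws-config or aws-sdk-sts code.
// Every type and function name below is hypothetical.
use std::time::{Duration, SystemTime};

#[derive(Clone, Debug, PartialEq)]
pub struct SessionCreds { pub access_key_id: String, pub expires_at: SystemTime }

/// Static pattern: the result of one assume-role call, kept for the client's lifetime.
pub struct StaticCreds(pub SessionCreds);
impl StaticCreds {
    pub fn provide(&self, _now: SystemTime) -> SessionCreds { self.0.clone() } // never refreshed
}

/// Provider pattern: repeat the assume-role call when the cached session nears expiry.
pub struct RefreshingCreds<F: FnMut(SystemTime) -> SessionCreds> {
    assume_role: F,   // stand-in for the STS AssumeRole request
    cached: Option<SessionCreds>,
    buffer: Duration, // refresh this long before expiry
    pub sts_calls: u32,
}
impl<F: FnMut(SystemTime) -> SessionCreds> RefreshingCreds<F> {
    pub fn new(assume_role: F, buffer: Duration) -> Self {
        Self { assume_role, cached: None, buffer, sts_calls: 0 }
    }
    pub fn provide(&mut self, now: SystemTime) -> SessionCreds {
        let stale = self.cached.as_ref().map_or(true, |c| now + self.buffer >= c.expires_at);
        if stale {
            self.cached = Some((self.assume_role)(now));
            self.sts_calls += 1;
        }
        self.cached.clone().expect("cache was filled above")
    }
}

/// Constructed stand-in for STS: issues a session valid for one hour from `now`.
pub fn fake_assume_role(now: SystemTime) -> SessionCreds {
    SessionCreds { access_key_id: "ASIAEXAMPLE".into(), expires_at: now + Duration::from_secs(3600) }
}

fn main() {
    let t0 = SystemTime::UNIX_EPOCH; // simulated clock, no real time or network involved
    let later = t0 + Duration::from_secs(2 * 3600);
    let fixed = StaticCreds(fake_assume_role(t0));
    let mut refreshing = RefreshingCreds::new(fake_assume_role, Duration::from_secs(300));
    refreshing.provide(t0);
    println!("static still valid after 2h: {}", later < fixed.provide(later).expires_at);
    println!("refreshed still valid after 2h: {}", later < refreshing.provide(later).expires_at);
}
```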
Wow. AssumeRoleProvider is so much better than what I had. Many thanks.
I was transliterating from existing Java code, and the Java code was using aws_sdk_sts::assume_role.
Maybe the documentation for aws_sdk_sts::assume_role could have a pointer to aws_config::sts::AssumeRoleProvider?
> Wow. AssumeRoleProvider is so much better than what I had. Many thanks.

Glad to help.

> Maybe the documentation for aws_sdk_sts::assume_role could have a pointer to aws_config::sts::AssumeRoleProvider?

Maybe. It would require customizing code generation specifically for that model. This kind of content would probably make the most sense from the developer guide.