aws/internal/providers/sso

AWS SSO (IAM Identity Center) provider — the GetRoleCredentials portal call given an already-cached SSO access token. We don’t implement the device-grant flow that produces the cached token in the first place; the AWS CLI’s aws sso login does that and writes the token to ~/.aws/sso/cache/<hash>.json. We just consume it.

Endpoint shape:

  GET https://portal.sso.<region>.amazonaws.com/federation/credentials?account_id=&role_name=
  Header: x-amz-sso_bearer_token: <access_token>

Response: { "roleCredentials": { accessKeyId, secretAccessKey, sessionToken, expiration (millis since epoch) } }

Types

pub type Error {
  Failed(reason: String)
  Unreachable(reason: String)
}

Constructors

  • Failed(reason: String)

    Portal answered but the body didn’t carry credentials. Loud.

  • Unreachable(reason: String)

    Transport failed; treat as not-on-this-machine.

pub type Options {
  Options(
    region: String,
    account_id: String,
    role_name: String,
    access_token: String,
    endpoint: String,
  )
}

Constructors

  • Options(
      region: String,
      account_id: String,
      role_name: String,
      access_token: String,
      endpoint: String,
    )

    Arguments

    endpoint

    Endpoint override for tests. Production callers pass the canonical https://portal.sso.<region>.amazonaws.com URL.

pub type SsoCredentials {
  SsoCredentials(
    access_key_id: String,
    secret_access_key: String,
    session_token: String,
    expires_at: Int,
  )
}

Constructors

  • SsoCredentials(
      access_key_id: String,
      secret_access_key: String,
      session_token: String,
      expires_at: Int,
    )

    Arguments

    expires_at

    Unix seconds. The wire value is milliseconds; the caller converts.

Values

pub fn default_endpoint(region: String) -> String
pub fn fetch(
  send: fn(request.Request(BitArray)) -> Result(
    response.Response(BitArray),
    http_send.HttpError,
  ),
  options: Options,
) -> Result(SsoCredentials, Error)
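
The exchange described at the top of this page, as an added Python sketch; it is not this module's Gleam source. The injectable `send` callable, the exception classes named after the `Failed` and `Unreachable` constructors, the dict keys and every sample value are assumptions, and the millisecond-to-second conversion is done while parsing here.

```python
import json
from urllib.parse import urlencode

class Failed(Exception):
    """Portal answered, but the body carried no usable credentials."""

class Unreachable(Exception):
    """Transport failed before any portal answer arrived."""

def build_request(endpoint, account_id, role_name, access_token):
    # urlencode escapes both values, so a role name cannot add query fields.
    query = urlencode({"account_id": account_id, "role_name": role_name})
    url = f"{endpoint.rstrip('/')}/federation/credentials?{query}"
    return "GET", url, {"x-amz-sso_bearer_token": access_token}

def parse_response(status, body):
    try:
        creds = json.loads(body)["roleCredentials"]
        return {
            "access_key_id": creds["accessKeyId"],
            "secret_access_key": creds["secretAccessKey"],
            "session_token": creds["sessionToken"],
            # Wire value is milliseconds since epoch; keep Unix seconds.
            "expires_at": int(creds["expiration"]) // 1000,
        }
    except (ValueError, KeyError, TypeError) as exc:
        # Report status and error type only: the body may hold secrets.
        raise Failed(f"status {status}: {type(exc).__name__}") from None

def fetch(send, endpoint, account_id, role_name, access_token):
    """send(method, url, headers) -> (status, body); OSError on transport failure."""
    method, url, headers = build_request(endpoint, account_id, role_name, access_token)
    try:
        status, body = send(method, url, headers)
    except OSError as exc:
        raise Unreachable(str(exc)) from None
    return parse_response(status, body)

# Constructed sample exchange; every value below is a placeholder.
def fake_send(method, url, headers):
    body = {"roleCredentials": {"accessKeyId": "AKIDEXAMPLE",
                                "secretAccessKey": "secret-example",
                                "sessionToken": "token-example",
                                "expiration": 1700000000123}}
    return 200, json.dumps(body).encode()

if __name__ == "__main__":
    print(fetch(fake_send, "https://portal.sso.us-east-1.amazonaws.com",
                "111122223333", "ReadOnly", "constructed-token")["expires_at"])
```

A portal answer without `roleCredentials` (an expired token, for instance) surfaces as `Failed` with only the status and error type, so neither the bearer token nor the response body ends up in logs.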