Skip to content

SSO interactive login#419

Open
mnapoli wants to merge 3 commits into
4.xfrom
sso-interactive-login
Open

SSO interactive login#419
mnapoli wants to merge 3 commits into
4.xfrom
sso-interactive-login

Conversation

@mnapoli

@mnapoli mnapoli commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This starts the SSO login process automatically when needed:

Screen-004660

Before that, one had to run aws sso login --profile=xxx manually when credentials were expired.

mnapoli added 3 commits July 7, 2026 14:34
Replaces the hand-rolled stdin/stdout TTY + CI checks in run-compose and
the node log reporter with a single lib/utils/is-interactive helper so the
definitions cannot drift. Two deliberate semantic refinements:

- CI=false now means "not running in CI" (the ci-info convention), where
  any non-empty CI value previously counted as CI.
- Callers whose flow only displays output can pass requireStdin: false to
  allow piped stdin (used by the upcoming SSO device login).

Claude-Session: https://claude.ai/code/session_01XjKyVVZTqg7EmwqRgGtjwc
Passing the options object through to the native Error constructor makes
ServerlessError support the standard { cause } option, so wrappers can
preserve the underlying error alongside a user-facing message.

Claude-Session: https://claude.ai/code/session_01XjKyVVZTqg7EmwqRgGtjwc
When credential resolution fails with a CredentialsProviderError for a
profile that fromIni routes through SSO, run the OIDC device-authorization
flow (print the verification URL and user code, poll for the token, write
the SDK-compatible token cache) and retry the provider once.

Key behaviors:
- Profile routing mirrors fromIni: role-chaining profiles (role_arn +
  source_profile) are followed to the profile holding the SSO
  configuration; profiles resolving through static keys, credential_source,
  credential_process, or web identity never trigger a login.
- The cached token is deliberately not consulted: the provider just
  failed, so even a fresh-looking token may have been revoked server-side.
- Logins are single-flighted per SSO session, and at most one successful
  login runs per process — if credentials still fail afterwards, the real
  error surfaces instead of another prompt. Failed logins may be retried.
- Non-interactive environments (CI, no stdout TTY) fail fast with
  AWS_SSO_LOGIN_UNAVAILABLE, preserving the original SDK error in the
  message and as the error cause. stdin is not required since the device
  flow only displays a URL.
- AWS_SSO_LOGIN_* errors are recognized by isAwsCredentialError so
  downstream handling keeps treating them as credential problems.

Claude-Session: https://claude.ai/code/session_01XjKyVVZTqg7EmwqRgGtjwc
@mnapoli mnapoli force-pushed the sso-interactive-login branch from 3c35c45 to 6613f91 Compare July 7, 2026 12:34
@mnapoli mnapoli marked this pull request as ready for review July 7, 2026 12:40
@GrahamCampbell GrahamCampbell self-requested a review July 7, 2026 13:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant