SSO interactive login#419
Open
mnapoli wants to merge 3 commits into
Open
Conversation
Replaces the hand-rolled stdin/stdout TTY + CI checks in run-compose and the node log reporter with a single lib/utils/is-interactive helper so the definitions cannot drift. Two deliberate semantic refinements: - CI=false now means "not running in CI" (the ci-info convention), where any non-empty CI value previously counted as CI. - Callers whose flow only displays output can pass requireStdin: false to allow piped stdin (used by the upcoming SSO device login). Claude-Session: https://claude.ai/code/session_01XjKyVVZTqg7EmwqRgGtjwc
Passing the options object through to the native Error constructor makes
ServerlessError support the standard { cause } option, so wrappers can
preserve the underlying error alongside a user-facing message.
Claude-Session: https://claude.ai/code/session_01XjKyVVZTqg7EmwqRgGtjwc
When credential resolution fails with a CredentialsProviderError for a profile that fromIni routes through SSO, run the OIDC device-authorization flow (print the verification URL and user code, poll for the token, write the SDK-compatible token cache) and retry the provider once. Key behaviors: - Profile routing mirrors fromIni: role-chaining profiles (role_arn + source_profile) are followed to the profile holding the SSO configuration; profiles resolving through static keys, credential_source, credential_process, or web identity never trigger a login. - The cached token is deliberately not consulted: the provider just failed, so even a fresh-looking token may have been revoked server-side. - Logins are single-flighted per SSO session, and at most one successful login runs per process — if credentials still fail afterwards, the real error surfaces instead of another prompt. Failed logins may be retried. - Non-interactive environments (CI, no stdout TTY) fail fast with AWS_SSO_LOGIN_UNAVAILABLE, preserving the original SDK error in the message and as the error cause. stdin is not required since the device flow only displays a URL. - AWS_SSO_LOGIN_* errors are recognized by isAwsCredentialError so downstream handling keeps treating them as credential problems. Claude-Session: https://claude.ai/code/session_01XjKyVVZTqg7EmwqRgGtjwc
3c35c45 to
6613f91
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This starts the SSO login process automatically when needed:
Before that, one had to run
aws sso login --profile=xxxmanually when credentials were expired.