credential_process and sso_* options are mutually exclusive in AWS SDK for Go

[aidansteele]

The AWS SDK for Go has the following lines:

func (cfg *sharedConfig) validateCredentialType() error {
	// Only one or no credential type can be defined.
	if !oneOrNone(
		len(cfg.SourceProfileName) != 0,
		len(cfg.CredentialSource) != 0,
		len(cfg.CredentialProcess) != 0,
		len(cfg.WebIdentityTokenFile) != 0,
		cfg.hasSSOConfiguration(),
	) {
		return ErrSharedConfigSourceCollision
	}


	return nil
}

https://github.com/aws/aws-sdk-go/blob/4a3fa399d8948450087b360a1d82e8298eb1c25c/aws/session/shared_config.go#L397-L410

Which doesn't play nicely with the generated profiles in ~/.aws/config:

[profile example]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 0123456789012
sso_role_name = example-role
region = us-east-1
credential_process = aws-sso-credential-process --profile example

Repro code:

package main

import (
	"github.com/aws/aws-sdk-go/aws/session"
)

func main() {
	_, err := session.NewSessionWithOptions(session.Options{
		Profile: "example",
		SharedConfigState: session.SharedConfigEnable,
	})
	if err != nil {
	    panic(err)
	}
}

I've only just started using this tool so I don't yet have a solution on how to best fix this.

[benkehoe]

There's an open issue on the Go SDK for this; as far as I know it's the only SDK to raise an error when there are multiple credential source options defined in a profile. The credential_process entry can be disabled during generation with --no-credential-process, but without a change to the Go SDK, I don't see a solution to the problem. aws/aws-sdk-go#3763

[benkehoe]

I've also added an info box to the docs: https://github.com/benkehoe/aws-sso-util/blob/master/docs/configure.md

[benkehoe]

Fixed in the AWS Go SDK as of version 1.38.42. aws/aws-sdk-go#3913