add logincreds provider (#3230)

Author: lucix-aws

.changelog/c38752ce4b6e436dada27328145e3f4f.json

@@ -0,0 +1,10 @@
+{
+    "id": "c38752ce-4b6e-436d-ada2-7328145e3f4f",
+    "type": "feature",
+    "description": "Add support for AWS Login credentials (package credentials/logincreds) to the default credential chain.",
+    "modules": [
+        ".",
+        "config",
+        "credentials"
+    ]
+}

aws/credentials.go

@@ -118,6 +118,10 @@ const (
 	CredentialSourceHTTP
 	// CredentialSourceIMDS credentials resolved from the instance metadata service (IMDS)
 	CredentialSourceIMDS
+	// CredentialSourceProfileLogin credentials resolved from an `aws login` session sourced from a profile
+	CredentialSourceProfileLogin
+	// CredentialSourceLogin credentials resolved from an `aws login` session
+	CredentialSourceLogin
 )
 
 // A Credentials is the AWS credentials value for individual credential fields.

aws/middleware/user_agent.go

@@ -137,6 +137,9 @@ const (
 	UserAgentFeatureCredentialsIMDS                 = "0"
 
 	UserAgentFeatureBearerServiceEnvVars = "3"
+
+	UserAgentFeatureCredentialsProfileLogin = "AC"
+	UserAgentFeatureCredentialsLogin        = "AD"
 )
 
 var credentialSourceToFeature = map[aws.CredentialSource]UserAgentFeature{
@@ -160,6 +163,8 @@ var credentialSourceToFeature = map[aws.CredentialSource]UserAgentFeature{
 	aws.CredentialSourceProcess:              UserAgentFeatureCredentialsProcess,
 	aws.CredentialSourceHTTP:                 UserAgentFeatureCredentialsHTTP,
 	aws.CredentialSourceIMDS:                 UserAgentFeatureCredentialsIMDS,
+	aws.CredentialSourceProfileLogin:         UserAgentFeatureCredentialsProfileLogin,
+	aws.CredentialSourceLogin:                UserAgentFeatureCredentialsLogin,
 }
 
 // RequestUserAgent is a build middleware that set the User-Agent for the request.

config/go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.25
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.0
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.3
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.0
@@ -36,6 +37,8 @@ replace github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding => ../serv
 
 replace github.com/aws/aws-sdk-go-v2/service/internal/presigned-url => ../service/internal/presigned-url/
 
+replace github.com/aws/aws-sdk-go-v2/service/signin => ../service/signin/
+
 replace github.com/aws/aws-sdk-go-v2/service/sso => ../service/sso/
 
 replace github.com/aws/aws-sdk-go-v2/service/ssooidc => ../service/ssooidc/

config/resolve_credentials.go

@@ -13,10 +13,12 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go-v2/credentials/endpointcreds"
+	"github.com/aws/aws-sdk-go-v2/credentials/logincreds"
 	"github.com/aws/aws-sdk-go-v2/credentials/processcreds"
 	"github.com/aws/aws-sdk-go-v2/credentials/ssocreds"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/aws/aws-sdk-go-v2/service/signin"
 	"github.com/aws/aws-sdk-go-v2/service/sso"
 	"github.com/aws/aws-sdk-go-v2/service/ssooidc"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
@@ -172,7 +174,10 @@ func resolveCredsFromProfile(ctx context.Context, cfg *aws.Config, envConfig *En
 			ctx = addCredentialSource(ctx, aws.CredentialSourceProfileSSO)
 		}
 		err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs)
-
+	case len(sharedConfig.LoginSession) > 0:
+		ctx = addCredentialSource(ctx, aws.CredentialSourceProfileLogin)
+		ctx = addCredentialSource(ctx, aws.CredentialSourceLogin)
+		err = resolveLoginCredentials(ctx, cfg, sharedConfig, configs)
 	case len(sharedConfig.CredentialProcess) != 0:
 		// Get credentials from CredentialProcess
 		ctx = addCredentialSource(ctx, aws.CredentialSourceProfileProcess)
@@ -625,3 +630,21 @@ func addCredentialSource(ctx context.Context, source aws.CredentialSource) conte
 func getCredentialSources(ctx context.Context) []aws.CredentialSource {
 	return ctx.Value(credentialSource{}).([]aws.CredentialSource)
 }
+
+func resolveLoginCredentials(ctx context.Context, cfg *aws.Config, sharedCfg *SharedConfig, configs configs) error {
+	cacheDir := os.Getenv("AWS_LOGIN_CACHE_DIRECTORY")
+	tokenPath, err := logincreds.StandardCachedTokenFilepath(sharedCfg.LoginSession, cacheDir)
+	if err != nil {
+		return err
+	}
+
+	svc := signin.NewFromConfig(*cfg)
+	provider := logincreds.New(svc, tokenPath, func(o *logincreds.Options) {
+		o.CredentialSources = getCredentialSources(ctx)
+	})
+	cfg.Credentials, err = wrapWithCredentialsCache(ctx, configs, provider)
+	if err != nil {
+		return err
+	}
+	return nil
+}

config/shared_config.go

@@ -125,6 +125,8 @@ const (
 	checksumWhenRequired          = "when_required"
 
 	authSchemePreferenceKey = "auth_scheme_preference"
+
+	loginSessionKey = "login_session"
 )
 
 // defaultSharedConfigProfile allows for swapping the default profile for testing
@@ -362,6 +364,9 @@ type SharedConfig struct {
 
 	// Priority list of preferred auth scheme names (e.g. sigv4a).
 	AuthSchemePreference []string
+
+	// Session ARN from an `aws login` session.
+	LoginSession string
 }
 
 func (c SharedConfig) getDefaultsMode(ctx context.Context) (value aws.DefaultsMode, ok bool, err error) {
@@ -897,6 +902,8 @@ func mergeSections(dst *ini.Sections, src ini.Sections) error {
 			ssoStartURLKey,
 
 			authSchemePreferenceKey,
+
+			loginSessionKey,
 		}
 		for i := range stringKeys {
 			if err := mergeStringKey(&srcSection, &dstSection, sectionName, stringKeys[i]); err != nil {
@@ -1175,6 +1182,8 @@ func (c *SharedConfig) setFromIniSection(profile string, section ini.Section) er
 
 	c.AuthSchemePreference = toAuthSchemePreferenceList(section.String(authSchemePreferenceKey))
 
+	updateString(&c.LoginSession, section, loginSessionKey)
+
 	return nil
 }
 

credentials/go.mod

@@ -5,6 +5,7 @@ go 1.23
 require (
 	github.com/aws/aws-sdk-go-v2 v1.39.6
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.0
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.3
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.0
@@ -30,6 +31,8 @@ replace github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding => ../serv
 
 replace github.com/aws/aws-sdk-go-v2/service/internal/presigned-url => ../service/internal/presigned-url/
 
+replace github.com/aws/aws-sdk-go-v2/service/signin => ../service/signin/
+
 replace github.com/aws/aws-sdk-go-v2/service/sso => ../service/sso/
 
 replace github.com/aws/aws-sdk-go-v2/service/ssooidc => ../service/ssooidc/

credentials/logincreds/dpop.go

@@ -0,0 +1,150 @@
+package logincreds
+
+import (
+	"context"
+	"crypto/ecdsa"
+	cryptorand "crypto/rand"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go-v2/internal/sdk"
+	"github.com/aws/aws-sdk-go-v2/service/signin"
+	"github.com/aws/smithy-go/middleware"
+	smithyrand "github.com/aws/smithy-go/rand"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+)
+
+// AWS signin DPOP always uses the P256 curve
+const curvelen = 256 / 8 // bytes
+
+// https://datatracker.ietf.org/doc/html/rfc9449
+func mkdpop(token *loginToken, htu string) (string, error) {
+	key, err := parseKey(token.DPOPKey)
+	if err != nil {
+		return "", fmt.Errorf("parse key: %w", err)
+	}
+
+	header, err := jsonb64(&dpopHeader{
+		Typ: "dpop+jwt",
+		Alg: "ES256",
+		Jwk: &dpopHeaderJwk{
+			Kty: "EC",
+			X:   base64.RawURLEncoding.EncodeToString(key.X.Bytes()),
+			Y:   base64.RawURLEncoding.EncodeToString(key.Y.Bytes()),
+			Crv: "P-256",
+		},
+	})
+	if err != nil {
+		return "", fmt.Errorf("marshal header: %w", err)
+	}
+
+	uuid, err := smithyrand.NewUUID(cryptorand.Reader).GetUUID()
+	if err != nil {
+		return "", fmt.Errorf("uuid: %w", err)
+	}
+
+	payload, err := jsonb64(&dpopPayload{
+		Jti: uuid,
+		Htm: "POST",
+		Htu: htu,
+		Iat: sdk.NowTime().Unix(),
+	})
+	if err != nil {
+		return "", fmt.Errorf("marshal payload: %w", err)
+	}
+
+	msg := fmt.Sprintf("%s.%s", header, payload)
+
+	h := sha256.New()
+	h.Write([]byte(msg))
+
+	r, s, err := ecdsa.Sign(cryptorand.Reader, key, h.Sum(nil))
+	if err != nil {
+		return "", fmt.Errorf("sign: %w", err)
+	}
+
+	// DPOP signatures are formatted in RAW r || s form (with each value padded
+	// to fit in curve size which in our case is always the 256 bits) - rather
+	// than encoded in something like asn.1
+	sig := make([]byte, curvelen*2)
+	r.FillBytes(sig[0:curvelen])
+	s.FillBytes(sig[curvelen:])
+
+	dpop := fmt.Sprintf("%s.%s", msg, base64.RawURLEncoding.EncodeToString(sig))
+	return dpop, nil
+}
+
+func parseKey(pemBlock string) (*ecdsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pemBlock))
+	priv, err := x509.ParseECPrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("parse ec private key: %w", err)
+	}
+
+	return priv, nil
+}
+
+func jsonb64(v any) (string, error) {
+	j, err := json.MarshalIndent(v, "", "  ")
+	if err != nil {
+		return "", err
+	}
+
+	return base64.RawURLEncoding.EncodeToString(j), nil
+}
+
+type dpopHeader struct {
+	Typ string         `json:"typ"`
+	Alg string         `json:"alg"`
+	Jwk *dpopHeaderJwk `json:"jwk"`
+}
+
+type dpopHeaderJwk struct {
+	Kty string `json:"kty"`
+	X   string `json:"x"`
+	Y   string `json:"y"`
+	Crv string `json:"crv"`
+}
+
+type dpopPayload struct {
+	Jti string `json:"jti"`
+	Htm string `json:"htm"`
+	Htu string `json:"htu"`
+	Iat int64  `json:"iat"`
+}
+
+type signDPOP struct {
+	Token *loginToken
+}
+
+func addSignDPOP(token *loginToken) func(o *signin.Options) {
+	return signin.WithAPIOptions(func(stack *middleware.Stack) error {
+		return stack.Finalize.Add(&signDPOP{token}, middleware.After)
+	})
+}
+
+func (*signDPOP) ID() string {
+	return "signDPOP"
+}
+
+func (m *signDPOP) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
+	out middleware.FinalizeOutput, md middleware.Metadata, err error,
+) {
+	req, ok := in.Request.(*smithyhttp.Request)
+	if !ok {
+		return out, md, fmt.Errorf("unexpected transport type %T", req)
+	}
+
+	dpop, err := mkdpop(m.Token, req.URL.String())
+	if err != nil {
+		return out, md, fmt.Errorf("sign dpop: %w", err)
+	}
+
+	req.Header.Set("DPoP", dpop)
+	return next.HandleFinalize(ctx, in)
+}

credentials/logincreds/dpop_test.go

@@ -0,0 +1,37 @@
+package logincreds
+
+import (
+	"crypto/ecdsa"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+)
+
+// the signature is random so the only way to test that is to actually
+// cryptographically verify the signature
+func TestDPOP(t *testing.T) {
+	token, key := mockToken()
+	dpop, err := mkdpop(token, "htu")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	parts := strings.Split(dpop, ".")
+	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	msg := fmt.Sprintf("%s.%s", parts[0], parts[1])
+	h := sha256.New()
+	h.Write([]byte(msg))
+
+	r := new(big.Int).SetBytes(sig[0:curvelen])
+	s := new(big.Int).SetBytes(sig[curvelen:])
+	if !ecdsa.Verify(&key.PublicKey, h.Sum(nil), r, s) {
+		t.Error("ecdsa signature verify failed")
+	}
+}

credentials/logincreds/file.go

@@ -0,0 +1,14 @@
+package logincreds
+
+import (
+	"io"
+	"os"
+)
+
+var openFile func(string) (io.ReadCloser, error) = func(name string) (io.ReadCloser, error) {
+	return os.Open(name)
+}
+
+var createFile func(string) (io.WriteCloser, error) = func(name string) (io.WriteCloser, error) {
+	return os.Create(name)
+}