AWS Developer Tools Blog
AWS SSO Support in the AWS SDK for Go
The Go SDK team is excited to announce support for AWS Single Sign-On (SSO) credential providers in the AWS SDK for Go version 1 and version 2. The AWS SSO credential provider allows you to retrieve temporary AWS credentials associated with an AWS account and a role that you have been authorized to use with AWS SSO. The SDK seamlessly integrates with your AWS SSO named profiles that have been configured and signed in using the AWS CLI v2. Let’s take a look at how you can quickly get started using AWS SSO in your Go applications.
Getting Started
- To get started with AWS SSO in your Go application, configure the AWS SSO named profile using the AWS CLI. Simply follow the Configuring the AWS CLI to use AWS Single Sign-On user guide to create your profile. In this example, `dev-profile` has been created using the AWS CLI and has been configured with the required AWS SSO parameters.
- Next, initiate a login with AWS SSO using the AWS CLI and the profile configured in step one. After invoking the AWS CLI you will be prompted to open the provided URL in a web browser and authenticate using your AWS SSO credentials. Upon successful authentication and authorization your session will be cached and can be used by the Go SDK.
- Configure your Go application to use the AWS SSO profile that you created and logged in with in the previous steps. The examples below show how to configure the v1 and v2 SDK to use `dev-profile` and use the AWS SSO temporary credentials to call AWS Security Token Service.

v1 Example
```go
package main

import (
	"fmt"
	"os"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
)

func main() {
	// Create a session from the shared config file using dev-profile.
	sess, err := session.NewSessionWithOptions(session.Options{
		SharedConfigState: session.SharedConfigEnable, // Must be set to enable shared config support
		Profile:           "dev-profile",
	})
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}

	// Call STS with the temporary credentials resolved through AWS SSO.
	client := sts.New(sess)
	identity, err := client.GetCallerIdentity(&sts.GetCallerIdentityInput{})
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}

	fmt.Printf(
		"Account: %s\nUserID: %s\nARN: %s\n",
		aws.StringValue(identity.Account),
		aws.StringValue(identity.UserId),
		aws.StringValue(identity.Arn),
	)
}
```
v2 Example
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
)

func main() {
	// Load the default configuration, selecting dev-profile from the shared config.
	cfg, err := config.LoadDefaultConfig(
		context.TODO(),
		config.WithSharedConfigProfile("dev-profile"),
	)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}

	// Call STS with the temporary credentials resolved through AWS SSO.
	client := sts.NewFromConfig(cfg)
	identity, err := client.GetCallerIdentity(
		context.TODO(),
		&sts.GetCallerIdentityInput{},
	)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}

	fmt.Printf(
		"Account: %s\nUserID: %s\nARN: %s\n",
		aws.ToString(identity.Account),
		aws.ToString(identity.UserId),
		aws.ToString(identity.Arn),
	)
}
```
- After you compile and run the example code, you should see the identity details output to your terminal. In this example the v2 code is copied into `main.go`, and the Go compiler is executed to build and run the binary.
- When you are done with your AWS SSO session you can explicitly log out of all AWS SSO sessions by using `aws sso logout`, or you may wait for the credentials to reach their expiration time.
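The cached session that the steps above rely on can be checked before an application depends on it. The following is an added example, not code from the original post or the SDK: it inspects one cache entry for expiry, a mismatched start URL, and loose file permissions. It assumes the AWS CLI stores the token as JSON under `~/.aws/sso/cache`, in a file named after the SHA-1 of the profile's start URL, with `startUrl` and RFC 3339 `expiresAt` fields; the URL and token below are constructed placeholders.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io/fs"
	"time"
)

// cachedToken holds the fields this check needs (assumed JSON layout).
type cachedToken struct {
	StartURL  string    `json:"startUrl"`
	ExpiresAt time.Time `json:"expiresAt"`
}

// CacheFileName returns the assumed cache file name: hex SHA-1 of the start URL plus ".json".
func CacheFileName(startURL string) string {
	sum := sha1.Sum([]byte(startURL))
	return hex.EncodeToString(sum[:]) + ".json"
}

// CheckToken returns findings for one cache entry read from disk with the given file mode.
func CheckToken(raw []byte, mode fs.FileMode, startURL string, now time.Time) []string {
	var tok cachedToken
	if err := json.Unmarshal(raw, &tok); err != nil {
		return []string{"unreadable cache entry: " + err.Error()}
	}
	var findings []string
	if tok.StartURL != startURL {
		findings = append(findings, "start URL does not match the profile")
	}
	if !now.Before(tok.ExpiresAt) {
		findings = append(findings, "token expired: run aws sso login again")
	}
	if mode.Perm()&0o077 != 0 {
		findings = append(findings, "cache file accessible to group or other users")
	}
	return findings
}

func main() {
	url := "https://example.awsapps.com/start" // constructed placeholder
	raw := []byte(`{"startUrl":"` + url + `","accessToken":"REDACTED","expiresAt":"2021-03-01T12:00:00Z"}`)
	now := time.Date(2021, 3, 1, 13, 0, 0, 0, time.UTC) // one hour past expiry
	fmt.Println(CacheFileName(url), CheckToken(raw, 0o644, url, now))
}
```

In real use, read the file with `os.ReadFile`, take the mode from `os.Stat`, and pass `time.Now()`.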
Additional Resources
As you can see, you can quickly get started using the AWS SSO credential provider in the AWS SDK for Go. As long as you have signed in to AWS SSO using the AWS CLI and those cached credentials have not expired, the SDK will be able to retrieve temporary AWS credentials that can be used by your application to call AWS services. To learn more about using AWS SSO with the Go SDK see the Developer Guide, and to learn more about AWS SSO see the AWS Single Sign-On User Guide.
If you encounter any issues or have feedback regarding the AWS SSO integration in the Go SDK you can reach out to the team on GitHub using the appropriate SDK version link: