AWS Developer Blog

AWS SSO Support in the AWS SDK for Go

The Go SDK team is excited to announce support for AWS Single Sign-On (SSO) credential providers in the AWS SDK for Go version 1 and version 2. The AWS SSO credential provider allows you to retrieve temporary AWS credentials associated with an AWS account and a role that you have been authorized to use with AWS SSO. The SDK seamlessly integrates with your AWS SSO named profiles that have been configured and signed-in using the AWS CLI v2. Let’s take a look at how you can quickly get started using AWS SSO in your Go applications.

Getting Started

  1. To get started with AWS SSO in your Go application, configure the AWS SSO named profile using the AWS CLI. Simply follow the Configuring the AWS CLI to use AWS Single Sign-On user guide to create your profile. In this example, dev-profile has been created using the AWS CLI and has been configured with the required AWS SSO parameters.
    [profile dev-profile]
    sso_start_url = https://company-sso-portal.awsapps.com/start
    sso_region = us-west-2
    sso_account_id = 012345678901
    sso_role_name = Developer
    region = us-east-1
  2. Next, initiate a login with AWS SSO using the AWS CLI and the profile configured in step one. After invoking the AWS CLI you will be prompted to open up the provided URL in a web browser and authenticate using your AWS SSO credentials. Upon successful authentication and authorization your session will be cached and can be used by the Go SDK.
    $ aws sso login --profile dev-profile
    Attempting to automatically open the SSO authorization page in your default browser.
    If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
    
    https://device.sso.us-west-2.amazonaws.com/
    
    Then enter the code:
    
    ABCD-EFGH
    Successully logged into Start URL: https://company-sso-portal.awsapps.com/start
  3. Configure your Go application to use your AWS SSO profile that you have created and logged in with in the previous steps. Examples below shows how to configure the v1 and v2 SDK to use dev-profile and use the AWS SSO temporary credentials to call AWS Security Token Service.

    v1 Example

    package main
    
    import (
        "fmt"
        "os"
    
        "github.com/aws/aws-sdk-go/aws"
        "github.com/aws/aws-sdk-go/aws/session"
        "github.com/aws/aws-sdk-go/service/sts"
    )
    
    func main() {
        sess, err := session.NewSessionWithOptions(session.Options{
            SharedConfigState: session.SharedConfigEnable, // Must be set to enable
            Profile:           "dev-profile",
        })
        if err != nil {
            fmt.Println("error:", err)
            os.Exit(1)
        }
    
        client := sts.New(sess)
    
        identity, err := client.GetCallerIdentity(&sts.GetCallerIdentityInput{})
        if err != nil {
            fmt.Println("error:", err)
            os.Exit(1)
        }
    
        fmt.Printf(
            "Account: %s\nUserID: %s\nARN: %s\n",
            aws.StringValue(identity.Account),
            aws.StringValue(identity.UserId),
            aws.StringValue(identity.Arn),
        )
    }

    v2 Example

    package main
    
    import (
        "context"
        "fmt"
        "os"
    
        "github.com/aws/aws-sdk-go-v2/aws"
        "github.com/aws/aws-sdk-go-v2/config"
        "github.com/aws/aws-sdk-go-v2/service/sts"
    )
    
    func main() {
        cfg, err := config.LoadDefaultConfig(
            context.TODO(),
            config.WithSharedConfigProfile("dev-profile"),
        )
        if err != nil {
            fmt.Println("error:", err)
            os.Exit(1)
        }
    
        client := sts.NewFromConfig(cfg)
    
        identity, err := client.GetCallerIdentity(
            context.TODO(),
            &sts.GetCallerIdentityInput{},
        )
        if err != nil {
            fmt.Println("error:", err)
            os.Exit(1)
        }
    
        fmt.Printf(
            "Account: %s\nUserID: %s\nARN: %s\n",
            aws.ToString(identity.Account),
            aws.ToString(identity.UserId),
            aws.ToString(identity.Arn),
        )
    }
  4. After you compile and run the example code, you should see the identity details output to your terminal. In this example the v2 code is copied into main.go, and the Go compiler is executed to build and run the binary.
    $ go run main.go
    Account: 012345678901
    UserID: ABCD5FTR123ABCDEFGH12:username
    ARN: arn:aws:sts::012345678901:assumed-role/AWSReservedSSO_Developer_d23a4f8358fbfc69/username
  5. When you are done with your AWS SSO session you can explicitly log out of all AWS SSO sessions by using aws sso logout or you may wait for the credentials to reach their expiration time.

Additional Resources

As you can see, you can quickly get started using the AWS SSO credential provider in the AWS SDK for Go. As long as you have signed-in to AWS SSO using the AWS CLI and those cached credentials have not expired, the SDK will be able to retrieve temporary AWS credentials that can be used by your application to call AWS services. To learn more about using AWS SSO with the Go SDK see the Developer Guide, and to learn more about AWS SSO see the AWS Single Sign-On User Guide.

If you encounter any issues or have feedback regarding the AWS SSO integration in the Go SDK you can reach out to the team on GitHub using the appropriate SDK version link: