Working example of using assume_role_with_saml?

[relausen-tlg]

I'm trying to find out how to get aws_sdk_sts::Client::assume_role_with_saml to work, but keep running into the CredentialsNotLoaded error. Can anyone provide or link to a working example of using this?

My code looks like this, where the saml_token has been acquired earlier in the function:

let shared_config = aws_config::from_env().region(region_provider).load().await;
let aws_client = aws_sdk_sts::Client::new(&shared_config);

let result = aws_client.assume_role_with_saml()
    .role_arn("arn:aws:iam::MY_ACCOUNT_NUMBER:role/MY_ROLE")
    .principal_arn("arn:aws:iam::MY_ACCOUNT_NUMBER:saml-provider/MY_PROVIDER")
    .saml_assertion(saml_token)
    .send()
    .await;
let aws_creds = result?.credentials;

[ysaito1001]

Hi @relausen-tlg, thank you for reporting this. What version of aws_sdk_sts crate are you using? Also, are you able to use other Rust SDK crates such as aws_sdk_s3 without the CredentialsNotLoaded error?

cc @DavidSouther for an example for aws_sdk_sts::Client::assume_role_with_saml.

[relausen-tlg]

Thanks for picking this up! The aws_sdk_sts crate version is 0.30.0. And yes, if I run the example "list S3 buckets" code from your repo (https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/rust_dev_preview/examples/s3/src/bin/list-buckets.rs) after having acquired credentials using command line, listing buckets works fine.

Am I using a wrong client setup? When calling assume_role_with_saml there should not be any attempt to load any credentials, but I can't find out if there is another client setup to use in that case.

[DavidSouther]

@ysaito1001 we don't have any docs for using SAML, Rust or otherwise.

[relausen-tlg]

@ysaito1001 we don't have any docs for using SAML, Rust or otherwise.

Ok - thanks for replying! That being said: What I was hoping to find somewhere was a "complete" example of assume_role_with_saml, in the lines of the one for a "normal" assume role (https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/rust_dev_preview/examples/sts/src/bin/assume-role.rs), i.e., including how to set up the config and client. I quoted "complete" since the example code I would love to see could assume that a SAML token had already been acquired.

[relausen-tlg]

Alright, I finally figured it out. My suspicion about an errorneous client setup was right. My mistake was that I followed the instructions in the readme for the STS crate: https://docs.rs/aws-sdk-sts/latest/aws_sdk_sts/index.html. After lots of searching and probing I finally stumbled over a test showing how to create a client the right way: https://github.com/awslabs/smithy-rs/blob/8a3b8f3a00f52c8b16ee6b5a080b8dcf4d89faf5/aws/sdk/integration-tests/sts/tests/signing-it.rs#L45. Using the code here (without the for me unnecessary http_connector) it worked like a charm!

[relausen-tlg]

So the following snippet works for me:

// The region variable in the first line here is set if given by a command line parameter.
let region_provider = RegionProviderChain::first_try(region.map(Region::new))
    .or_default_provider()
    .or_else(Region::new("eu-west-1"));

let config = aws_sdk_sts::Config::builder()
    .region(region_provider.region().await.unwrap())
    .build();

let sts_client = aws_sdk_sts::Client::from_conf(config);
let result = sts_client.assume_role_with_saml()
    .role_arn("arn:aws:iam:: MY_ACCOUNT_NUMBER:role/MY_ROLE")
    .principal_arn("arn:aws:iam:: MY_ACCOUNT_NUMBER:saml-provider/MY_PROVIDER")
    .saml_assertion(saml_token)
    .send()
    .await;
let aws_creds = result?.credentials.unwrap();

If there are even better or more correct ways of doing this (apart from unconditional unwraps 😄 ) then please let me know :-)

[ysaito1001]

Thank you for posting a working snippet. I assume a variable region_provider

// The region variable in the first line here is set if given by a command line parameter.
let region_provider = RegionProviderChain::first_try(region.map(Region::new))
    .or_default_provider()
    .or_else(Region::new("eu-west-1"));

is the same as one used in the first code snippet?

let shared_config = aws_config::from_env().region(region_provider).load().await;

In general, we recommend using aws_config::ConfigLoader::load, since the load method can handle various defaults under the hood. What your working snippet does for creating the variable region_provider, passing it to aws_sdk_sts::config::Builder::region, and passing a resulting config to aws_sdk_sts::Client::from_conf should essentially be what the original snippet does to create a variable aws_client.

[relausen-tlg]

Thank you for spending time on my stupid questions 😄.

Yes, the region_provider is the same in both snippets. I really like that!

I also like the original snippet better, and now I'm really embarrassed, since I managed to overlook the ConfigLoader::no_credentials method. Adding a call to that method in the loader made the original snippet work!

So now I have this working code, which lives up to your recommendation 😄:

// The region variable in the first line here is set if given by a command line parameter.
let region_provider = RegionProviderChain::first_try(region.map(Region::new))
    .or_default_provider()
    .or_else(Region::new("eu-west-1"));

let config = aws_config::from_env()
    .no_credentials()
    .region(region_provider)
    .load()
    .await;

let sts_client = aws_sdk_sts::Client::new(&config);
let result = sts_client.assume_role_with_saml()
    .role_arn("arn:aws:iam::MY_ACCOUNT_NUMBER:role/MY_ROLE")
    .principal_arn("arn:aws:iam::MY_ACCOUNT_NUMBER:saml-provider/MY_PROVIDER")
    .saml_assertion(saml_token)
    .send()
    .await;
let aws_creds = result?.credentials.unwrap();

I'm a happy camper now. Once again: Thank you so much for your help!

[KennethWilke]

I haven't been able to find an easy way to actually use the aws_creds result that you would get from this. The config builder expects an Option<SharedCredentialsProvider> input but I can't yet figure out how to turn the Credentials object into something you can use in a config for building another AWS client.

Does anybody have any suggestions on that? I feel like I'm missing something obvious

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.