sso client should not check for creds #207

Open
benjamin-asdf opened this issue Feb 19, 2022 · 4 comments
benjamin-asdf commented Feb 19, 2022

Dependencies

e.g.

{:deps {com.cognitect.aws/api {:mvn/version "0.8.539"},
        com.cognitect.aws/endpoints {:mvn/version "1.1.12.110"},
        com.cognitect.aws/identitystore
        {:mvn/version "811.2.958.0",
         :aws/serviceFullName "AWS SSO Identity Store"}}}

Repro

(ns sso
  (:require [cognitect.aws.client.api :as aws]))

(def client (aws/client {:api :sso}))

;; obtain an access token
;; this will fail if you do not have a default profile configured

(aws/invoke
 client
 {:op :GetRoleCredentials
  :request {:accessToken "fo"
            :roleName "role"
            :accountId "id"}})
            
;; expectation: get some validation err because the accessToken is "fo"''

Feb 19, 2022 4:19:57 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from environment variables.
Feb 19, 2022 4:19:57 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from system properties.
Feb 19, 2022 4:19:57 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from aws profiles file.
Feb 19, 2022 4:20:00 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from any source.

It fails too early in this case.
SSO should be a special case where it doesn't look for creds because the use case is that you fetch exactly those creds.

workaround:

configure a default profile (with keys)

set system props to some dummy values etc.
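
A variant of the workaround above that keeps the dummy values inside one client instead of in the default profile or system properties. This is an added example, not code from the issue or from aws-api; `sso-client`, `get-role-credentials`, the placeholder strings and the region value are assumptions, and the thread does not show whether the service accepts a valid token on a request signed with placeholder keys.

```clojure
(ns sso-workaround
  (:require [cognitect.aws.client.api :as aws]
            [cognitect.aws.credentials :as credentials]))

;; Placeholder values (constructed, not real keys). They live only in this
;; provider, so no dummy [default] profile is written to ~/.aws/credentials
;; where other tools on the machine could pick it up.
(def placeholder-provider
  (credentials/basic-credentials-provider
   {:access-key-id     "PLACEHOLDER"
    :secret-access-key "PLACEHOLDER"}))

(defn sso-client
  "SSO client that bypasses the default credential chain.
  `region` is the region of the SSO portal (assumption: the caller knows it)."
  [region]
  (aws/client {:api                  :sso
               :region               region
               :credentials-provider placeholder-provider}))

(defn get-role-credentials
  "Returns the :roleCredentials map from the response, or throws ex-info
  carrying the anomaly map. The access token is never put in the ex-data."
  [client {:keys [access-token role-name account-id]}]
  (let [resp (aws/invoke client
                         {:op      :GetRoleCredentials
                          :request {:accessToken access-token
                                    :roleName    role-name
                                    :accountId   account-id}})]
    (if (:cognitect.anomalies/category resp)
      (throw (ex-info "GetRoleCredentials failed"
                      {:anomaly   resp
                       :role-name role-name
                       :account   account-id}))
      (:roleCredentials resp))))

(comment
  ;; Same request as the repro; "us-east-1" is a constructed sample region.
  (get-role-credentials (sso-client "us-east-1")
                        {:access-token "fo"
                         :role-name    "role"
                         :account-id   "id"}))
```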

@benjamin-asdf benjamin-asdf changed the title sso sso client should not check for creds Mar 19, 2022
@dchelimsky dchelimsky self-assigned this Apr 4, 2022

dchelimsky commented Apr 4, 2022

We're looking into this. We have a few possible ways to handle this case, and need to figure out which solves the problem in the most general way without breaking things or introducing new dependencies. Please stand by.

@dchelimsky

@benjamin-asdf when I run your example with a dummy profile configured, I get this:

{:cognitect.anomalies/category :cognitect.anomalies/fault,
 :cognitect.anomalies/message
 "HTTP protocol violation: Authentication challenge without WWW-Authenticate header",
 ,,,}

Is that the validation err you get?


benjamin-asdf commented Apr 11, 2022

(aws/invoke
 (aws/client {:api :sso})
 {:op :GetRoleCredentials
  :request {:accessToken "fo"
            :roleName "role"
            :accountId "id"}})

;; without dummy

#:cognitect.anomalies{:category :cognitect.anomalies/fault, :message "Unable to fetch credentials. See log for more details."}

;; with dummy ~/.aws/credentials

[default]
aws_secret_access_key = _
aws_access_key_id = _
aws_session_token = _

{:cognitect.anomalies/category :cognitect.anomalies/fault, :cognitect.anomalies/message "HTTP protocol violation: Authentication challenge without WWW-Authenticate header", :cognitect.http-client/throwable #error {
 :cause "HTTP protocol violation: Authentication challenge without WWW-Authenticate header"
 ,,,

yea seems to be the same
@dchelimsky
