Description
Hello,
Per this doc, we can use two ways to authenticate with SSO using the PHP SDK (SSO token provider and legacy configuration):
https://docs.aws.amazon.com/sdkref/latest/guide/feature-sso-credentials.html#feature-sso-credentials-profile
With aws/aws-sdk-php version 3.262.4, only the legacy configuration works, but with 3.281.15 the SSO token provider configuration works too.
Maybe since this commit:
https://github.com/aws/aws-sdk-php/pull/2628/files
Because we use async-aws with https://github.com/symfony/amazon-sqs-messenger, we need these packages and versions to have the SSO config working:
"async-aws/core": "^1.20",
"async-aws/sso": "^0.1.0",
But it only allows us to use the legacy SSO configuration; the SSO token provider configuration does not work for async, and the messenger component shows this error:
[messenger] No credentials found for profile "test". ["profile" => "test"]
We found in the vendor code that we are using the chainProvider from async-aws/core (IniFileProvider), which doesn't allow using "sso_session" in a profile from the config file,
but the chainProvider CredentialProvider from aws/aws-sdk-php can use sso_session and the SSO token provider configuration.
With async-aws/core, the only function currently implemented for SSO is getCredentialsFromLegacySso($profileData, $profile);
This is our ~/.aws/config that works with the messenger component:
[profile test]
sso_start_url = https://test.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 123
sso_role_name = test
region = eu-central-1
output = json
And this one only works with aws-sdk-php for synchronous requests (s3/...), but not for async-aws with Symfony Messenger (error: No credentials found for profile):
[profile test]
sso_session = my-sso
sso_account_id = 123456
sso_role_name = test
region = eu-central-1
output = json
[sso-session my-sso]
sso_region = eu-central-1
sso_start_url = https://test.awsapps.com/start
sso_registration_scopes = sso:account:access
Do you know if there is a workaround, or do we need to wait for async-aws/core to enable the SSO token provider?
Do you have any roadmap for it?
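
A pre-flight check for the two profile layouts shown in this issue, as an added example that is not code from async-aws or aws-sdk-php: it reports whether a profile uses the legacy keys or an `sso_session` reference, and which required keys or sections are absent. The function name `classifySsoProfile` and the returned array shape are hypothetical; the sample config is constructed from the second config above.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper): classify one profile from shared AWS config text.
function classifySsoProfile(string $configText, string $profile): array
{
    // RAW mode keeps URLs and scope strings such as "sso:account:access" untouched.
    $sections = parse_ini_string($configText, true, INI_SCANNER_RAW);
    if ($sections === false) {
        throw new InvalidArgumentException('config is not valid INI');
    }
    $name = $profile === 'default' ? 'default' : 'profile ' . $profile;
    if (!isset($sections[$name])) {
        return ['mode' => 'missing-profile', 'missing' => [$name]];
    }
    $data = $sections[$name];
    $mode = 'legacy';
    if (isset($data['sso_session'])) {
        // Token provider layout: start URL and region live in the referenced section.
        $mode = 'sso-session';
        $sessionName = 'sso-session ' . $data['sso_session'];
        if (!isset($sections[$sessionName])) {
            return ['mode' => $mode, 'missing' => [$sessionName]];
        }
        $data['sso_start_url'] = $sections[$sessionName]['sso_start_url'] ?? '';
        $data['sso_region'] = $sections[$sessionName]['sso_region'] ?? '';
    } elseif (!isset($data['sso_start_url'])) {
        return ['mode' => 'not-sso', 'missing' => []];
    }
    // Both layouts need these four values once the session reference is resolved.
    $need = ['sso_start_url', 'sso_region', 'sso_account_id', 'sso_role_name'];
    $missing = array_filter($need, fn ($k) => !isset($data[$k]) || $data[$k] === '');
    return ['mode' => $mode, 'missing' => array_values($missing)];
}

// Constructed sample input, copied from the sso_session config in this issue.
$config = <<<'INI'
[profile test]
sso_session = my-sso
sso_account_id = 123456
sso_role_name = test
region = eu-central-1
[sso-session my-sso]
sso_region = eu-central-1
sso_start_url = https://test.awsapps.com/start
sso_registration_scopes = sso:account:access
INI;

var_export(classifySsoProfile($config, 'test'));
```

A result with mode `sso-session` and an empty `missing` list means the file itself is complete, so a "No credentials found" error then points at the reader not supporting that layout rather than at a config mistake.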