Add SSO credentials provider from AWS SDK v2

[bentsherman]

Close #2295

I currently can't test it properly because we don't use SSO internally, but we will try to set up a test environment.

@multimeric feel free to give it a try in the meantime.

[pditommaso]

Look great. Let's add @bebosudo and @enekui to test it and include the corresponding documentation please

[bentsherman]

Okay, I got it to work with our test SSO user.

Run aws configure sso and provide the SSO start URL and SSO region. It will create a profile in ~/.aws/config that looks like this:

[profile my-sso-profile]
sso_session = 'my-sso-session'
sso_account_id = '...'
sso_role_name = '...'
[sso-session my-sso-session]
sso_start_url = '...'
sso_region = '...'
sso_registration_scopes = 'sso:account:access'

You can then run a Nextflow pipeline with aws.profile = 'my-sso-profile' in your Nextflow configuration.

You can also run aws configure sso --profile default to make it the default profile.

The SSO region is just the region where the SSO user is authenticated. It is separate from the AWS region, so you can use the SSO profile and then specify any other region via aws.region.

[pditommaso]

Excellent. Let's add a section in the docs after "security credentials" about this

[bentsherman]

Yes, it is documented there.

Also, tests are passing but this "snyk" test is failing, however I can't access it.

[pditommaso]

Not sure about this

[bentsherman]

@pditommaso regarding your comments, I have no idea if these auth methods work or are practical with Nextflow

• AWS_SESSION_TOKEN
• Java system properties
• Web identity token

I documented them because they are implemented in Nextflow, but I have no attachment to them. Ideally we should either document them or remove them.

[bentsherman]

I think AWS_SESSION_TOKEN and web identity token are both related to temporary credentials, so probably not practical for Nextflow. Java system properties should work fine but you might as well use environment variables or Nextflow config.

So I'm fine with not documenting these but then we should also remove them from the code 😄

[pditommaso]

The rationale is to document what's expected to be a feature. Some features can be indirectly implemented by the inherited library, but they should not be documented if there are not meant to be exposed as a supported feature.

[netlify]

✅ Deploy Preview for nextflow-docs-staging ready!

Name	Link
🔨 Latest commit	6f6bfd0
🔍 Latest deploy log	https://app.netlify.com/sites/nextflow-docs-staging/deploys/64a529d2b93b73000845a7bf
😎 Deploy Preview	https://deploy-preview-4045--nextflow-docs-staging.netlify.app/aws
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.