How to connect to Datomic (peer/on-prem) using AWS SSO
(ns user.aws-sso-credentials
  "Bridges AWS SDK v2 credentials providers (including profile-based ones) to
  the `cognitect.aws.credentials/CredentialsProvider` protocol, and can copy
  the resolved session credentials into `aws.*` JVM system properties."
  (:require [clojure.string :as string]
            [cognitect.aws.credentials :as credentials])
  (:import (java.time Duration InstantSource)
           (software.amazon.awssdk.auth.credentials AwsCredentials AwsCredentialsProvider ProfileCredentialsProvider)
           (software.amazon.awssdk.identity.spi AwsSessionCredentialsIdentity)))

;; Ask the compiler to warn about interop calls it has to resolve by
;; reflection while this namespace is being loaded.
(set! *warn-on-reflection* true)
(defn aws-session-credentials
  "Builds the aws-api style credentials map from an AWS SDK v2 session
  credentials object.

  `now` is the instant used as the start of the TTL calculation and
  `credentials` must implement both `AwsCredentials` and
  `AwsSessionCredentialsIdentity`.

  The result always carries `:aws/access-key-id`, `:aws/secret-access-key`
  and `:aws/session-token`. `::credentials/ttl` (whole seconds from `now`
  until expiry) is added only when the SDK reports an expiration time.

  The returned map holds live secrets: keep it out of logs, exception data
  and REPL transcripts."
  [now credentials]
  (let [expiry  (AwsSessionCredentialsIdentity/.expirationTime credentials)
        secrets {:aws/access-key-id     (AwsCredentials/.accessKeyId credentials)
                 :aws/secret-access-key (AwsCredentials/.secretAccessKey credentials)
                 :aws/session-token     (AwsSessionCredentialsIdentity/.sessionToken credentials)}]
    ;; The TTL is the full remaining lifetime with no safety margin, and it is
    ;; negative when `now` is already past the expiry.
    ;; NOTE(review): presumably the caching wrapper schedules its refresh from
    ;; this value, which would leave no head-room before expiry -- confirm
    ;; whether a margin should be subtracted.
    (cond-> secrets
      (.isPresent expiry)
      (assoc ::credentials/ttl (.toSeconds (Duration/between now (.get expiry)))))))
(defn provider
  "A `profile-credentials-provider` variant that supports SSO and can be used
  with any aws-api service client.

  Keyword options:
    :aws-credentials-provider  an AWS SDK v2 `AwsCredentialsProvider` to
                               delegate to; overrides `:profile-name`.
    :profile-name              profile to load (passed through `name`, so a
                               keyword or a string works); when absent the
                               SDK's default `ProfileCredentialsProvider` is
                               created.
    :instant-source            `InstantSource` used as \"now\" for the TTL;
                               defaults to the system clock.

  Returns the delegate wrapped in
  `credentials/cached-credentials-with-auto-refresh`. A fetch yields nil when
  the delegate resolves something that is not a session credential (no
  session token), so such credentials are never handed to the client."
  [& {:keys [aws-credentials-provider instant-source profile-name]
      :or   {instant-source (InstantSource/system)}}]
  (let [delegate (cond
                   aws-credentials-provider aws-credentials-provider
                   profile-name             (ProfileCredentialsProvider/create (name profile-name))
                   :else                    (ProfileCredentialsProvider/create))
        adapter  (reify credentials/CredentialsProvider
                   (fetch [_]
                     (let [resolved (AwsCredentialsProvider/.resolveCredentials delegate)]
                       ;; Only temporary (session) credentials are converted;
                       ;; anything else falls through to nil.
                       (when (and (instance? AwsCredentials resolved)
                                  (instance? AwsSessionCredentialsIdentity resolved))
                         (aws-session-credentials (InstantSource/.instant instant-source)
                                                  resolved)))))]
    (credentials/cached-credentials-with-auto-refresh adapter)))
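(defn export-sso-credentials-to-properties
  "Resolves session credentials through `provider` and copies them into the
  JVM system properties `aws.accessKeyId`, `aws.secretKey` and
  `aws.sessionToken`.

  Takes an optional map with `:profile-name`; with no argument, or without
  `:profile-name`, `provider` is called with no profile.

  Returns a map of every system property whose key starts with \"aws.\".

  Throws `ex-info` when no complete set of session credentials was resolved,
  instead of the NullPointerException `System/setProperty` raises on nil.

  Security notes:
  - The returned map contains the secret access key and session token in
    clear text, so evaluating this at a REPL prints them. Bind or discard the
    result where transcripts or history are retained.
  - System properties are process-wide: all code in this JVM can read them,
    and they appear in any dump of the system properties.
  - The exported values are a one-time snapshot and are not refreshed when
    the session credentials expire; call this again after a new SSO login."
  ([] (export-sso-credentials-to-properties {}))
  ([{:keys [profile-name]}]
   (let [creds-provider (if profile-name
                          (provider :profile-name profile-name)
                          (provider))]
     (try
       (let [{:aws/keys [access-key-id secret-access-key session-token]}
             (credentials/fetch creds-provider)]
         ;; `provider` yields nil for anything that is not a session
         ;; credential; fail with a readable message and no secret material.
         (when-not (and access-key-id secret-access-key session-token)
           (throw (ex-info "No AWS session credentials could be resolved for the profile"
                           {:profile-name profile-name})))
         (System/setProperty "aws.accessKeyId" access-key-id)
         (System/setProperty "aws.secretKey" secret-access-key)
         (System/setProperty "aws.sessionToken" session-token)
         (into {}
               (filter (comp #(string/starts-with? % "aws.")
                             key))
               (System/getProperties)))
       (finally
         ;; Only a single fetch is needed here, so cancel the auto-refresh
         ;; that the throw-away cached provider would otherwise keep scheduled.
         (credentials/stop creds-provider))))))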
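(comment
  ;; REPL usage. The function is declared with one map parameter, so the
  ;; default-profile call passes an empty map.
  ;; Each call returns every `aws.*` system property, including the secret key
  ;; and session token, so the REPL will print them unless the result is
  ;; bound or discarded.
  (export-sso-credentials-to-properties {})
  (export-sso-credentials-to-properties {:profile-name :prd}))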
;; Dependency map (deps.edn format); both libraries are pinned to exact versions.
;; NOTE(review): resolving an SSO profile through ProfileCredentialsProvider
;; presumably also needs the AWS SDK `sso` module (and `ssooidc` for
;; `sso-session` style profiles) on the classpath -- confirm they are supplied
;; elsewhere, since only `auth` is declared here.
{:deps {com.cognitect.aws/api       {:mvn/version "0.8.735"}
        software.amazon.awssdk/auth {:mvn/version "2.41.5"}}}