aws-sdk-go
aws-sdk-go doesn't support new sso-session in a shared config
Describe the bug
2 weeks ago, awscli v2.9.0 was released and introduced sso-session section in $HOME/.aws/config. But it seems aws-sdk-go doesn't support it yet, and failed to load the config.
Expected Behavior
aws-sdk-go should load sso-session section from a shared config correctly.
Current Behavior
aws-sdk-go just ignored sso-session section, and failed by missing required configuration: sso_region, sso_start_url.
Reproduction Steps
- install awscli v2.9.0 or later.
- create a shared config by aws configure sso
- load the config from aws-sdk-go. I used session manager plugin.
Possible Solution
No response
Additional Information/Context
It would be nice if session manager plugin team in AWS would update aws-sdk-go version after releasing the fix.
SDK version used
Environment details (Version of Go (go version)? OS name and version, etc.)
Linux
@ksauzz thanks for reaching out. Would you be able to show us what's in your shared config located at ~/.aws/config? Feel free to stub out any sensitive information.
Our config which hit the issue is the following:
[profile xxx]
sso_session = xxx
sso_account_id = xxxxxxxxxx
sso_role_name = xxxxxxxxxx
region = ap-northeast-1
sso_region = ap-northeast-1
output = json
[sso-session xxx]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access
You can find the similar example here.
According to https://github.com/hashicorp/terraform-provider-aws/issues/28263 it seems aws-sdk-go-v2 already supports this.
What should users do when an application uses AWS-SDK-GO v1 while AWS CLI is creating a new profile? I will request the maintainer's support both profile/config in v1 SDK.
Looks like the only solution is to copy the sso_start_url and sso_region from the sso-session block, delete the sso-session block (and all references to sso_session_name) and then reauthenticate to allow the SDK-v1 sessions to work. If the sso_session_name is configured at all, AWS CLI puts the authentication token in a location the SDK can't find.
This is an increasingly frustrating bug across the AWS CLI/SDK ecosystem
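The workaround from the comment above, sketched in Go as an added example (not code from the thread or from aws-sdk-go): the hypothetical helper FlattenSSO copies sso_start_url and sso_region from each referenced sso-session block into the profile and drops the sso_session key and the session blocks. The sample config and its names are constructed; other session-level settings such as sso_registration_scopes are discarded with the block.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the sso-session layout; all names and values are placeholders.
const sample = `[profile dev]
sso_session = corp
sso_account_id = 111122223333
sso_region = ap-northeast-1
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-northeast-1`

// FlattenSSO (hypothetical helper) rewrites sso-session config text into the legacy per-profile layout.
func FlattenSSO(cfg string) (string, error) {
	const pre = "[sso-session "
	vals := map[string]string{} // section header + setting name -> value
	var out []string
	for pass := 1; pass <= 2; pass++ { // pass 1 indexes the file, pass 2 rewrites it
		hdr := ""
		for _, l := range strings.Split(cfg, "\n") {
			k, v, _ := strings.Cut(l, "=")
			k, v = strings.TrimSpace(k), strings.TrimSpace(v)
			if strings.HasPrefix(l, "[") {
				hdr = strings.TrimSpace(l)
			}
			inlined := vals[hdr+"sso_session"] != "" && (k == "sso_start_url" || k == "sso_region")
			switch {
			case pass == 1:
				vals[hdr+k] = v
			case strings.HasPrefix(hdr, pre), inlined: // drop session blocks and superseded values
			case k == "sso_session": // replace the reference with the session's own settings
				url, region := vals[pre+v+"]sso_start_url"], vals[pre+v+"]sso_region"]
				if url == "" || region == "" {
					return "", fmt.Errorf("%s: sso-session %q lacks sso_start_url or sso_region", hdr, v)
				}
				out = append(out, "sso_start_url = "+url, "sso_region = "+region)
			default:
				out = append(out, l) // everything else passes through unchanged
			}
		}
	}
	return strings.Join(out, "\n"), nil
}

func main() { fmt.Println(FlattenSSO(sample)) }
```

Run it on a copy of ~/.aws/config and review the result before replacing the original; re-authentication is still needed afterwards, as the comment says.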
any updates on this?
It's been almost five months and we still have to log in repeatedly. Why is this P3 and why does it have minor priority?
I'm also interested, what's the status of this? There were some merged PRs mentioned #4868 & #4875 indicating some kind of handiwork in order to fix this, however the first one seemed to also be reverted at some point?
Updating myself: so it seems the #4885 is still open & waiting to be merged to main --> after which we should get the fixes released?
Yes, when #4885 lands into main it will be made available in the next release.