aws-toolkit-jetbrains
Plugin does not switch accounts via profiles when using SSO and role_arn
I have the following configuration in my ~/.aws/config file (anonymized for security), but when I switch profiles in the IntelliJ interface, it always shows the resources from the default profile, even though the UI shows the correct profile name.
Important things to note:
- I can switch profiles correctly with the official AWS cli tools, e.g.
aws s3 ls --profile account1
shows the correct S3 buckets
- I can switch profiles correctly in VS Code with the official AWS plugin
[profile default]
sso_start_url = https://xxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
sso_account_id = xxxxxxxxxxxx
sso_role_name = DefaultRole
region = eu-west-2
output = json
[profile account1]
sso_start_url = https://xxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
sso_account_id = 935546219213
sso_role_name = DefaultRole
role_arn = arn:aws:iam::635663820609:role/OrganizationAccountAccessRole
source_profile = default
[profile account2]
sso_start_url = https://xxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
sso_account_id = xxxxxxxxxxxx
sso_role_name = DefaultRole
role_arn = arn:aws:iam::xxxxxxxxxxxx:role/OrganizationAccountAccessRole
source_profile = default
Toolkit: AWS Toolkit For JetBrains 1.61-223
OS: Mac OS X 13.2.1
IDE: IntelliJ IDEA Ultimate Edition 223
Me neither, I am using M1 and cannot see any profiles that use the SSO or assume role. All the SSO profiles are linked to a single sso session. For example,
[profile test]
external_id=1d88xxxx
role_arn=arn:aws:iam::3604xxxx:role/xxxx
role_session_name=test
source_profile=dev
region=ap-northeast-2
[profile dev]
sso_session=common
sso_account_id=2160xxxx
sso_role_name=AdministratorAccess
region=ap-northeast-2
output=json
[default]
sso_session=common
sso_account_id=3701xxxx
sso_role_name=AdministratorAccess
region=ap-northeast-2
output=json
[sso-session common]
sso_start_url=https://xxxx.awsapps.com/start
sso_region=ap-northeast-2
sso_registration_scopes=sso:account:access
and I cannot see all of them. In this case, VSCode is the same.
The problem seems to be specifically with profiles that use the refreshable configuration, and not with those that use the legacy configuration. With other tools I've come across, updating the SDK has helped with this; I'm not familiar enough with the Java SDK to verify this here.
I can offer a workaround though:
$ cat ~/.aws/config
[profile foo-legacy]
credential_process=aws configure export-credentials --profile=foo
[profile foo]
sso_session = default
sso_account_id = 123456789012
sso_role_name = bar
[sso-session default]
sso_start_url = https://foo.awsapps.com/start
sso_region = eu-west-2
sso_registration_scopes = sso:account:access
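To see which profiles in a config file fall into the refreshable sso-session case described above, which ones use inline (legacy) SSO settings, and which are role-chaining profiles that inherit their source profile's type, here is an added example that is not part of this thread or the toolkit; it parses a constructed sample config (modelled on the ones posted above) with Python's configparser, and also recognises the credential_process wrapper profile from the workaround.

```python
import configparser

# Constructed sample modelled on the thread: an inline (legacy) SSO profile, a role-chaining
# profile, a profile backed by a shared sso-session, and the credential_process workaround.
SAMPLE_CONFIG = """
[profile default]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = DefaultRole
[profile account1]
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
source_profile = default
[profile dev]
sso_session = common
sso_account_id = 333333333333
sso_role_name = AdministratorAccess
[profile dev-legacy]
credential_process = aws configure export-credentials --profile dev
[sso-session common]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-northeast-2
"""

def load_sections(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI text; section names are 'default', 'profile X' or 'sso-session X'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def classify(sections: dict, name: str, depth: int = 0) -> str:
    """Return the kind of credential source a profile ultimately resolves to."""
    p = sections.get(f"profile {name}") or sections.get(name)
    if p is None or depth > 5:            # unknown source_profile, or a chaining loop
        return "unresolved"
    if "credential_process" in p:
        return "credential_process"
    if "sso_session" in p:
        return "sso-session"              # refreshable config: the case reported as broken
    if "sso_start_url" in p:
        return "sso-legacy"               # inline SSO settings: the case reported to work
    if "role_arn" in p and "source_profile" in p:
        # Role chaining inherits whatever the source profile resolves to.
        return "assume-role via " + classify(sections, p["source_profile"], depth + 1)
    return "static-or-unknown"

def report(text: str) -> dict[str, str]:
    """Map every profile name (sso-session sections excluded) to its classification."""
    sections = load_sections(text)
    names = [s.removeprefix("profile ") for s in sections if not s.startswith("sso-session ")]
    return {n: classify(sections, n) for n in names}
```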
I'm getting this error when changing the config file with your suggestion:
Unable to connect to AWS: Failed to execute credential_process (aws): sh: aws: command not found
Any ideas @mjrlee? 🙏
@aragalie do you have the AWS CLI installed and on your path? It might help to use the full path to aws (defaults to /usr/bin/aws)
You can find where aws is installed (if it is) with:
which aws
Yes, it is @mjrlee. Probably I'll wait then until the team pushes an update to the plugin to properly handle SSO profiles.
I've tried to connect with a similar configuration - when you remove the [sso-session common] as a separate configuration and add the sso info to each profile - it works.
My guess is that the plugin doesn't support [sso-session] yet.
similar to this issue: https://github.com/aws/aws-toolkit-jetbrains/issues/3411
there is a pr related to this issue: https://github.com/aws/aws-toolkit-jetbrains/pull/3672
Tried both of the suggested tweaks here on my M2 (SSO within the profile definition and creating legacy versions) but Rider seems to just use the default profile regardless of my profile choice in the UI.