
Support AWS SSO authentication

Open J00MZ opened this issue 2 years ago • 2 comments

Description

Support authentication with AWS SSO

To Reproduce

Steps to reproduce the behavior:

  1. AWS credentials configured via aws sso configure
  2. Run command CG_DEBUG=5 cg scan aws
  3. Getting below error:
✔ accessKeyId: **************
✔ secretAccessKey: ******************************
⠏ SCANNING data for aws    InvalidClientTokenId: The security token included in the request is invalid.
    Code: InvalidClientTokenId

cg-debug.log

No valid credentials found for roleARN: arn:aws:sts::**********:assumed-role/****
AccessDenied: User: arn:aws:sts::**********:assumed-role/****
is not authorized to perform: sts:AssumeRole on resource: arn:aws:sts::**********:assumed-role/****
    at Request.extractError (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/opt/homebrew/Cellar/cg/0.21.4/libexec/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

Expected behavior

Login with SSO credentials succeeds

Environment

❯ cg --version
@cloudgraph/cli/0.21.4 darwin-x64 node-v16.0.0

J00MZ, May 22 '22 20:05

Hi @J00MZ, thanks for sending this over! We currently do not support SSO-based login for AWS, but it is on our roadmap to implement soon. In the meantime, you should be able to run CG using AWS creds located in your profile. I will keep you updated on when we implement the SSO authentication flow.

tyler-dunkel, May 23 '22 14:05

+1

jolo-dev, May 30 '22 07:05

Any update on this?

jebotz, Sep 25 '22 16:09

We have this on our backlog to implement. We should be able to get to it in October 🤞

tyler-dunkel, Sep 26 '22 17:09

@J00MZ you can work around this issue if you use aws sso get-role-credentials and provide the access-token that gets stored in your .aws directory.

https://aws.amazon.com/premiumsupport/knowledge-center/sso-temporary-credentials/

VictorCovalski, Jan 04 '23 14:01
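The workaround in the comment above, sketched as an added example (not code from this thread or from the CloudGraph project): it picks the unexpired access token that `aws sso login` caches under `~/.aws/sso/cache`, exchanges it with `aws sso get-role-credentials`, and prints a credentials-file profile. The script name `sso_profile.py` and the profile name `cg-sso` are assumptions made for illustration.

```python
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

CACHE_DIR = Path.home() / ".aws" / "sso" / "cache"  # written by `aws sso login`

def find_access_token(cache_dir=CACHE_DIR, now=None):
    """Return (accessToken, region) of the longest-lived unexpired cached SSO token."""
    now = now or datetime.now(timezone.utc)
    best = None
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            doc = json.loads(path.read_text())
            # expiresAt ends in "Z" or, in older cache files, "UTC"
            stamp = doc["expiresAt"].replace("UTC", "+00:00").replace("Z", "+00:00")
            expires = datetime.fromisoformat(stamp)
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            token, region = doc["accessToken"], doc["region"]
        except (ValueError, KeyError, TypeError, AttributeError, OSError):
            continue  # e.g. client-registration files, which carry no accessToken
        if expires > now and (best is None or expires > best[0]):
            best = (expires, token, region)
    if best is None:
        raise RuntimeError("no unexpired SSO token cached; run `aws sso login` first")
    return best[1], best[2]

def profile_stanza(cli_json, profile="cg-sso"):  # profile name is hypothetical
    """Turn `aws sso get-role-credentials` output into a credentials-file profile."""
    creds = json.loads(cli_json)["roleCredentials"]
    return "\n".join([
        f"[{profile}]",
        f"aws_access_key_id = {creds['accessKeyId']}",
        f"aws_secret_access_key = {creds['secretAccessKey']}",
        # Temporary keys are rejected without the session token, so it must be kept.
        f"aws_session_token = {creds['sessionToken']}",
    ])

def main(account_id, role_name):
    token, region = find_access_token()
    # Note: the token is passed as an argument and is visible in the process list.
    out = subprocess.run(
        ["aws", "sso", "get-role-credentials", "--account-id", account_id,
         "--role-name", role_name, "--access-token", token,
         "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    print(profile_stanza(out))

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: sso_profile.py ACCOUNT_ID ROLE_NAME")
    main(sys.argv[1], sys.argv[2])
```

The printed profile holds short-lived credentials, so it has to be regenerated once they expire; keep the credentials file readable only by its owner.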

@J00MZ this is now supported natively with the aws provider version 0.84.0. Please try it out and let me know if you see any issues!

tyler-dunkel, Jan 24 '23 20:01