helm-s3 icon indicating copy to clipboard operation
helm-s3 copied to clipboard

Published 20 hours ago verified publisher icon hypnoglow

cannot use with AWS SSO credentials

Open stevenolen opened this issue 3 years ago • 13 comments

It appears that v0.10.0 cannot be used with cli profiles that are aws sso-based.

➜  helm repo add my-charts s3://my-helm-charts/ --force-update
fetch from s3 uri=s3://lucid-helm-charts/index.yaml: fetch object from s3: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Error: looks like "s3://lucid-helm-charts/" is not a valid chart repository or cannot be reached: plugin "bin/helms3" exited with error

The underlying issue appears to be with the aws-sdk-go project only adding support for SSO-based credentials in 1.37.0, more details here.

It appears that the project has actually been upgraded to use aws-sdk-go > 1.37.0, but hasn't been released yet. Would it be possible to finish out the release that supports this dependency upgrade? The workarounds are brutal! 😄

Thanks!

stevenolen avatar Apr 12 '21 17:04 stevenolen

In the meantime you can install the dev version. Still better than the workarounds we proposed in #123

b4nst avatar Apr 13 '21 08:04 b4nst

ah ha! Apologies for missing #123 when I was inspecting for related issues!

I was able to get things working with the dev version, although I needed a slightly different set of steps:

helm plugin uninstall s3
HELM_S3_PLUGIN_NO_INSTALL_HOOK=true helm plugin install https://github.com/hypnoglow/helm-s3.git
cd /Users/<localuser>/Library/helm/plugins/helm-s3.git
make deps build-local
# at this point, I noticed this directory didn't have a `bin/` dir in it
# I looked in $GOPATH/src/github.com/hypnoglow/helm-s3/ and found it there
# (perhaps the hack/build.sh script doesn't work well with a real go env installed?)
# so I decided to just go back and symlink the plugin dir to this path
cd /Users/<localuser>/Library/helm/plugins/
rm -rf helm-s3.git
ln -sf $GOPATH/src/github.com/hypnoglow/helm-s3 helm-s3.git
# success!

Thanks for the pointer in the right direction, looking forward to a release here before we roll out SSO to the rest of my team!

stevenolen avatar Apr 13 '21 11:04 stevenolen

just started our kubernetes/helm journey and ran across this issue as well. are there plans for a release that corrects this issue?

MChaponis-OD avatar May 06 '21 19:05 MChaponis-OD

Is there any ETA for the next release?

mforutan avatar May 19 '21 05:05 mforutan

@hypnoglow is there any plan for a new release soon?

mforutan avatar May 19 '21 05:05 mforutan

i'm also waiting for this release.

brucex avatar Jun 10 '21 15:06 brucex

Looking forward to this release as well!

bilby91 avatar Jul 05 '21 14:07 bilby91

another vote for this one

samperman avatar Jul 27 '21 13:07 samperman

are there any future plans for releases for this project?

We just ran into this issue when integrating with helmfile, and would really appreciate a release with the patch mentioned above.

szelenka avatar Jul 27 '21 13:07 szelenka

For anyone else interested, I had to create a new downloader plugin for ourselves to cover the missing features in this plugin like this AWS SSO issue and AWS Region issue: https://github.com/mforutan/helm-s3-downloader

It depends on AWS CLI and only support bash but it is simple enough as a downloader only when you don't need any other features, and can be replicated for other environments. you should still use this plugin to maintain your repository though.

mforutan avatar Jul 28 '21 10:07 mforutan

ah ha! Apologies for missing #123 when I was inspecting for related issues!

I was able to get things working with the dev version, although I needed a slightly different set of steps:

helm plugin uninstall s3
HELM_S3_PLUGIN_NO_INSTALL_HOOK=true helm plugin install https://github.com/hypnoglow/helm-s3.git
cd /Users/<localuser>/Library/helm/plugins/helm-s3.git
make deps build-local
# at this point, I noticed this directory didn't have a `bin/` dir in it
# I looked in $GOPATH/src/github.com/hypnoglow/helm-s3/ and found it there
# (perhaps the hack/build.sh script doesn't work well with a real go env installed?)
# so I decided to just go back and symlink the plugin dir to this path
cd /Users/<localuser>/Library/helm/plugins/
rm -rf helm-s3.git
ln -sf $GOPATH/src/github.com/hypnoglow/helm-s3 helm-s3.git
# success!

Thanks for the pointer in the right direction, looking forward to a release here before we roll out SSO to the rest of my team!

I had to do this as well, minus the symlinking portion. there was a bin directory in my local compiled version.

For me, the steps were:

helm plugin uninstall s3
HELM_S3_PLUGIN_NO_INSTALL_HOOK=true helm plugin install https://github.com/hypnoglow/helm-s3.git
cd ~/Library/helm/plugins/helm-s3.git
make deps build-local

I had to update go to 1.15 or higher, that was the only other sticking point for me.

jforest avatar Aug 26 '21 15:08 jforest

ah ha! Apologies for missing #123 when I was inspecting for related issues!

I was able to get things working with the dev version, although I needed a slightly different set of steps:

helm plugin uninstall s3
HELM_S3_PLUGIN_NO_INSTALL_HOOK=true helm plugin install https://github.com/hypnoglow/helm-s3.git
cd /Users/<localuser>/Library/helm/plugins/helm-s3.git
make deps build-local
# at this point, I noticed this directory didn't have a `bin/` dir in it
# I looked in $GOPATH/src/github.com/hypnoglow/helm-s3/ and found it there
# (perhaps the hack/build.sh script doesn't work well with a real go env installed?)
# so I decided to just go back and symlink the plugin dir to this path
cd /Users/<localuser>/Library/helm/plugins/
rm -rf helm-s3.git
ln -sf $GOPATH/src/github.com/hypnoglow/helm-s3 helm-s3.git
# success!

Thanks for the pointer in the right direction, looking forward to a release here before we roll out SSO to the rest of my team!

Under Ubuntu I needed to follow the same procedure with different paths.

/Users/<localuser>/Library/helm/plugins/helm-s3.git

becomes

~/.local/share/helm/plugins/helm-s3.git

chronicc avatar Sep 08 '21 11:09 chronicc

workaround for now:

aws-vault exec <aws-profile-name> -- helm repo add <repo-name> s3://bucket-name

cheddarwhizzy avatar Oct 04 '21 20:10 cheddarwhizzy

Is this still an issue? I'm having it and I'm using SSO configurations inside .aws folder.

davidmir avatar Nov 07 '22 11:11 davidmir

Not working for with SSO configured:

helm repo add forrHelmRepoTest s3://namechanged/charts     
                                      
Error: fetch from s3 url=s3://namechanged/charts/index.yaml: fetch object from s3: SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open /Users/adityapednekar/.aws/sso/cache/03ae69f85a285e04949ac812c8499c653e37d339.json: no such file or directory
Error: looks like "s3://namechanged/charts" is not a valid chart repository or cannot be reached: plugin "bin/helm-s3 download" exited with error

Was able to get the same command working using the aws-vault workaround specified by @cheddarwhizzy (thanks).

adiospeds avatar Mar 29 '23 15:03 adiospeds

Using AWS SSO's "command line" button to quickly get export commands for env vars, the env vars work. That's the workaround I'm using. Surprised to see such an old issue not resolved yet though. We changed to AWS SSO and are considering moving off s3 for charts now.

JohnAtOlo avatar May 31 '23 19:05 JohnAtOlo

Thanks for reporting!

https://github.com/hypnoglow/helm-s3/pull/274 will fix the issue, I've tested it on my AWS account with SSO.

hypnoglow avatar Sep 13 '23 22:09 hypnoglow