
AWS SSO support?

Open ssypi opened this issue 3 years ago • 7 comments

Is there any way to support using AWS SSO credentials instead of the normal aws access keys? I just tried the basic template app and got an error.

Edit: nvm I guess it's a CDK problem too, don't think it supports SSO either yet. Though there might be a way for SST to get temporary credentials and use them, but it might be out of scope and there are probably some scripts for that already.

─$ sst start                                                                                                                                       1 ↵

=======================
 Deploying debug stack
=======================

Deploying stacks
Error: connect EHOSTUNREACH 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1138:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: -113,
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2021-04-15T18:45:45.161Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: -113,
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2021-04-15T18:45:45.161Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: -113,
      code: 'EHOSTUNREACH',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2021-04-15T18:45:45.161Z,
      originalError: [Object]
    }
  }
}

 ❌  dev-test-stack-debug-stack failed: CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

ssypi avatar Apr 15 '21 18:04 ssypi

Hey @ssypi, with AWS SSO:

  • what's ur local AWS credential setup? ie. what does ur ~/.aws/credentials look like?
  • how do you configure AWS CLI to work with AWS SSO? Maybe we can do something similar there.

I know some ppl use aws-vault with SST to simplify the IAM user/role management. I'm not sure if that supports SSO.

fwang avatar Apr 15 '21 21:04 fwang

@fwang Hi, sorry for the delay. The SSO flow does not use the ~/.aws/credentials file, so it does not exist at all after doing "aws sso login" with the CLI. Version 2 of the CLI supports these SSO profiles. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Here's a relevant issue from AWS SDK js v3 which has added support for SSO somewhat recently. There is also discussion about different workarounds. https://github.com/aws/aws-sdk-js-v3/issues/1158

ssypi avatar May 03 '21 07:05 ssypi
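
Added example (not part of the thread and not SST or CDK code): a small Node.js check that reads shared config text and reports whether a profile is SSO-based, which is the case where a tool without SSO support finds no keys to load and falls through to the EC2 metadata address seen in the trace above. The sample config, profile names and the `classifyProfile` helper are constructed for illustration.

```javascript
// Added example: constructed ~/.aws/config content, not taken from the thread.
const SAMPLE_CONFIG = `
[default]
region = us-east-1

[profile dev-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111122223333
sso_role_name = Developer

[profile broken-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[profile legacy]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET
`;
const SSO_KEYS = ["sso_start_url", "sso_region", "sso_account_id", "sso_role_name"];

// Parse [default] / [profile name] sections of the shared config format.
function parseAwsConfig(text) {
  const profiles = Object.create(null);
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1].trim()] = Object.create(null); continue; }
    const eq = line.indexOf("=");
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Report where a profile's credentials come from and which SSO settings are absent.
function classifyProfile(configText, name) {
  const p = parseAwsConfig(configText)[name];
  if (!p) return { kind: "missing", missing: [] };
  if (p.aws_access_key_id && p.aws_secret_access_key) return { kind: "static-keys", missing: [] };
  const required = p.sso_session ? ["sso_account_id", "sso_role_name"] : SSO_KEYS;
  if (p.sso_session || SSO_KEYS.some((k) => k in p)) {
    // No long-lived keys on disk: a tool without SSO support finds nothing to load here.
    return { kind: "sso", missing: required.filter((k) => !(k in p)) };
  }
  return { kind: "no-credentials", missing: [] };
}

console.log(["default", "dev-sso", "broken-sso", "legacy"].map((n) => [n, classifyProfile(SAMPLE_CONFIG, n)]));
```
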

Thanks for the details @ssypi. Let me take a look at the doc and the discussion.

fwang avatar May 04 '21 05:05 fwang

Thanks again for looking into the issue @ssypi!

Yeah, CDK currently doesn't support SSO as it's using aws-sdk v2. It seems to be a highly requested feature for CDK, and there are a few workarounds I saw ppl are using in the thread - https://github.com/aws/aws-cdk/issues/5455

Let's keep an eye on the CDK issue for now.

fwang avatar May 05 '21 19:05 fwang

Leaving a note here that Kujtim got it working by following this - https://github.com/aws/aws-cdk/issues/5455#issuecomment-713643500

Slack thread

fwang avatar Sep 02 '21 20:09 fwang

I see that you closed the issue, but it still seems you guys do not support it, right?

rossirpaulo avatar Mar 22 '24 18:03 rossirpaulo

SSO is how we use SST internally https://docs.sst.dev/setting-up-aws#configure-sst

jayair avatar Mar 23 '24 00:03 jayair