
`aws-sso list` and `aws-sso config-profile` hang forever

Opened by DaveQB • 8 comments

Output of aws-sso version:

AWS SSO CLI Version 1.17.0 -- Copyright 2021-2024 Aaron Turner
Homebrew (1.17.0) built at 2024-07-10T21:26:18Z

Describe the bug: `aws-sso config-profiles` and `aws-sso list` hang forever.

To Reproduce:

  1. aws-sso list -L trace or aws-sso config-profile -L trace

Note: You do not need to redact AWS AccountIDs from outputs or config. Per Amazon, "While account IDs, like any identifying information, should be used and shared carefully, they are not considered secret, sensitive, or confidential information."

Expected behavior: Either list of accounts or editing of my ~/.aws/config

Screenshots:

Desktop (please complete the following information):

  • OS: Ubuntu
  • Version: 24.04

Additional context:

INFO    open /home/david/.config/aws-sso/cache.json: no such file or directory
WARNING The specified item could not be found in the keyring
DEBUG   loading SSO using 10 retries and max 5sec backoff
TRACE   Authenticate(printurl, )
DEBUG   no CreateTokenResponse for token-response:customer1
TRACE   reauthenticate() for Default
TRACE   registerClient()
TRACE   Checking cache for RegisterClientData
TRACE   Registering new client with AWS SSO

I presume it should print a URL for me to use to setup my token.

Contents of ~/.aws-sso/config.yaml:

SSOConfig:
    customer1:
        SSORegion: eu-central-1
        StartUrl: https://customer1.awsapps.com/start
        AuthUrlAction: print
    customer2:
        SSORegion: eu-central-1
        StartUrl: https://customer2.awsapps.com/start
        AuthUrlAction: print
    customer3:
        SSORegion: eu-central-2
        StartUrl: https://customer3.awsapps.com/start
        AuthUrlAction: print
DefaultSSO: customer1
DefaultRegion: en-central-1
ConsoleDuration: 720
CacheRefresh: 168
Threads: 5
MaxBackoff: 5
MaxRetry: 10
AutoConfigCheck: true
UrlAction: print
ConfigProfilesUrlAction: open
LogLevel: error
HistoryLimit: 10
HistoryMinutes: 1440
ProfileFormat: "{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}"
AccountPrimaryTag:
    - AccountName
    - AccountAlias
    - Email
PromptColors:
    descriptionbgcolor: Turquoise
    descriptiontextcolor: Black
    inputbgcolor: DefaultColor
    inputtextcolor: DefaultColor
    prefixbackgroundcolor: DefaultColor
    prefixtextcolor: Blue
    previewsuggestionbgcolor: DefaultColor
    previewsuggestiontextcolor: Green
    scrollbarbgcolor: Cyan
    scrollbarthumbcolor: LightGrey
    selecteddescriptionbgcolor: DarkGray
    selecteddescriptiontextcolor: White
    selectedsuggestionbgcolor: DarkGray
    selectedsuggestiontextcolor: White
    suggestionbgcolor: Cyan
    suggestiontextcolor: White
ListFields:
    - AccountIdPad
    - AccountAlias
    - RoleName
    - Profile
    - Expires
FullTextSearch: true

DaveQB, Oct 20 '24 11:10

Mind trying the latest v2.0 beta available in the downloads section here on GitHub?

synfinatic, Oct 20 '24 16:10

Thank you. Sure thing. Looks like same result, unfortunately. It has been on that output for 35 minutes now.

> aws-sso version
AWS SSO CLI Version 2.0.0-beta4 -- Copyright 2021-2024 Aaron Turner
1031acd4a28533e7b662d2387579786c71f04ae4 (v2.0.0-beta4) built at 2024-09-30T02:15:15+0000

> aws-sso setup profiles -L trace
INFO  unable to open cache file error="open /home/david/.config/aws-sso/cache.json: no such file or directory"
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG refreshing SSO cache SSOname=customer1
ERROR AccessToken Unauthorized Error; refreshing error="operation error SSO: ListAccounts, https response error StatusCode: 401, RequestID: 6a90ef65-1a51-4ef0-ae80-256576257dcb, UnauthorizedException: Session token not found or invalid"
TRACE reauthenticate() storeKey=customer1
TRACE registerClient()
TRACE Checking cache for RegisterClientData
TRACE Registering new client with AWS SSO

It feels like it is trying to launch a browser 🤷🏻‍♂️, rather than print the URL. I am running this on a remote desktop over SSH, if that matters.

DaveQB, Oct 20 '24 23:10

Nope, not trying to launch a browser yet. My guess is your system can't talk to the AWS Identity Center OIDC endpoint when it makes the RegisterClient API call.

Made you a custom binary with additional trace log information which should help: aws-sso-2.0.0-beta5-linux-amd64.zip

That said, I do see a somewhat strange log, and assuming the above binary hangs at:

TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public

Please add the line to your config.yaml:

SecureStore: file

And try again. FWIW, it should only take a second or so to complete the API call and print the next line.

synfinatic, Oct 21 '24 00:10

Thanks for this. I'll try now.

Just a bit of background. My firewall doesn't block any outbound ports. This desktop is my work computer. Used 99.9% over SSH (mini computer, always on, low power). It is my hub for Terraform, Git and AWSCLI. I have been copying and pasting the env vars from the SSO page to access each customer's accounts, but in looking for a smarter system, perplexity.ai sent me to this project.

DaveQB, Oct 21 '24 01:10

Thanks so much for your time.

> ./aws-sso-2.0.0-beta5-linux-amd64 setup profiles -L trace
INFO  unable to open cache file error="open /home/david/.config/aws-sso/cache.json: no such file or directory"
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG refreshing SSO cache SSOname=customer1
ERROR AccessToken Unauthorized Error; refreshing error="operation error SSO: ListAccounts, https response error StatusCode: 401, RequestID: 0bfbcbe6-4cef-4d85-9002-00f1487cfed8, UnauthorizedException: Session token not found or invalid"
TRACE reauthenticate() storeKey=customer1
TRACE registerClient()
TRACE Checking cache for RegisterClientData storeKey=customer1
TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public
TRACE Registered new client with AWS SSO ClientId=ds6jQDXE5qspNsYFADlXwWV1LWNlbnRyYWwtMQ ClientSecretExpiresAt=1737250750
^C

> echo 'SecureStore: file' >>  ~/.config/aws-sso/config.yaml
> ./aws-sso-2.0.0-beta5-linux-amd64 setup profiles -L trace
INFO  unable to open cache file error="open /home/david/.config/aws-sso/cache.json: no such file or directory"
Select password:
Verify password:
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG refreshing SSO cache SSOname=customer1
ERROR AccessToken Unauthorized Error; refreshing error="operation error SSO: ListAccounts, https response error StatusCode: 401, RequestID: e59a3c2f-17da-4831-a352-d3691bb63e8f, UnauthorizedException: Session token not found or invalid"
TRACE reauthenticate() storeKey=customer1
TRACE registerClient()
TRACE Checking cache for RegisterClientData storeKey=customer1
TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public
TRACE Registered new client with AWS SSO ClientId=[REDACTED] ClientSecretExpiresAt=1737250769
TRACE <- reauthenticate()
TRACE startDeviceAuthorization() storeKey=customer1
DEBUG Created OIDC device code storeKey=customer1 expires=600

        Verify this code in your browser: [REDACTED]
TRACE <- reauthenticate()
TRACE getDeviceAuthInfo()
TRACE <- reauthenticate()
Please open the following URL in your browser:

https://device.sso.eu-central-1.amazonaws.com/?user_code=[REDACTED]

INFO  Waiting for SSO authentication...
TRACE createToken()

Oh!! Was SecureStore: file something I missed in the docs? It was. Sorry! I did find "getting started quickly" a little harder than expected.

SecureStore supports the following backends:

    file - Encrypted local files (OS agnostic and default on Linux)

It does have a sane default though. Odd I needed to set that to file to get progress 🤔

DaveQB, Oct 21 '24 01:10

Just checked with v1.17.0 and we have success there too. The issue was needing to set SecureStore: file even though that is the default.

WARNING The specified item could not be found in the keyring

It must have been trying to use a keyring of some sort 🤷🏻‍♂️

DaveQB, Oct 21 '24 01:10

Well, this is definitely a bug. Just to confirm, this is a native Ubuntu box and not running under Windows WSL?

synfinatic, Oct 21 '24 01:10

A bit of a relief that it wasn't an oversight by me that wasted your time 😃 Thanks for your fast responses.

Correct.

> uname -a
Linux kogan02 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug  2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

> cat /etc/debian_version
trixie/sid

DaveQB, Oct 21 '24 02:10

Sadly, I cannot replicate this issue at all. Even updated my Ubuntu system to 24.04.1 in an attempt to replicate. I'm using a very basic config:

SSOConfig:
    Default:
        SSORegion: us-east-2
        StartUrl: https://synfinatic.awsapps.com/start
ConsoleDuration: 720
CacheRefresh: 168
UrlAction: print
LogLevel: error
HistoryLimit: 10
HistoryMinutes: 1440
ProfileFormat: "{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}"
FullTextSearch: true

The most likely answer is something weird with your system and KeyRing, but without more info/ability to reproduce I'd only be randomly guessing. If you're still interested in debugging further, LMK, otherwise I'm going to close this.

synfinatic, Jan 27 '25 04:01

Thanks @synfinatic

I saw this update and have added a re-test on my end to my to-do list. Haven't completed that yet. Should be able to later this week.

Thanks!

DaveQB, Feb 03 '25 22:02

This issue is stale because it has been open for 14 days with no response from the reporter. It will be automatically closed in 14 days from this message.

github-actions[bot], Feb 18 '25 01:02

This issue was closed because it has been inactive for 28 days.

github-actions[bot], Mar 04 '25 02:03

Ahh ok. I had a look at this and what I ended up finding out was there were GUI dialogues waiting for user input on the computer I was using. I was using it over ssh but it had a GUI session logged in (gym computer to watch videos while working out) and so aws-sso opened up some GUI dialogues I was never aware of.

DaveQB, May 15 '25 04:05

That would explain it. On remote systems I suggest using print or printurl: https://synfinatic.github.io/aws-sso-cli/latest/config/#authurlaction-browser-urlaction-urlexeccommand

Depending on your use case and how fancy, ECS Server mode may also be useful (tbh, it was intended more for bastion host needs) https://synfinatic.github.io/aws-sso-cli/latest/ecs-server/

synfinatic, May 15 '25 16:05
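The two findings in this thread (the run only progressed once `SecureStore: file` was set explicitly, and the real blocker was a GUI dialog on another session of a host driven over SSH) can be turned into a quick triage script. The following is an added example, not code from aws-sso-cli or its author: `diagnose_trace` classifies where a `-L trace` run stalled from the shape of the trace lines posted above, and `check_config` pre-flights a config.yaml for a headless box. The log and config samples are constructed copies of what was posted in this issue, the function names are my own, and the reading "stalled in the secure store after RegisterClient returned" is inferred from the traces rather than from the tool's source.

```shell
#!/bin/sh
# Added example; not code from aws-sso-cli or its author. Two checks drawn
# from this thread: classify where an `aws-sso ... -L trace` run stalled,
# and pre-flight a config.yaml for a box that is only reached over SSH.
# Sample logs/configs below are constructed copies of the shapes posted above.
# The "stalled in the secure store" reading is inferred from the traces, not
# from the tool's source.

# diagnose_trace FILE -> AUTH_OK | NETWORK_OIDC | SECURE_STORE_BLOCKED | UNKNOWN
diagnose_trace() {
    f="$1"
    if grep -Fq 'Waiting for SSO authentication' "$f"; then
        echo AUTH_OK; return 0
    fi
    if grep -Fq 'Registering new client with AWS SSO' "$f" &&
       ! grep -Fq 'Registered new client with AWS SSO' "$f"; then
        # Last line is the outbound RegisterClient call: the AWS Identity
        # Center OIDC endpoint never answered (firewall, proxy, DNS).
        echo NETWORK_OIDC; return 0
    fi
    if grep -Fq 'Registered new client with AWS SSO' "$f" &&
       ! grep -Fq '<- reauthenticate()' "$f"; then
        # The API call returned but reauthenticate() never finished:
        # consistent with the secure-store backend blocking on a prompt
        # (here, a GUI keyring dialog on another session of the same host).
        echo SECURE_STORE_BLOCKED; return 0
    fi
    echo UNKNOWN
}

# check_config FILE OVER_SSH(0|1) -> one WARN line per finding
check_config() {
    f="$1"; ssh="$2"
    # Explicit backend: the thread only progressed once this was set.
    grep -Eq '^SecureStore:' "$f" ||
        echo "WARN: SecureStore not set; set 'SecureStore: file' on a headless box"
    # Over SSH, any *UrlAction that opens a browser stalls invisibly.
    if [ "$ssh" = 1 ]; then
        grep -E '^[[:space:]]*(UrlAction|ConfigProfilesUrlAction|AuthUrlAction):' "$f" |
        awk '$2 != "print" && $2 != "printurl" {print "WARN: " $1 " " $2 " over SSH; use print or printurl"}'
    fi
    # A DefaultRegion no SSO uses is usually a typo (e.g. en-central-1).
    def=$(awk '$1 == "DefaultRegion:" {print $2}' "$f")
    if [ -n "$def" ] && ! awk '$1 == "SSORegion:" {print $2}' "$f" | grep -Fqx "$def"; then
        echo "WARN: DefaultRegion '$def' matches no SSORegion; check for a typo"
    fi
}

# config_warning_count FILE OVER_SSH -> number of WARN lines
config_warning_count() { check_config "$1" "$2" | wc -l | tr -d ' '; }

D=$(mktemp -d)
# Stopped before RegisterClient returned (first v2 beta run above).
cat >"$D/stall_network.log" <<'EOF'
TRACE registerClient()
TRACE Checking cache for RegisterClientData
TRACE Registering new client with AWS SSO
EOF
# Client registered, then nothing until ^C (beta5 run before SecureStore: file).
cat >"$D/stall_store.log" <<'EOF'
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public
TRACE Registered new client with AWS SSO ClientId=REDACTED ClientSecretExpiresAt=1737250750
EOF
# Working run: device code issued, URL printed, polling for the token.
cat >"$D/ok.log" <<'EOF'
TRACE Registered new client with AWS SSO ClientId=REDACTED ClientSecretExpiresAt=1737250769
TRACE <- reauthenticate()
DEBUG Created OIDC device code storeKey=customer1 expires=600
Please open the following URL in your browser:
INFO  Waiting for SSO authentication...
EOF
# As reported (no SecureStore, browser action for config-profiles, region typo).
cat >"$D/reported.yaml" <<'EOF'
SSOConfig:
    customer1:
        SSORegion: eu-central-1
        StartUrl: https://customer1.awsapps.com/start
        AuthUrlAction: print
DefaultSSO: customer1
DefaultRegion: en-central-1
UrlAction: print
ConfigProfilesUrlAction: open
EOF
# Same config with the three findings addressed.
sed -e 's/^DefaultRegion: .*/DefaultRegion: eu-central-1/' \
    -e 's/^ConfigProfilesUrlAction: .*/ConfigProfilesUrlAction: print/' \
    "$D/reported.yaml" >"$D/fixed.yaml"
echo 'SecureStore: file' >>"$D/fixed.yaml"

for l in stall_network stall_store ok; do
    printf '%-14s %s\n' "$l" "$(diagnose_trace "$D/$l.log")"
done
check_config "$D/reported.yaml" 1
```

Run it as `sh triage.sh`; to use it on a real run, capture the trace with `aws-sso setup profiles -L trace 2>&1 | tee /tmp/aws-sso.trace` and call `diagnose_trace /tmp/aws-sso.trace`, and pass `1` to `check_config` whenever `SSH_CONNECTION` is set in your environment. A `NETWORK_OIDC` result points at the egress path to the Identity Center OIDC endpoint; `SECURE_STORE_BLOCKED` points at the secure-store backend, which on this box was a keyring dialog drawn on a GUI session nobody was looking at.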