
AWSCLIv2 SSO Profiles don't appear to work with awsume

Open smacintyre opened this issue 5 years ago • 13 comments

Old v1 IAM profiles stored in ~/.aws/credentials work fine. However, while the v2 SSO profiles show up in the list command, when I try to run awsume on a v2 SSO profile, I get the following error:

❯ awsume -l
Listing...

========================AWS Profiles========================
PROFILE      TYPE  SOURCE  MFA?  REGION          ACCOUNT
default      User  None    No    ap-southeast-1  Unavailable
devops       User  None    No    ap-southeast-1  Unavailable
self         User  None    No    ap-southeast-1  Unavailable
[...]

❯ aws sso login --profile self
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.ap-southeast-1.amazonaws.com/

Then enter the code:

REDACTED
Successully logged into Start URL: https://REDACTED.awsapps.com/start

❯ awsume self
Awsume error: Invalid profile [self] Missing keys aws_access_key_id, aws_secret_access_key, or credential_source

Here is my ~/.aws/config file:

[profile self]
sso_start_url = https://REDACTED.awsapps.com/start
sso_region = ap-southeast-1
sso_account_id = REDACTED
sso_role_name = PowerUserAccess

region = ap-southeast-1
output = yaml

Am I doing something wrong, or are CLIv2 profiles not supported? Thank you!

smacintyre, May 16 '20 11:05

AWS SSO profiles are not yet supported, but we are investigating the best way to add support.

mbarneyjr, Jun 08 '20 13:06

AWS SSO profiles are indirectly supported through the recent support for the credential_process property on profiles. If you utilize this tool, awsume will be able to pull the credentials from that credential_process. We are still looking into implementing this natively though.

Support for the credential_process property can be found in pre-release 4.5.0a1. I'll release that as 4.5.0 once I'm confident that this and a few other fixes implemented aren't broken. If you experience any issues with the pre-release please update this issue or open a new one, thanks!

mbarneyjr, Aug 21 '20 02:08

@mbarneyjr thank you for adding support for this, this has really helped us :) and it has been working great with the 4.5.0a4 version. Do you know when a new release will be available? This would make it easier to roll out the new version when it is available in brew directly.

smelchior, Oct 19 '20 08:10

4.5.0 has been released, sorry for the delay!

We're still deciding between supporting AWS SSO natively or recommending the use of the tool described above to work with awsume for AWS SSO support, so for the time being I'll leave this issue open.

mbarneyjr, Nov 20 '20 13:11

In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give our open-source project a try: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and account/role retrieval, then creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools/SDKs.

urz9999, Jan 14 '21 10:01

Hi @mbarneyjr,

We developed an internal python script to do what awsume does, but for AWS SSO Profiles.

What we basically do is run the following with an existing SSO profile, and append the result to a credentials file we later add to the env, like awsume does:

import subprocess

# profile_name, sso_role_name, sso_account_id and sso_region come from the
# SSO profile in ~/.aws/config; sso_access_token is the token cached by
# `aws sso login`. The CLI prints the role credentials as JSON on stdout.
new_sso_role_creds = subprocess.run(
    [
        "aws",
        "sso",
        "get-role-credentials",
        "--profile",
        profile_name,
        "--role-name",
        sso_role_name,
        "--account-id",
        sso_account_id,
        "--access-token",
        sso_access_token,
        "--region",
        sso_region,
    ],
    stderr=subprocess.PIPE,
    stdout=subprocess.PIPE,
)

How hard is it to implement something like this in the existing awsume codebase or as a plugin?

I find the idea of using another tool for that not so nice, and would be willing to implement this.

Thanks!

eduardohki, Apr 15 '21 08:04
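The flow eduardohki describes, written out as an added example (not awsume's code and not the poster's script): read the sso_* keys of a profile from ~/.aws/config, build the `aws sso get-role-credentials` argv, and turn its JSON output into a credentials-file section. The config, the account id and the CLI response below are constructed; the code refuses a non-SSO profile (the situation behind the "Missing keys" error in the issue) and expired role credentials.

```python
import configparser
import json
from datetime import datetime, timezone

# Constructed ~/.aws/config: the issue's SSO profile plus a v1-style profile with no sso_* keys.
SAMPLE_CONFIG = """
[profile self]
sso_start_url = https://REDACTED.awsapps.com/start
sso_region = ap-southeast-1
sso_account_id = 123456789012
sso_role_name = PowerUserAccess

[profile devops]
region = ap-southeast-1
"""
# Constructed `aws sso get-role-credentials` output; expiration is epoch milliseconds.
SAMPLE_RESPONSE = json.dumps({"roleCredentials": {
    "accessKeyId": "ASIAEXAMPLEKEY", "secretAccessKey": "example-secret",
    "sessionToken": "example-token", "expiration": 4102444800000}})
SAMPLE_EXPIRED = SAMPLE_RESPONSE.replace("4102444800000", "0")

def load_sso_profile(config_text, name):
    """Return the sso_* keys of [profile <name>]; reject profiles that lack them."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = cp[f"profile {name}"]
    keys = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
    missing = [k for k in keys if k not in section]
    if missing:
        raise ValueError(f"[{name}] is not an SSO profile, missing {missing}")
    return {k: section[k] for k in keys}

def role_credentials_argv(profile_name, sso, access_token):
    """argv of the CLI call the thread's script makes (nothing is executed here)."""
    return ["aws", "sso", "get-role-credentials", "--profile", profile_name,
            "--role-name", sso["sso_role_name"], "--account-id", sso["sso_account_id"],
            "--access-token", access_token, "--region", sso["sso_region"], "--output", "json"]

def credentials_section(profile_name, response_json, now=None):
    """Render the CLI's JSON as a credentials-file section; refuse expired credentials."""
    creds = json.loads(response_json)["roleCredentials"]
    expires = datetime.fromtimestamp(creds["expiration"] / 1000, tz=timezone.utc)
    if expires <= (now or datetime.now(timezone.utc)):
        raise RuntimeError(f"credentials for [{profile_name}] expired at {expires}")
    return (f"[{profile_name}]\naws_access_key_id = {creds['accessKeyId']}\n"
            f"aws_secret_access_key = {creds['secretAccessKey']}\n"
            f"aws_session_token = {creds['sessionToken']}\n")
```

Feed the argv to subprocess.run and pass its stdout to credentials_section; the returned text is what gets appended to the temporary credentials file.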

Any updates on this?

tairosonloa, Aug 09 '22 11:08

Any update on this?

tchiaspko, Dec 16 '22 19:12

Updates?

francosalcedo, Feb 22 '23 01:02

It works for me after adding this line to each profile: credential_process = aws-sso-credential-process --profile sso-profile-name

You can get aws-sso-credential-process from https://github.com/benkehoe/aws-sso-credential-process

tchiaspko, Feb 22 '23 01:02

@francosalcedo @tchiaspko I have eventually moved on from awsume to https://granted.dev/, which is a much better solution at this point.

eduardohki, Feb 22 '23 08:02

Just to add my 2c, we have been using aws-sso-util (https://pypi.org/project/aws-sso-util/) together with awsume quite successfully. It works well both programmatically and from the command line.

aws-sso-util has many utilities to auto-populate your profiles, etc.

mgmarino, Feb 22 '23 08:02

Note: this issue should be considered a feature request for native support of SSO, as opposed to the indirect support via the credential_process property mentioned above by mbarneyjr.

mtskillman, Sep 05 '23 21:09