-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving docs to support configuration questions #97
Comments
Update since I was running this during a us-east-1 outage 😓
How does all that sound? Any red flags in my setup? If not, there are some areas I'd like to update in the docs :) |
Ok, let's see. Trying to do this after a long day at re:Inforce, so let me know if any of this makes sense. A "profile" is a set of configuration values for the CLI and SDKs, including credentials OR how to get credentials. The values are taken from The old style of profile configuration puts all four of these in each profile, and that's what Now, generally The docs detail how that search is performed, for example here: https://github.com/benkehoe/aws-sso-util/blob/master/docs/login.md#identity-center-instances So once you have something it can find (or provide it directly on the command line), it'll do its thing. You can do As I said, Now, when you're using the CLI or SDK, it has a search mechanism for finding credentials. That is documented here, but the point is it looks in lots of places. For this, we care about telling it to use one of the profiles we've configured. That can be done with the CLI with the When the CLI or SDK is given a profile name, it looks up the config for that profile, which (hopefully) tells it how to get credentials (or provides static creds in Now, as an aside, you can have a special profile named So overall I would recommend set up that looks something like this:
|
Yes please! Not that the current config doesn't work well (you basically helped eliminate a lot of gruntwork in "please write out these 40 profiles" for users, so thank you!), but the "new" way is a bit more elegant. Also, is it necessary to have credential_process here? This feels like somewhat of a tautology if one is using something like |
Glad I found this. The readme didn't suggest this command and it seems to have a problem for me. Maybe somebody can be kind enough to assist with making it work, however... I have 150 accounts and I attempted to run this using a clean (Ephemeral) Google cloud shell This command will let you edit the config file if needed
Shell results with personal info removed: jason@cloudshell:~$ pipx install aws-sso-util jason@cloudshell:~$ aws-sso-util configure populate https://device.sso.eu-west-1.amazonaws.com/ Then enter the code: WZMD-KMFD https://device.sso.eu-west-1.amazonaws.com/?user_code=WZMD-KMFD The problem seems to be related to https://github.com/benkehoe/aws-sso-util/blob/master/cli/src/aws_sso_util/populate_profiles.py Cloudshell can be connected to your local environment dev tools like this: https://cloud.google.com/shell/docs/using-cloud-shell-with-gcloud-cli Otherwise we can edit the python code in place by executing:
I'll come back to this if I can help further. |
@jwdinkel , try setting environment variables to make the SDK keep trying. Same error reported here: OP confirmed the solution was to set these before running export AWS_RETRY_MODE=standard
export AWS_MAX_ATTEMPTS=100 Just out of interest, if you can tell me, how many profiles do you expect to generate? As you point out the error seems to be more likely in bigger AWS estates. |
First timer with SSO here 👋🏽 After following this guide on configuring SSO, and then taking Ben's advice for setting up CLI access, I have the following simple questions and I'd be happy to PR the docs so that it can help others. Personally, I think some of my stumbling blocks stem from having to switch my mental model from thinking in accounts to thinking in roles/SSO.
A few of the questions are based off of this code snippet in the readme:
aws-sso-util configure profile [my-profile]
I get "No Identity Center instance found". If I update the config above and set thesso_account_id
to one of my org accounts, then I get acredential_process
key added. How do I get the CLI to prompt me to enter in values?aws-sso-util login
. Is this needed to provide temporary credentials--thus removing the need for an~/.aws/credentials
file?aws s3 ls
yields an "Unable to locate credentials. You can configure credentials by running "aws configure" error. Passing in the profile with--profile
gave me returned "An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access" (this user has the the powerUser role applied).Again, happy to update the docs to provide guidance for others as well!
The text was updated successfully, but these errors were encountered: