Terragrunt does not support AWS SSO with automatic token refresh #2442
Comments
Hi, Additionally, can be attempted to use aws-vault to provide all required profile settings, but this approach will work only with one profile for entire execution |
|
Any info on this?
and when I try to run terragrunt plan I get
|
I'm facing the same issue running terragrunt version v0.38.4, however I quickly discovered that manually updating ~/.aws/config to use the legacy format will work as expected. Personally I always manually updated ~/.aws/config anyway, as opposed to using the aws configure sso wizard. That said we need to see this solved...
|
I've used the latest 0.45.2 (at the time of writing this) in an ARM64 MacBook and got the same error, but I got it running after cloning the repository and I hope this helps someone
$ terragrunt init
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
- private_subnets in modules/aws-private-subnets
- public_subnets in modules/aws-public-subnets
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v4.62.0...
- Installed hashicorp/aws v4.62.0 (signed by HashiCorp)
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary. |
Does somebody know, if Terragrunt or Terraform is doing the sso stuff? Because there are similar issues in the AWS provider repository and the Terraform repository. Maybe it will be solved automatically, when both are closed. Pretty shitty situation because a lot of stuff is broken since the sso configuration change. |
Terragrunt is a wrapper over terraform so there is a chance that this will be solved when those issues are fixed |
I'm getting a similar error as @lkoniecz and it seems to be a terragrunt issue, it works just fine with terraform. Also, the terragrunt seems to require two (duplicated) parameters, the When I try to run (
So, what I did was to run the AWS CLI commands to (re)configure the local stuff
aws configure sso --profile <my_profile> --region eu-west-1
aws sso login --profile <my_profile> --region eu-west-1 --sso-session <my_sso_session>
Then I checked which files I had under the
ln -s /home/<my_user>/.aws/sso/cache/<hash002>.json /home/<my_user>/.aws/sso/cache/<hash001>.json
Then I tried to rerun terragrunt and got a different error which points to a third file (
So, to so this I create another symbolic link from
ln -s /home/<my_user>/.aws/sso/cache/<hash002>.json /home/<my_user>/.aws/sso/cache/<hash003>.json
Now everything works just fine, but I'm not sure if these This is what I've under my
|
The same issue is mentioned in But as discussed in those issues, there is a workaround. Step by step to make it work (I will use as session name: my-session and as profile name: my-profile):
The above command adds the following sections to
Let's check SSO in
Then try to check SSO in
get:
don't worry, we're not done yet 🙂
Add
Let's try to check SSO in
get:
Finally it works 🎉 . If SSO works in |
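Added illustration, not part of the thread or of Terragrunt's code: a short Python check that tells apart the two `~/.aws/config` layouts discussed above, the legacy one with `sso_start_url` in the profile and the one that points at an `[sso-session]` section, and flags a profile whose session section is missing. The sample config is constructed (placeholder URL and account id), and the cache-file naming (SHA-1 of the start URL, or of the session name) is an assumption about how the AWS CLI keys files in `~/.aws/sso/cache`.

```python
import configparser
import hashlib

# Constructed sample of ~/.aws/config; URL, account id and role are placeholders.
SAMPLE_CONFIG = """
[profile legacy-profile]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = ReadOnly

[profile my-profile]
sso_session = my-session
sso_account_id = 111111111111
sso_role_name = ReadOnly

[sso-session my-session]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1

[profile broken]
sso_session = missing-session
"""

def cache_file(key):
    # Assumption: the token cache file is named after the SHA-1 hex digest of the key.
    return hashlib.sha1(key.encode("utf-8")).hexdigest() + ".json"

def classify_profiles(config_text):
    """Map each profile name to (format, expected cache file name or None)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("profile "):
            continue  # skip [sso-session ...] and other non-profile sections
        name = section[len("profile "):]
        opts = cp[section]
        if "sso_session" in opts:
            session = opts["sso_session"]
            if cp.has_section("sso-session " + session):
                report[name] = ("sso-session", cache_file(session))
            else:
                report[name] = ("dangling-sso-session", None)
        elif "sso_start_url" in opts:
            report[name] = ("legacy", cache_file(opts["sso_start_url"]))
        else:
            report[name] = ("no-sso", None)
    return report
```

Under that assumption the two layouts look for different cache file names even with the same start URL, which is consistent with the mismatched files the symlink workaround papers over.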
@levkoburburas will terraform/terragrunt automatically refresh the authentication tokens when they expire? For reference: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html |
@jsimoni if you mean |
This should be reopened. The issue in terraform is now fixed in For me that means there is a problem in the terragrunt auth mechanism with AWS in the bit of code that makes sure the backend resources are created.
The workaround still works by moving |
Still an issue with
But when I drop into the cache directory, all works fine with
At first I thought it might be the outdated winget terragrunt package,
I now suspect it's something inside of terragrunt/aws_helper/config.go Lines 78 to 83 in b8cf75f
Removing my |
Please see my message.... The issue is still in terragrunt with the automatic creation of backend S3 store and DynamoDB lock table. |
Hi @lebenitza, Ah you are right, |
That issue was closed 14 hours ago and its focus was in no way SSO syntax support, which was a problem hidden by the fact terraform did not support it until 1.6.0 either, making everyone believe there is nothing else to do in terragrunt code for that specific area. Thank you @levkohimins . Let me know if I can help further. |
Resolved in v0.53.1 release. |
Just want to note it's working for me. |
My pleasure, @WesselAtWork |
Is this fully fixed for DRY args? The following does not work:
The following does work:
This seems like a bug. |
~/.aws/config
Remote state config