[Bug]: Lack of support for sso-session in .aws/config #28263
This is still happening in v4.46.0, which has the update (b3dcf93) to the aws-sdk-go-v2 version (v1.17.2) that has the upstream fix.

Any updates on this? Weird, the issue seems to be critical and fundamental. To mention a workaround:

```ini
[profile]
aws_access_key_id = xxxxx
aws_secret_access_key = yyyyyyyyyyyy
```

make sure that
Or you can use the

From what I can see in
New SSO enhancements were added in versions v1.18.0 and v1.13.0 correspondingly.
You can work around this in two ways:

"set the sso_start_url in each profile" doesn't work for me.
Still get:

You need to both
@boyadzhievb I also had to remove the documentation for "legacy" configuration here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-configure-profile-manual

Nothing helped:
I can confirm the following works as a temporary fix. Working example:

```ini
[profile prod]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id = 999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1

[profile stage]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id = 999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1
```
What worked for me was this reddit post: https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/ In short:

Not finding any success with any of the workarounds posted here. Are others still having an issue with this? I've found if I run a
Anyone able to confirm/indicate if work is underway to solve?
I was having the same problem, and including all information within the profile itself helped in my case as well. Why are Terraform and the AWS provider not able to use the session information? Using an sso-session to provide the region and start_url is the recommended way to set up SSO: Configuring the AWS CLI to use AWS IAM Identity Center (successor to AWS Single Sign-On)

@tonyhhyip Out of curiosity: is there any exact PR we can refer to? I couldn't find anything relevant to AWS SSO in the v4.54.0 release message 🤷🏻
@yermulnik It is fixed in bf5aed5, when the SDK version is upgraded to a version which supports the new SSO format. For supported versions, please refer to #28263 (comment)

As pointed out here #28263 (comment), the provider is now fixed after dependency updates #29302. Would be great if we could also update the backend accordingly.
For those that are finding when you get a reference to `aws sso login`, I recommend creating multiple pairs of your profiles, one with the legacy non-refreshing token specifically for Terraform, and use another for your normal operations. This will allow you to use the AWS CLI with the refreshing tokens and have the Terraform backend explicitly select the legacy profile.

```ini
[profile primary]
region = <REGION>
output = json
sso_session = <SESSION_NAME>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>

# Required as terraform does not respect sso_session
[profile primary-legacy]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>
region = <REGION>
output = json

[sso-session <SESSION_NAME>]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_registration_scopes = sso:account:access
```

In your backend, configure your profile to be the legacy one above:

```hcl
profile = "primary-legacy"
```

And have your AWS env set to the refresher token:

```sh
export AWS_PROFILE=primary
```
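Added example, not code from this thread, from the AWS provider or from the AWS SDK: a small Python script that reads a shared config in the layout the comments above describe (the inline `[profile prod]` form and the `primary` / `primary-legacy` / `[sso-session]` pairing), flags profiles whose SSO settings live only in an `[sso-session]` block (the shape that a loader without sso-session support rejects with the "missing required configuration: sso_region, sso_start_url" error from this issue), and generates the legacy twin profile that the previous comment writes by hand. The sample config, the account id, the session name `corp` and the assumption that `sso_account_id` and `sso_role_name` are required alongside the two keys named in the error are all mine.

```python
"""Lint an AWS shared config for profiles that rely on [sso-session] and emit
an inline-key ("legacy") twin for each one. Stand-alone; no AWS calls."""
import configparser

# Keys the legacy SSO profile format needs inline. The error quoted in this
# issue names sso_region and sso_start_url; sso_account_id and sso_role_name
# are assumed here to be required as well.
LEGACY_SSO_KEYS = ("sso_region", "sso_start_url", "sso_account_id", "sso_role_name")

# Constructed sample config (fake account id and start URL), mirroring the
# primary / primary-legacy / sso-session layout from the thread.
SAMPLE_CONFIG = """\
[profile primary]
region = us-east-1
output = json
sso_session = corp
sso_account_id = 111111111111
sso_role_name = AWSAdministratorAccess

[profile primary-legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile plain]
region = eu-west-1

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""


def parse_aws_config(text):
    """Split a shared config into {profile_name: keys} and {session_name: keys}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles, sessions = {}, {}
    for section in parser.sections():
        if section == "default":
            profiles["default"] = dict(parser[section])
        elif section.startswith("profile "):
            profiles[section[len("profile "):]] = dict(parser[section])
        elif section.startswith("sso-session "):
            sessions[section[len("sso-session "):]] = dict(parser[section])
    return profiles, sessions


def missing_legacy_keys(profile):
    """Keys a legacy-only SSO loader would report as missing for this profile.
    Returns None when the profile does not use SSO at all."""
    if not any(key.startswith("sso_") for key in profile):
        return None
    return [key for key in LEGACY_SSO_KEYS if key not in profile]


def needs_legacy_twin(profiles):
    """Profiles whose SSO settings are only reachable through sso_session."""
    return [name for name, profile in profiles.items() if missing_legacy_keys(profile)]


def legacy_twin(name, profiles, sessions):
    """Build the inline-key equivalent of an sso_session profile: copy the
    profile, drop sso_session, and pull start URL and region from the session."""
    profile = profiles[name]
    session_name = profile.get("sso_session")
    if session_name is None:
        raise ValueError(f"profile {name!r} does not reference an sso-session")
    if session_name not in sessions:
        raise KeyError(f"profile {name!r} references unknown sso-session {session_name!r}")
    session = sessions[session_name]
    twin = {key: value for key, value in profile.items() if key != "sso_session"}
    for key in ("sso_start_url", "sso_region"):
        twin[key] = session[key]
    # sso_registration_scopes belongs to the session only; it is deliberately not copied.
    still_missing = [key for key in LEGACY_SSO_KEYS if key not in twin]
    if still_missing:
        raise ValueError(f"cannot build legacy twin for {name!r}: missing {still_missing}")
    return twin


def render_profile(name, values):
    """Render a profile section in shared-config syntax, SSO keys first."""
    ordered = [k for k in LEGACY_SSO_KEYS if k in values] + \
              [k for k in values if k not in LEGACY_SSO_KEYS]
    lines = [f"[profile {name}]"] + [f"{k} = {values[k]}" for k in ordered]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    profiles, sessions = parse_aws_config(SAMPLE_CONFIG)
    for name in needs_legacy_twin(profiles):
        print(f"# {name}: missing {missing_legacy_keys(profiles[name])}; legacy twin below")
        print(render_profile(f"{name}-legacy", legacy_twin(name, profiles, sessions)))
```

Two things worth keeping in mind when using the generated twin: the legacy profile keeps the same `sso_account_id` and `sso_role_name`, so Terraform ends up with exactly the same permissions as the interactive profile rather than a broader one; and because the twin is a plain copy of the session's `sso_start_url` and `sso_region`, it has to be regenerated if the session block changes, otherwise the two profiles silently drift apart.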
I believe what @brettryan mentions will work as a workaround, but what is needed is the terraform-provider-aws to support refreshable authentication tokens and to refresh those tokens when they expire.

How is this not resolved yet? Isn't the Go SDK supposed to handle this automatically?
AWS SDK for Go v1 PR: aws/aws-sdk-go#4885. |
The support for

For posterity, this probably got fixed by the bump in #32426. @kurtismash pls correct me if I'm wrong ;-) Any chance for this to end up in a release soon?

I was hoping this ended up in release 5.8.0 but upgrading to that version of the aws provider still gives:

This still needs to make it into a
Having new SSO support in the v1 SDK will make that easier, though. Keep an eye on hashicorp/terraform#32465 (there appears to be an open PR for this now)

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform Core Version
1.3.6
AWS Provider Version
4.45.0
Affected Resource(s)
No response
Expected Behavior
Terraform should work as normal using AWS credentials as defined in .aws/config.
Actual Behavior
Error: configuring Terraform AWS Provider: loading configuration: profile "profile" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
.aws/config
Terraform
Steps to Reproduce
1. `aws sso configure` or manually create .aws/config to use an sso-session.
2. `terraform init`
3. `AWS_PROFILE=profile terraform plan`
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
I believe this is an issue caused by the aws-sdk-go rather than this Terraform provider, however I don't understand enough about Go to know which version of the SDK is in use. aws/aws-sdk-go#4649 remains open whereas aws/aws-sdk-go-v2#1903 fixes this in the v2 SDK.
Would you like to implement a fix?
No