Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Lack of support for sso-session in .aws/config #28263

Closed
kurtismash opened this issue Dec 8, 2022 · 28 comments
Closed

[Bug]: Lack of support for sso-session in .aws/config #28263

kurtismash opened this issue Dec 8, 2022 · 28 comments
Assignees
Labels
authentication Pertains to authentication; to the provider itself of otherwise. bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. service/s3 Issues and PRs that pertain to the s3 service.

Comments

@kurtismash
Copy link

kurtismash commented Dec 8, 2022

Terraform Core Version

1.3.6

AWS Provider Version

4.45.0

Affected Resource(s)

No response

Expected Behavior

Terraform should work as normal using AWS credentials as defined in .aws/config.

Actual Behavior

Error: configuring Terraform AWS Provider: loading configuration: profile "profile" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

.aws/config

[profile profile]
sso_session = xxx
sso_account_id = xxx
sso_role_name = AdministratorAccess
region = eu-west-1

[sso-session session]
sso_start_url = https://xxx.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

Terraform

provider "aws" {
  region = "eu-west-1"
}

resource "aws_s3_bucket" "b" {
}

Steps to Reproduce

  1. Configure awscli using aws sso configure or manually create .aws/config to use an sso-session.
  2. terraform init
  3. AWS_PROFILE=profile terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

I believe this is an issue caused by the aws-sdk-go rather than this Terraform provider, however don't understand enough about go to know which version of the SDK is in use. aws/aws-sdk-go#4649 remains open whereas aws/aws-sdk-go-v2#1903 fixes this in the v2 SDK.

Would you like to implement a fix?

No

@kurtismash kurtismash added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Dec 8, 2022
@github-actions
Copy link

github-actions bot commented Dec 8, 2022

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/s3 Issues and PRs that pertain to the s3 service. label Dec 8, 2022
@DavidS-ovm
Copy link

This is still happening in v4.46.0, which has the update (b3dcf93) to the aws-sdk-go-v2 version (v1.17.2) that has the upstream fix.

@id-tari
Copy link

id-tari commented Dec 22, 2022

Any updates on this?
Still not working with v4.48

Weird, issues seems to be critical and fundamental.
Can't execute any terraform actions on my newly configured accounts that are managed by new AWS Identity Center

To mention a workaround:
You do not need to add: sso_region, sso_start_url
You just have to create a IAM User with appropriate permissions and programmatic access and add these credentials to .aws/credentials

[profile]
aws_access_key_id = xxxxx
aws_secret_access_key = yyyyyyyyyyyy

make sure that profile name matches in the both .aws/credentials and .aws/config.
Provider will work

@selfisch
Copy link

Any updates on this? Still not working with v4.48

Weird, issues seems to be critical and fundamental. Can't execute any terraform actions on my newly configured accounts that are managed by new AWS Identity Center

To mention a workaround: You do not need to add: sso_region, sso_start_url You just have to create a IAM User with appropriate permissions and programmatic access and add these credentials to .aws/credentials

[profile]
aws_access_key_id = xxxxx
aws_secret_access_key = yyyyyyyyyyyy

make sure that profile name matches in the both .aws/credentials and .aws/config. Provider will work

Or you can use the Command line or programmatic access from your role and copy that content to the credentials file. You can barely change the profile name to your needs and can use it as long, as the session is valid.
But this is all only a workaround, especially with an eye on the session getting invalid after the configured amount of time and one have to copy the temp credentials over again :-).

@e1senh0rn
Copy link

From what I can see in go.mod file, specified versions of affected dependencies do not contain SSO enhancements:

	github.com/aws/aws-sdk-go-v2/config v1.15.4 // indirect
	github.com/aws/aws-sdk-go-v2/credentials v1.12.0 // indirect

New SSO enhancements were added in versions v1.18.0 and v1.13.0 correspondingly.

@jaxxstorm
Copy link

You can work around this in two ways:

  • set the sso_start_url in each profile
  • grab temporary credentials from the profile using aws-sso-creds

@boyadzhievb
Copy link

boyadzhievb commented Jan 5, 2023

"set the sso_start_url in each profile" does't work for me

[profile Dev-715xxxxxxxxxxx2]
sso_session = bo-05-01-2023-1
sso_account_id = 715xxxxxxxxxxx2
sso_role_name = Dev
region = eu-west-2
output = json
sso_start_url = https://xxx.awsapps.com/start

[sso-session bo-05-01-2023-1]
sso_start_url = https://xxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Still get:
% terraform plan

│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

@tonyhhyip
Copy link

You need to both sso_start_url and sso_region for your profile.
And then run aws sso login --profile <profile name>

@jnimety
Copy link

jnimety commented Jan 5, 2023

@boyadzhievb I also had to remove the sso_session key/value from my profile.

documentation for "legacy" configuration here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-configure-profile-manual

@boyadzhievb
Copy link

NOthing helped:

first-resource % cat  ~/.aws/config
[profile DevOps-71xxxxxxxxx82]
sso_account_id = 71xxxxxxxx682
sso_role_name = DevOps
region = eu-west-2
output = json
sso_start_url = https://xxxxx.awsapps.com/start
sso_region = us-east-1

[sso-session bozhan-05-01-2023-1]
sso_start_url = https://xxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
 first-resource % aws sso login --profile DevOps-715xxxxxxxx82
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

FJHJ-FMHH
Successfully logged into Start URL: https://xxx.awsapps.com/start
 first-resource % terraform plan
╷
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws

@michidk
Copy link

michidk commented Jan 11, 2023

I can confirm the following works as a temporary fix:

  • remove the [sso-session ...] section
  • remove the sso_session parameter from the profile
  • add the sso_start_url and sso_region
  • add the region parameter if not already there

Working example:

[profile prod]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id = 999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1

[profile stage]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id =999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1

@pnjihia
Copy link

pnjihia commented Jan 19, 2023

What worked for me was this reddit post: https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/

In short:

  1. In your .aws/config file, delete the sso-session section (or sections if you had multiple)
  2. Delete the sso-session reference under the profile section
  3. Reconfigure sso: aws configure sso --profile <profile-name> # I usually go for default
  4. Here's the fix: Although recommended, do not give sso session name, leave it blank
  5. Finish the rest of the config, and terraform should start working

@justinretzolk justinretzolk added provider Pertains to the provider itself, rather than any interaction with AWS. authentication Pertains to authentication; to the provider itself of otherwise. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 23, 2023
@larryebaum
Copy link

Not finding any success with any of the workarounds posted here. Are others still having an issue with this? I've found if I run a aws cli command that references my profile, temp credentials will write to .aws/cli/cache/<file>.json that I could write to ENV_VARS to get operational, but its kludgy and multiplied by a volume of users, isn't great.

Anyone able to confirm/indicate if work is underway to solve?

@jparta
Copy link

jparta commented Jan 27, 2023

I was having the same problem, and including all information within the profile itself helped in my case as well.

Why are Terraform and AWS provider not able to use the session information? Using an sso-session to provide the region and start_url is the recommended way to set up sso: Configuring the AWS CLI to use AWS IAM Identity Center (successor to AWS Single Sign-On)

@selfisch
Copy link

Hey,
yeah with the solution @michidk suggested here, you can configure the awscli profiles the legacy way. Thats working so far, also with the aws provider. But who knows how long until sso-sessions will be enforced and the legacy way will be deprecated :-)

@tonyhhyip
Copy link

It is fixed at v4.54.0. However, if you use s3 backend, the legacy configuration is still required, the issue on Terraform is still open

@yermulnik
Copy link

It is fixed at v4.54.0

@tonyhhyip Out of curiosity: is there any exact PR we can refer to? I couldn't find anything relevant to AWS SSO in v4.54.0 release message 🤷🏻

@tonyhhyip
Copy link

@yermulnik It is fixed in bf5aed5, when the SDK version is upgraded to a version which support new format SSO. For supported version, please refers to #28263 (comment)

@patrickmarques-plutoflume

As pointed out here #28263 (comment) the provider is now fixed after dependency updates #29302

Would be great if we could also update the backend accordingly

@brettryan
Copy link

brettryan commented Apr 15, 2023

For those that are finding when you get a reference to $HOME/.aws/sso/cache/<id>.json not found, you must perform an AWS SSO login first.

aws sso login

I recommend to create multiple pairs of your profiles, one with the legacy non-refreshing token specifically for terraform, and use another for your normal operations. This will allow you to use the AWS CLI with the refreshing tokens and have the terraform backend explicitly select the legacy profile.

~/.aws/config

[profile primary]
region = <REGION>
output = json
sso_session = <SESSION_NAME>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>

# Required as terraform does not respect sso_session
[profile primary-legacy]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>
region = <REGION>
output = json

[sso-session <SESSION_NAME>]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_registration_scopes = sso:account:access

In your backend, configure your profile to be the legacy above.

profile = "primary-legacy"

And have your aws env set to the refresher token:

export AWS_PROFILE=primary

@jsimoni
Copy link

jsimoni commented May 10, 2023

For those that are finding when you get a reference to $HOME/.aws/sso/cache/<id>.json not found, you must perform an AWS SSO login first.

aws sso login

I recommend to create multiple pairs of your profiles, one with the legacy non-refreshing token specifically for terraform, and use another for your normal operations. This will allow you to use the AWS CLI with the refreshing tokens and have the terraform backend explicitly select the legacy profile.

~/.aws/config

[profile primary]
region = <REGION>
output = json
sso_session = <SESSION_NAME>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>

# Required as terraform does not respect sso_session
[profile primary-legacy]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>
region = <REGION>
output = json

[sso-session <SESSION_NAME>]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_registration_scopes = sso:account:access

In your backend, configure your profile to be the legacy above.

profile = "primary-legacy"

And have your aws env set to the refresher token:

export AWS_PROFILE=primary

I believe what @brettryan mentions will work as a workaround, but what is needed is the terraform-provider-aws to support refreshable authentication tokens and to refresh those tokens when they expire.

@et304383
Copy link

et304383 commented Jun 2, 2023

How is this not resolved yet? Isn't the GO SDK supposed to handle this automatically?

@gdavison gdavison self-assigned this Jun 23, 2023
@ewbankkit
Copy link
Contributor

AWS SDK for Go v1 PR: aws/aws-sdk-go#4885.

@jim-barber-he
Copy link

The support for sso-session for aws-sdk-go has been merged and is now in a release.
https://github.com/aws/aws-sdk-go/releases/tag/v1.44.298

@flokli
Copy link

flokli commented Jul 10, 2023

For posterity, this probably got fixed by the bump in #32426.

@kurtismash pls correct me if I'm wrong ;-)

Any chance for this to end up in a release soon?

@mbokman-e2open
Copy link

I was hoping this ended up in release 5.8.0 but upgrading to that version of the aws provider still gives:

$ terraform --version
Terraform v1.5.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.8.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/random v3.5.1
$ terraform init -reconfigure

Initializing the backend...
Initializing modules...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "<redacted>" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
│ 
│ 
╵

@paul-yolabs
Copy link

This still needs to make it into a terraform release. The S3 backend code doesn't use the AWS provider, it has a parallel S3 code path. The provider works, but if you use an S3 state backend you'll still have problems until they update the SDK there.

Having new SSO support in the v1 SDK will make that easier, though.

Keep an eye on hashicorp/terraform#32465 (there appears to be an open PR for this now)

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 17, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
authentication Pertains to authentication; to the provider itself of otherwise. bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. service/s3 Issues and PRs that pertain to the s3 service.
Projects
None yet
Development

No branches or pull requests