Terraform S3 backend with AWS SSO profile fails again #32684
I am using the latest version of aws cli 2:

```
$ terraform version
Terraform v1.3.8
on linux_amd64
$ aws --version
aws-cli/2.9.23 Python/3.11.2 Linux/5.4.0-139-generic source/x86_64.ubuntu.20 prompt/off
```
When I do `aws configure sso`:

```
SSO session name (Recommended): xxxx
SSO start URL [None]: https://xxxxxx.awsapps.com/start
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.eu-west-1.amazonaws.com/
Then enter the code:
LV....
The only AWS account available to you is: 34176412xxxx
Using the account ID 34176412xxxx
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [None]: us-east-1
CLI default output format [None]: json
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile AdministratorAccess-34176412xxxx
```
it outputs an aws config file like:

```
[profile AdministratorAccess-34176412XXX]
sso_session = test
sso_account_id = 34176412XXXX
sso_role_name = AdministratorAccess
region = us-east-1
output = json
sso_start_url = https://xxxxx.awsapps.com/start
sso_region = eu-west-1
[sso-session xxx]
sso_start_url = https://xxxxx.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
```

aws cli2 works fine:

```
export AWS_PROFILE=AdministratorAccess-34176412XXXX
export AWS_DEFAULT_REGION=us-east-1
aws s3 ls
....
produces output
....
```

aws sts get-caller-identity (it also works)
```
aws sts get-caller-identity --no-cli-pager
{
    "UserId": "AROAU7EV2UMVEXYYYYYY:user@domain.com",
    "Account": "34176412XXX",
    "Arn": "arn:aws:sts::34176412XXX:assumed-role/AWSReservedSSO_AdministratorAccess_b6d5d75deb6254bb/user@domain.com"
}
```

But terraform outputs:

```
terraform init -backend-config=backend_config/sbox.conf
Initializing modules...
Initializing the backend...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "AdministratorAccess-34176412xxx" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
│
│
╵
```
Also did what was working before:

```
$ AWS_DEFAULT_PROFILE=AdministratorAccess-34176412xxxx terraform init -backend-config=backend_config/sbox.conf
Initializing modules...
Initializing the backend...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "AdministratorAccess-34176412xxxx" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
│
│
╵
$ AWS_PROFILE=AdministratorAccess-34176412xxxx terraform init -backend-config=backend_config/sbox.conf
Initializing modules...
Initializing the backend...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "AdministratorAccess-34176412xxxx" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
│
│
```
relates to #32465 the s3 backend doesn't support sso session :(
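Added example, not part of the original thread or of Terraform's own code: a pre-flight check that parses AWS config text and lists the profiles that reference an `sso_session`, the form the comment above says the S3 backend does not support. The function name, the finding strings and the sample config (constructed, with placeholder values) are assumptions; the check for an undefined `[sso-session …]` section is a general sanity check that goes beyond what the thread reports.

```python
import configparser

# Constructed sample modelled on the redacted config in the issue (placeholder values).
SAMPLE_CONFIG = """\
[profile AdministratorAccess-EXAMPLE]
sso_session = test
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1

[profile legacy-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess

[sso-session other]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
"""

SESSION_PREFIX = "sso-session "
PROFILE_PREFIX = "profile "


def audit_sso_profiles(config_text):
    """Return {profile_name: [findings]} for profiles that set sso_session."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    parser.read_string(config_text)
    sessions = {s[len(SESSION_PREFIX):].strip()
                for s in parser.sections() if s.startswith(SESSION_PREFIX)}
    report = {}
    for section in parser.sections():
        if section == "default":
            name = "default"
        elif section.startswith(PROFILE_PREFIX):
            name = section[len(PROFILE_PREFIX):].strip()
        else:
            continue  # sso-session and other non-profile sections
        session = parser[section].get("sso_session")
        if session is None:
            continue  # profile does not use the sso-session form
        findings = ["uses sso_session (reported in this thread as unsupported by the S3 backend)"]
        if session not in sessions:
            findings.append(f"references undefined [sso-session {session}]")
        report[name] = findings
    return report


if __name__ == "__main__":
    for profile, findings in audit_sso_profiles(SAMPLE_CONFIG).items():
        print(profile, "->", "; ".join(findings))
```

To check a real setup, pass the contents of `~/.aws/config` to `audit_sso_profiles` before running `terraform init`.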
Duplicate of #28263 so will close this issue. Also workaround defined on hashicorp/terraform-provider-aws#28263 (comment)
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Originally posted by @github-actions[bot] in #28872 (comment)