Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

support sso-session #2272

Closed
jaxxstorm opened this issue Dec 16, 2022 · 9 comments
Closed

support sso-session #2272

jaxxstorm opened this issue Dec 16, 2022 · 9 comments
Assignees
Labels
kind/enhancement Improvements or new features resolution/fixed This issue was fixed

Comments

@jaxxstorm
Copy link
Contributor

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

AWS SSO now supports configuring an sso-session which can be used to derive profiles without repeating values. As an example:

[sso-session pulumi]
sso_region = us-west-2
sso_role_name = AdministratorAccess
sso_start_url = https://<URL>.awsapps.com/start

[profile pulumi-ce]
output = json
region = us-west-2
sso_session = pulumi
sso_account_id = <account-id>

However, the Pulumi CLI doesn't appear to honour these values

Diagnostics:
  aws:iam:OpenIdConnectProvider (github):
    error: unable to validate AWS credentials.
    Details: loading configuration: profile "pulumi-ce" is configured to use SSO but is missing required configuration: sso_region, sso_role_name, sso_start_url

    Make sure you have:

     	 • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
     	 • Configured your AWS credentials as per https://pulumi.io/install/aws.html
     	 You can also set these via cli using `aws configure`.
@jaxxstorm jaxxstorm added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Dec 16, 2022
@danielrbradley danielrbradley removed the needs-triage Needs attention from the triage team label Dec 19, 2022
@lukehoban lukehoban added the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label Dec 28, 2022
@lukehoban
Copy link
Contributor

This is tracked in hashicorp/terraform-provider-aws#28263 in the upstream provider.

@jaxxstorm
Copy link
Contributor Author

The easiest way to work around this is to grab temporary credentials from the SSO session. https://github.com/jaxxstorm/aws-sso-creds allows you to do this easily

@Fydon
Copy link

Fydon commented Apr 27, 2023

As a workaround I'm able to use aws configure sso --profile pulumi-accounta to set it up and aws sso login --profile pulumi-accounta thereafter, using profiles like below.

If you are using Pulumi to manage multiple accounts at once, create a profile for each account, specifying its account ID and then specify that account's profile in the provider. You will need to use aws sso login --profile for each profile, but that can be done via a script.

[pulumi-accounta]
output = json
region = your_default_region
sso_account_id = account_id_for_accounta
sso_region = your_default_region
sso_role_name = your_pulumi_role_name
sso_start_url = your_sso_start_url

@gunzy83
Copy link

gunzy83 commented Apr 27, 2023

We are already doing what @Fydon suggested but I am keen to use the new feature for SSO once Pulumi and some other tools support it.

@excavador
Copy link

I faced this issue

@Fydon
Copy link

Fydon commented Sep 18, 2023

The Terraform Provider AWS issue mentioned above has been resolved so I assume that it should be possible to resolve in Pulumi now as well. This has potentially been resolved in AWS Native provider already.

@Fydon
Copy link

Fydon commented Oct 18, 2023

I think that this is now working with the configuration below. If you have multiple AWS accounts, you still need a profile for each account. However you only need to login once to the sso-session when everything is configured: aws sso login --sso-session pulumi

[sso-session pulumi]
sso_start_url = https://<url>.awsapps.com/start
sso_region = <region>
sso_registration_scopes = sso:account:access

[profile pulumi-ce]
output = json
region = <region>
sso_account_id = <account-id>
sso_session = pulumi
sso_role_name = <role>
sso_region = <region>

@spock-abadai
Copy link

I can confirm that this seems to be working now.

@mikhailshilkov mikhailshilkov added resolution/fixed This issue was fixed and removed awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). labels Nov 6, 2023
@mikhailshilkov mikhailshilkov self-assigned this Nov 6, 2023
@mikhailshilkov
Copy link
Member

Indeed, this should have shipped in 6.0 of the provider, so it's great to hear folks are finding success with it. Marking as resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/enhancement Improvements or new features resolution/fixed This issue was fixed
Projects
None yet
Development

No branches or pull requests

8 participants