Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to launch stack using AWS CLI v2 and SSO #904

Closed
tblakers opened this issue May 19, 2020 · 2 comments
Closed

Unable to launch stack using AWS CLI v2 and SSO #904

tblakers opened this issue May 19, 2020 · 2 comments
Labels
state: wont fix type: question

Comments

@tblakers
Copy link

tblakers commented May 19, 2020
edited
Loading

Apologies if I'm missing something obvious here.

I use aws configure sso to obtain temporary credentials that allow me to assume a role in an account. The output of that is a temporary profile which I can use with the AWS CLI.

e.g. aws --profile AWSAdministratorAccess-123123123123 s3 ls

When I put this into the profile property in the config.yaml, I get this error:

[2020-05-19 14:38:39] - No cloudformation client found, creating one...
[2020-05-19 14:38:39] - Getting Boto3 session
[2020-05-19 14:38:39] - No Boto3 session found, creating one...
[2020-05-19 14:38:39] - Using cli credentials...
"Session credentials were not found. Profile: AWSAdministratorAccess-123123123123. Region: ap-southeast-2."

Adding the arn of the role I assumed via SSO to the role_arn property doesn't seem to help. I have ensured AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN are unset.

Looking at the source code:

                self.logger.debug("No Boto3 session found, creating one...")
                self.logger.debug("Using cli credentials...")

                # Credentials from env take priority over profile
                config = {
                    "profile_name": profile,
                    "region_name": region,
                    "aws_access_key_id": environ.get("AWS_ACCESS_KEY_ID"),
                    "aws_secret_access_key": environ.get("AWS_SECRET_ACCESS_KEY"),
                    "aws_session_token": environ.get("AWS_SESSION_TOKEN")
                }

                session = boto3.session.Session(**config)
                self._boto_sessions[key] = session

                if session.get_credentials() is None:
                    raise InvalidAWSCredentialsError(
                        "Session credentials were not found. Profile: {0}. Region: {1}.".format(
                            config["profile_name"], config["region_name"]
                        )
                    )

Seems that Boto3 isn't returning anything, and I notice the version sceptre uses is 1.X. Am I correct in understanding that this won't be supported by Sceptre until Boto add support? e.g. boto/boto3#2091 ?
@zaro0508
Copy link
Contributor

zaro0508 commented Jun 6, 2020

I believe you are correct @tblakers, sceptre uses boto3 and boto3 does not support SSO profiles. There does seem to be a workaround that should work with sceptre in the issue you referenced

@ngfgrant
Copy link
Contributor

ngfgrant commented Oct 3, 2020

Hey @tblakers thanks for raising the issue. Yeh we won't support this until Boto support it. Closing for now as there is little we can do!

@ngfgrant ngfgrant closed this as completed Oct 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
state: wont fix type: question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zaro0508 @tblakers @ngfgrant