-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v2] credentials supplied by aws sso login do not conform to AWS standards #4982
Comments
For my own purposes, I am working around this issue by extracting the data from the JSON object and dumping it into the
I hope this helps others until a fix is ready! |
Hi @dayer4b ,
this kind of call works for you, but when running through another sdk, it is not recognizing the credentials. Am I understanding correctly? |
@KaibaLopez that is the current best solutions I think we agree. Those STS creds are valid only for an hour so you have to generate those quite often. This is not a good solutions. SSO does not always create new cache json files so you actually need to clear cache folder beforehand to be sure that the newest file is created by AWS cli. |
I think I'm missing something here, but this is not really a problem on the CLI, unless it is not working for you for cli actions either it'd be a problem with how you're getting credentials on the other sdks. You're right that you shouldn't need to move them manually, but each sdk has it's own way of retrieving credentials when it comes to sso logins, make sure that you're doing it correctly, it might need extra configuration. Also, not sure if this was part of the problem but sso is meant to be temporary so not sure I can offer you a solution there. |
I think you are correct in away. I think that it would be nice that cli would provide supported way for SSO STS creds like you can get those from the portal. Now this "hook" is way too complex and error brone. Support could be very similar to STS lookup with MFA code. |
I think the problem OP is describing is really a feature request for the aws terraform provider. I found a feature request over on the provider repo related to supporting SSO credentials: hashicorp/terraform-provider-aws#10851 |
Doing this on a utility-by-utility or sdk-by-sdk basis will make for an absolutely horrid developer and user experience. The SDKs all support the AWS Shared Config file in some way. The SSO auth/cred process should also integrate through the AWS Shared Config so all SDKs and all utilities are able to leverage it the same way. |
@lorengordon |
@KaibaLopez Ok, gotcha. I use terraform a lot and have also helped review/expand the credential handling to better work with the features of the AWS Shared Config. It will indeed leverage the SDK credential chain properly. The only known real issue currently is that IF you are using the AWS_PROFILE env and that profile uses certain features from the AWS Shared Config file, then you must export AWS_SDK_LOAD_CONFIG=1. That's kind of a thing in the aws-sdk-go for enabling resolution for the AWS Shared Config. Far as I can tell, I don't think there is truly a terraform issue here. |
I would have to say I am experiencing the same "issue" as the OP. I am using boto3 and it is expecting the AWS CLI V1 shared credentials file in INI format. https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html As for a feature request I think it would be helpful to be able to choose if you also want the temporary credentials stored in a "legacy" format. I am currently seeing if I can make a wrapper script similar to the OP that exports the access key, secret key, and session token. |
I have created and shared a script to simplify updating |
I pulled the SSO credential support from botocore v2 and the CLI into a @flyinprogrammer has written a similar thing in go that's a little less full-featured, but has the advantage of being a single executable: aws-sso-fetcher |
Well, come here for some quick ready made solution. Ended up writing one, yawsso -- which I extend @sgtoj work, without depending on anything except CLI v2 itself, to sync up CLI v2 SSO login session to v1 credentials file.
|
Sorry I didn't reply to these messages sooner, but I think most of the commenters here are understanding that pain that I have described. My concern with the proposed solution is that it effectively breaks the document contract that the AWS CLI has established and fostered for years. This is particularly problematic with In the meantime, I have entirely given up any attempt at using @victorskl I look forward to trying out your tool! |
I've moved (back) to aws-vault https://github.com/99designs/aws-vault/blob/master/USAGE.md#aws-single-sign-on-aws-sso |
Note for |
For anyone looking for a node version of this type of script I've published this one to npm https://github.com/ryansonshine/aws-sso-creds-helper |
For folks still needing backward compatibility to ~/.aws/credentials file, I have created a script to automate the web flow of 'aws sso login', so you do not need to switch to the browser for SSO authentication, update the ~/.aws/credentials and inject env params AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN into current terminal. |
Please note that @arvindkgs's tool requires you to put your password in an environment variable or in your shell history, both of which are run against recommended practice. The process of using your browser to sign in is a security feature of AWS SSO login, not a bug. It also only appears to work with Okta, and I see no support for MFA. |
@benkehoe I built this for developers who don't want to shift focus from their cmd line. While this is a feature of SSO it is distracting for me. Yes, it is only for OKTA now. I added to environment because some tools require creds in the environment. I will add a switch to make this optional. I have explored other tools like https://github.com/Noovolari/leapp and https://github.com/linaro-its/aws2-wrap and found them lacking. |
Any traction on this? I would love to be able to give my developers an sso user to authenticate against AWS while using the sdk rather than have to have them manually go and download the credentials from the login screen each time. |
@dazhanghalo what's wrong with |
|
Hi all, I appreciate your continued conversation on this, and I'd like to clarify and update. It seems like the biggest pain point underlying this issue is that all AWS SDKs did not support using the credential provider that is configured via @dazhanghalo - what language are your developers using? Hopefully they are covered now by my above statement. To clarify a bit of @dayer4b's concerns about the contract or standard set by the AWS SDK credential configuration:
This is still true - if you supply credentials to There are authentication methods besides SSO that also do not store them in the credentials file, and should not because of their transient nature. Assume role credentials are not written to the credential file, nor are those that are pulled from IMDS, or a custom credential provider. Writing them to the credential file would not work as the file is currently read once when a session is created (for example in Python), so if the credentials were refreshed after expiring they would be broken. @olenm - I'm not sure I understand the issue here. There is no intention to use SHA1 as a security method, only as a way to ensure that the resulting name of the file is compatible with the storage (e.g., not having a filename that might be too long when combining things like you mentioned). One thing I hear from this is the need to still get out the current set of credentials that a profile would be using, regardless if they come from SSO, an assume role, or even are configured in the credential file itself. This open issue (#5261) proposes that specifically for SSO in response to the lack of support for SSO, but it seems to have further value to those who need the credentials in a predictable format for other uses Many of you have written tools to do this (@benkehoe, @flyinprogrammer, @ryansonshine, @victorskl, and probably others). For users who already have the AWS CLI installed to perform the SSO login, it would be a win to also use the same tool to interrogate what credentials are in use and export them if needed. This looks like feature that the AWS CLI team can support and review for implementing. |
Thanks @kdaily ! Re the sha1 as a file-name - I am glad to hear it is not an attempt at a security measure; however I think that file name length as a consideration in terms of it potentially reflecting the profile-name should be reconsidered as it is already reaching some 40 characters. Anybody with so many profiles that utilize that many combinations on a single system is in trouble in another way if you ask me. Though personally even with long account+role name combinations in my own profile list, I can easily see 60+ chars - but really the problem comes if people are using paragraphs to identify profiles, if that is the case, I do feel sorry for when they have to use The fact that people need to utilize other apps/wrappers/scripts to simply correlate a profile to a credential set is a problem (myself included). Getting a printout of credentials from the CLI would be very helpful to a degree, but programs like Terraform which already utilize reading the ini file format and utilize profiles could easily benefit from a profile-named-ini - especially since the cache folder path does not change. Even still, I think there are some oddities in the behavior of the creation of the json - as in, it gets created not on login, but after the first call afterward (I personally call |
I have made modifications to my script that no longer needs credentials as environment variables and have been using it for 4 months now without issues.
|
FWIW, I created a small Python 3 wrapper (no external libraries required) around |
@robvanderleek thanks so much! It is contributions like this that make me think that this feature is still broken. That there are commonly required and readily available solutions to fix the implementation suggests that the implementation is faulty, or perhaps doesn't go far enough in bridging towards backwards compatibility. |
Please, please fix this. Makes transitioning to |
Thanks again for the input. I'm going to close this issue, as we've outlined above the reasons why temporary credentials (including those from SSO) will not (and should not) be saved in the credentials file. Nearly all AWS SDKs now automatically support this configuration, so other tools to get this functionality should no longer be required. Downstream tools (like Terraform) also support |
|
Breaks my process. Thanks a lot. |
To echo @kdaily's comment, I've written an article on how the "AWS standard" for credentials is more comprehensive than just When using the configuration functionality of |
AWS documents that credentials generated by
aws configure
are stored in the standard path~/.aws/credentials
:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
This path is not utilized by credentials stored by
aws configure sso
oraws sso login
.Other tools (like Terraform and Boto3) that rely on this standard do not function because they do not see the credentials stored in the
~/.aws/cli/cache/
JSON files.https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html
The text was updated successfully, but these errors were encountered: