AWS CLIv2 and AWS SSO auth fails #1129
S3 bucket config from

```hcl
# Configure Terragrunt+Terraform to automatically store tfstate files in an S3 bucket
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket              = "tf-states.${local.environment}.${local.aws_root_domain}"
    key                 = "${path_relative_to_include()}/terraform.tfstate"
    region              = "eu-central-1"
    encrypt             = true
    dynamodb_table      = "tf-states-lock.${local.environment}.${local.aws_root_domain}"
    s3_bucket_tags      = local.default_tags
    dynamodb_table_tags = local.default_tags
    # save costs - since we can not add lifecycle rules to clean up old versions
    skip_bucket_versioning = true
  }
}
```
I believe the new SSO functionality only works with the newest version of the AWS SDK, so all CLI tools that use the SDK (such as Terragrunt) would need to be updated first. Would you be up for a PR to bump the AWS SDK version? You could test locally to see if that fixes the issue for you. |
PR = Pull Request; my Golang is very basic. I doubt that I can handle it. Found this changelog: v1.25.30 added support for SSO, maybe related.
I checked the following, but no success.

11:05 $ git diff
diff --git a/go.mod b/go.mod
index c958777..4f9ec28 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.13
require (
cloud.google.com/go/storage v1.6.0
- github.com/aws/aws-sdk-go v1.29.34
+ github.com/aws/aws-sdk-go v1.30.7
github.com/creack/pty v1.1.9
github.com/fatih/color v1.9.0
github.com/fatih/structs v1.1.0
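Review bot: the version bump on the `+` line (v1.29.34 to v1.30.7) does not by itself show that SSO profiles become usable; a newer module only helps if that release actually ships an SSO credential provider and the shared-config chain Terragrunt relies on picks it up. The later comments in this thread point to v1.37.0 as the release that added it, so target at least that version and check the SDK changelog for the SSO provider before attributing any result to the bump.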
diff --git a/go.sum b/go.sum
index 1042b8b..7426f99 100644
--- a/go.sum
+++ b/go.sum
@@ -99,6 +99,8 @@ github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.29.34 h1:yrzwfDaZFe9oT4AmQeNNunSQA7c0m2chz0B43+bJ1ok=
github.com/aws/aws-sdk-go v1.29.34/go.mod h1:1KvfttTE3SPKMpo8g2c6jL3ZKfXtFvKscTgahTma5Xg=
+github.com/aws/aws-sdk-go v1.30.7 h1:IaXfqtioP6p9SFAnNfsqdNczbR5UNbYqvcZUSsCAdTY=
+github.com/aws/aws-sdk-go v1.30.7/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
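Review bot: the two `+` lines add checksums for v1.30.7 while the `h1:` pair for the replaced v1.29.34 stays in place, which indicates go.sum was edited by hand rather than regenerated. Stale entries are tolerated, but pasted hashes never go through the checksum-database verification that `go get` performs when it adds an entry, so regenerate the file with `go get github.com/aws/aws-sdk-go@v1.30.7` followed by `go mod tidy` and commit that result instead.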
@@ -330,6 +332,8 @@ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANyt
github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
+github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/joyent/triton-go v0.0.0-20180313100802-d8f9c0314926/go.mod h1:U+RSyWxWd04xTqnuOQxnai7XGS2PrPY2cfGoDKtMHjA=

Build new version with

```text
[terragrunt] [/Users/REDACTED/git/cloud-config/terraform/lab/aws/bootstrap] 2020/04/09 11:04:37 Initializing remote state for the s3 backend
[terragrunt] 2020/04/09 11:04:37 Error finding AWS credentials (did you set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables?): NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
[terragrunt] 2020/04/09 11:04:37 Unable to determine underlying exit code, so Terragrunt will exit with error code 1
```
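Review bot: in the third hunk (go.sum `@@ -330,6 +332,8 @@`) the two `+` lines for `github.com/jmespath/go-jmespath v0.3.0` have no matching `require` change in go.mod, so this is a transitive requirement pulled in by the SDK bump; that is expected, but the older jmespath pseudo-version lines above them are also kept, so run `go mod tidy` and commit its output so the full set of checksum changes the bump needs is visible in one place rather than hand-edited.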
AWS SSO is going to be a mess across the community because it does not make credentials available in a way that works with the current credential chain. Each SDK will need to implement support for the new credential chain, and perhaps each tool also (depending on how they set up their chain). For Go, see: aws/aws-sdk-go#3186
I also started getting these errors last night around 7pm. |
Ah, good catch @lorengordon... If this isn't implemented in the AWS Go SDK, then we won't be able to do anything until it is. |
Fwiw, here is a workaround using |
In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and account/role retrieval, then creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools/SDKs.
This should be fixed in the AWS Go SDK in version 1.37: https://github.com/aws/aws-sdk-go/releases/tag/v1.37.0. Can we somehow get this into terragrunt? I am not that familiar with Go, but to my understanding it should only be a matter of updating the version here: Line 7 in a7c0d43
Can someone confirm? If so, I would be able to provide a PR.
I've checked out master and bumped aws-sdk-go to v1.37.6 and rebuilt. I've got the following in
I have When I run my home-made terragrunt, I get:
With both Terraform and the AWS Provider now supporting SSO credentials, it would be great if Terragrunt followed suit. |
Agreed! Is anyone interested in submitting a PR for this? |
I can confirm that building terragrunt locally after updating |
@z0mbix : when you have already done it, can you provide a PR for this? |
Yup, will do. |
I've created: #1537 |
Weird that didn't work for me, but I'm glad it works in general. Thanks @z0mbix! |
@kleidcmp Make sure you see my comments on the PR about |
Are you using the latest terraform aws provider version that is also required to support SSO: |
Ok so I finally made it work by compiling both terraform and terragrunt linked against

My use case involves several AWS accounts spread in a tree looking like that:

With

```hcl
remote_state {
  backend = "s3"
  config = {
    profile        = "<account>" # IMPORTANT
    bucket         = "<account>-terragrunt"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "eu-west-3"
    encrypt        = true
    dynamodb_table = "<account>-terragrunt"
  }
}
```

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
}

provider "aws" {
  region                      = "<region>"
  profile                     = "<account>"
  skip_credentials_validation = true
}

terraform {
  backend "s3" {
    profile = "<account>"
  }
}
```

```ini
[default]
region = eu-west-1
output = json
csm_enabled = true

[profile dev]
sso_start_url = https://d-xxxxxxxxx.awsapps.com/start
sso_region = eu-west-1
sso_account_id = yyyyyyyyyyyyy
sso_role_name = RoleName

[profile prod]
sso_start_url = https://d-xxxxxxxxx.awsapps.com/start
sso_region = eu-west-1
sso_account_id = yyyyyyyyyyyyy
sso_role_name = RoleName
```

With this I can run

```bash
#!/usr/bin/env bash
# log in once per account directory; the directory name is the profile name
for account_dir in aws/*/; do
  aws sso login --profile="$(basename "$account_dir")"
done
```
Thanks for starting this work @z0mbix. Note Terraform already supports SSO creds starting with version 0.14.6 (for the backend) and version 3.26.0 for the Provider. I had to pin Terraform 0.14.5 + Provider 3.25.0 until Terragrunt also supports SSO. The reason is I am not using AWS Key/Secret Key, but I leverage the aws-sso-credential-process to bridge the gap. Basically my profiles in the

```ini
[profile my-profile]
credential_process = aws-sso-credential-process --profile my-profile
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-west-2
sso_account_id = 1234567890
sso_role_name = MyRole
region = us-west-2
output = json
```

Terraform 0.14.6+ blows up because both the
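The failure mode discussed in this thread (an SDK whose credential chain knows nothing about the `sso_*` keys, so an SSO-only profile ends in `NoCredentialProviders`, while a `credential_process` profile like the one above still resolves) can be shown with a small Go program. This is an added illustration, not code from Terragrunt, aws-sdk-go or any commenter: the INI reader, the `Profile` and `Source` types, the `resolve` function, the chain order and the `knowsSSO` switch are all the example's own simplification, and the config it parses is a constructed sample with placeholder account ids and keys.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample ~/.aws/config for the example (account id, start URL
// and keys are placeholders, not real values).
const sampleConfig = `
[default]
region = eu-west-1
output = json

[profile dev]
sso_start_url = https://d-xxxxxxxxx.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = RoleName

[profile bridged]
credential_process = aws-sso-credential-process --profile bridged
sso_start_url = https://d-xxxxxxxxx.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = RoleName

[profile legacy]
aws_access_key_id = AKIAPLACEHOLDER0000
aws_secret_access_key = PLACEHOLDER-secret-not-a-real-key
`

// Profile holds the key/value pairs of one config section.
type Profile map[string]string

// parseAWSConfig is a small INI reader for the shape of ~/.aws/config used
// in this thread ("[default]" / "[profile name]" headers, key = value lines,
// "#" comments). It is an illustration, not the SDK's own parser.
func parseAWSConfig(text string) map[string]Profile {
	profiles := map[string]Profile{}
	var cur Profile
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			// "[profile dev]" -> "dev", "[default]" -> "default"
			name := strings.TrimPrefix(strings.TrimSpace(line[1:len(line)-1]), "profile ")
			cur = Profile{}
			profiles[strings.TrimSpace(name)] = cur
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || cur == nil {
			continue
		}
		cur[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return profiles
}

// Source is the credential provider a chain would settle on.
type Source string

const (
	SourceEnv        Source = "environment variables"
	SourceStaticKeys Source = "static keys from the profile"
	SourceProcess    Source = "credential_process"
	SourceSSO        Source = "sso provider"
	SourceNone       Source = "none (NoCredentialProviders)"
)

// resolve walks a simplified chain in the order env vars, static keys,
// credential_process, SSO. knowsSSO models whether the SDK build has an SSO
// provider at all: an SDK without one never reaches the sso_* keys, which
// is exactly the failure the thread describes.
func resolve(p Profile, env map[string]string, knowsSSO bool) Source {
	if env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "" {
		return SourceEnv
	}
	if p["aws_access_key_id"] != "" && p["aws_secret_access_key"] != "" {
		return SourceStaticKeys
	}
	if p["credential_process"] != "" {
		return SourceProcess
	}
	ssoComplete := p["sso_start_url"] != "" && p["sso_region"] != "" &&
		p["sso_account_id"] != "" && p["sso_role_name"] != ""
	if ssoComplete && knowsSSO {
		return SourceSSO
	}
	return SourceNone
}

func main() {
	profiles := parseAWSConfig(sampleConfig)
	for _, name := range []string{"dev", "bridged", "legacy"} {
		fmt.Printf("%-8s sdk without sso: %-30s sdk with sso: %s\n", name,
			resolve(profiles[name], nil, false), resolve(profiles[name], nil, true))
	}
}
```

Running it prints one line per profile: `dev` resolves to nothing with the old SDK and to the SSO provider with the new one, `bridged` resolves through `credential_process` in both cases (which is why that workaround keeps older tools working), and `legacy` resolves to static keys. The `env` argument is there to show that exported `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` variables win over every profile setting, which is the other workaround mentioned in the thread.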
@oscarmorasu How did you manage to work with terragrunt with these specific versions? I fixed the versions as you said and added the profile. Added the profile in the provider section and in terragrunt.hcl for the remote_state backend configuration. When I run terragrunt plan, for example, I get

```bash
terragrunt plan --terragrunt-source ../../../../terraform//transit-gateway/
```

Am I missing something?
@UrosCvijan, did you install aws-sso-credential-process? |
Wow, in the meantime I think I managed... Or I made who knows what with lots of credentials etc. I will have to do it all over again with everything :) Now it looks like it might have passed, but I will have to double check. Didn't see that it is deprecated. I will try the new one.
Ok, so just in case anyone else will be using the workaround. I installed aws-sso-credential-process, created all the profiles using aws-configure-sso-profile for my accounts, also added sso_interactive_auth=true (not sure if it is necessary), and included the profile in my provider section as well as in the remote_state section for the backend creation. There is something strange happening when I run it the first time: it complains about the permissions and says that it can't create the S3 bucket, but it creates it (it just ignores all the options); it is created without versioning and without encryption, but it is there, that one and the DynamoDB table. Then plan/apply works as normal. With this I can easily switch between accounts without having to log in to a new profile or fetch the environment variables (AWS access/secret key and token).
We just updated the AWS Go SDK version in Terragrunt, which, in theory, should allow AWS SSO / AWS CLI v2 to work with the new release: https://github.com/gruntwork-io/terragrunt/releases/tag/v0.28.9 (binaries should show up shortly). Please give it a shot! |
We are using the new AWS CLI v2 SSO auth feature. This works with the AWS CLI, but terragrunt fails to get credentials.
.aws/config
Check aws cli works