Support AWS Single-Sign On (SSO) cached credentials when using AWS profiles #162

Closed
michelzanini opened this issue Apr 6, 2021 · 7 comments


@michelzanini

When using aws_provider_profile, it is not possible at the moment to have these profiles use AWS SSO with the ~/.aws/config file. This is fairly new in AWS CLI v2.

Support for this has been added to Terraform 0.14.6+ (for S3 remote state) and to the AWS provider (3.26+).
To support it, the only change is to bump the AWS Go SDK to 1.37 or above.

Here is the PR that was done on AWS provider:
https://github.com/hashicorp/terraform-provider-aws/pull/17340/files

I believe if this same bump happens here it will work.
More info can be seen here hashicorp/terraform-provider-aws#10851 (comment).

Thanks.

@phillbaker
Owner

Happy to bump the aws client, however, an earlier bump was possibly responsible for the regression in #124.

I'll bump the client and release a new version.

@michelzanini
Author

I am thinking of trying different commits from 1.5.0 to 1.5.1 to see the exact commit that could have broken things for #124.
To do that, I guess I only need to check out the commit and run go build? I can then move that binary to my project and run a test...

@phillbaker
Owner

> I guess I only need to checkout the commit and go build ? I can then move that binary to my project and run a test

That'd be great. That approach should work. Please let me know what you find!

@michelzanini
Author

The problem commit was #119, looking deeper into it now...

@phillbaker
Owner

phillbaker commented Apr 8, 2021

Thanks @michelzanini, let's continue the conversation on #124 to keep this issue focused on the AWS client. I've gone ahead and bumped the client version and released https://github.com/phillbaker/terraform-provider-elasticsearch/releases/tag/v1.5.5. I'm going to close this issue as presumably fixed.

@jiahuijiang

@phillbaker is there any configuration I need to set to use SSO?
I'm using 2.0.1, but it seems like the provider is not picking up SSO with the ~/.aws/config file. When there is a ~/.aws/credentials file, everything works properly.

This is the error message I got, while the same SSO setup works with other providers:

2022-06-08T20:06:08.466Z [INFO]  provider.terraform-provider-elasticsearch_v2.0.1: 2022/06/08 20:06:08 NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
SharedCredsLoad: failed to load profile, .
EC2RoleRequestError: no EC2 instance role found
caused by: EC2MetadataError: failed to make EC2Metadata request

@phillbaker
Owner

> the same SSO setup works with other providers

Can you be more specific? What other providers work with this?

According to the upstream docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/session/#hdr-Shared_Config_Fields), the AWS_SDK_LOAD_CONFIG environment variable needs to be set to use ~/.aws/config.
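
Added example, not part of the thread and not code from the provider or the AWS SDK: a standard-library Go check that reads ~/.aws/config style text and reports whether an SSO profile would be consulted given the AWS_SDK_LOAD_CONFIG value the provider process sees. The function names, the sample profiles and the use of strconv.ParseBool for "truthy" are assumptions of this example, and it assumes the client leaves shared-config loading to the environment variable.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Settings AWS CLI v2 writes into an SSO profile in ~/.aws/config.
var ssoKeys = []string{"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}

// parseConfig maps profile -> key -> value; non-default profiles use "[profile NAME]".
func parseConfig(text string) map[string]map[string]string {
	out, cur := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = strings.TrimSpace(strings.TrimPrefix(line[1:len(line)-1], "profile "))
			out[cur] = map[string]string{}
		} else if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && cur != "" && line[0] != '#' && line[0] != ';' {
			out[cur][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return out
}

// diagnose reports whether the profile is a complete SSO profile and whether
// shared config is enabled. Assumption: "truthy" is judged by strconv.ParseBool.
func diagnose(cfg map[string]map[string]string, profile, loadConfig string) string {
	p := cfg[profile] // nil map for an unknown profile, so every lookup yields ""
	for _, k := range ssoKeys {
		if p[k] == "" {
			return "incomplete SSO profile: missing " + k
		}
	}
	if on, _ := strconv.ParseBool(loadConfig); !on {
		return "SSO profile ignored: AWS_SDK_LOAD_CONFIG is not set to a true value"
	}
	return "shared config enabled: SSO profile is eligible"
}

// Constructed sample config; the URL, account id and role name are placeholders.
const sample = "[profile dev-sso]\nsso_start_url = https://example.awsapps.com/start\n" +
	"sso_region = us-east-1\nsso_account_id = 111111111111\nsso_role_name = ReadOnly\n" +
	"# constructed incomplete profile\n[profile broken]\nsso_start_url = https://example.awsapps.com/start\n"

func main() {
	fmt.Println(diagnose(parseConfig(sample), "dev-sso", ""))
}
```

To check a real setup, pass the contents of ~/.aws/config and the value of AWS_SDK_LOAD_CONFIG from the environment Terraform runs in.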
