👋 Hi everybody, I’m struggling with SSO authe...
# aws
a
👋 Hi everybody, I’m struggling with SSO authentication when using SSO token provider config. Legacy non-refreshable configuration works fine, but I’m curious to know if there’s a way to configure token provider properly as a default preferred auth. Any docs or ideas on that?
b
can you elaborate?
a
Absolutely. I’m using the TypeScript SDK. The Pulumi runtime fails to identify the `aws profile` I wish to use. This is the output I’m getting when using SSO token provider config:
```
pulumi preview --diff
Previewing update (dev)

View Live: https://app.pulumi.com/jorgeAtSama/starter-kit/dev/previews/57d1b163-9c01-4d69-bcd4-154e27f72c34

 + pulumi:pulumi:Stack: (create)
    [urn=urn:pulumi:dev::starter-kit::pulumi:pulumi:Stack::starter-kit-dev]
    + pulumi:providers:aws: (create)
        [urn=urn:pulumi:dev::starter-kit::pulumi:providers:aws::us-east-1]
        region                   : "us-east-1"
        skipCredentialsValidation: "false"
        skipGetEc2Platforms      : "true"
        skipMetadataApiCheck     : "true"
        skipRegionValidation     : "true"
        version                  : "5.9.2"
    + pulumi:providers:aws: (create)
        [urn=urn:pulumi:dev::starter-kit::pulumi:providers:aws::us-east-2]
        region                   : "us-east-2"
        skipCredentialsValidation: "false"
        skipGetEc2Platforms      : "true"
        skipMetadataApiCheck     : "true"
        skipRegionValidation     : "true"
        version                  : "5.9.2"
    + awsx:ec2:Vpc: (create)
        [urn=urn:pulumi:dev::starter-kit::awsx:ec2:Vpc::default]
Error: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials.
Details: no valid credential sources for  found.

Please see 
for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired


Make sure you have:

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
         • Configured your AWS credentials as per https://pulumi.io/install/aws.html
         You can also set these via cli using `aws configure`.


: Error: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials.
Details: no valid credential sources for  found.

Please see 
for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired


Make sure you have:

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
         • Configured your AWS credentials as per https://pulumi.io/install/aws.html
         You can also set these via cli using `aws configure`.


    at Object.callback (/snapshot/awsx/node_modules/@pulumi/pulumi/runtime/invoke.js:148:33)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client.ts:338:26)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
    at /snapshot/awsx/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
    at processTicksAndRejections (node:internal/process/task_queues:78:11)
error: Error: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials.
Details: no valid credential sources for  found.

Please see 
for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired


Make sure you have:

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
         • Configured your AWS credentials as per https://pulumi.io/install/aws.html
         You can also set these via cli using `aws configure`.


    at Object.callback (/snapshot/awsx/node_modules/@pulumi/pulumi/runtime/invoke.js:148:33)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client.ts:338:26)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
    at /snapshot/awsx/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
    at processTicksAndRejections (node:internal/process/task_queues:78:11)
error: Error: failed to register new resource default [awsx:ec2:Vpc]: 2 UNKNOWN: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials.
Details: no valid credential sources for  found.

Please see 
for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired


Make sure you have:

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
         • Configured your AWS credentials as per https://pulumi.io/install/aws.html
         You can also set these via cli using `aws configure`.


    at Object.registerResource (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/runtime/resource.ts:339:27)
    at new Resource (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/resource.ts:398:13)
    at new ComponentResource (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/resource.ts:891:9)
    at new Vpc (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/ec2/vpc.ts:124:9)
    at Object.<anonymous> (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/index.ts:9:54)
    at Module._compile (node:internal/modules/cjs/loader:1254:14)
    at Module.m._compile (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/ts-node/src/index.ts:439:23)
    at Module._extensions..js (node:internal/modules/cjs/loader:1308:10)
    at Object.require.extensions.<computed> [as .ts] (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/ts-node/src/index.ts:442:12)
    at Module.load (node:internal/modules/cjs/loader:1117:32)
```
d
So I’m not sure if this is what you’re talking about, but instead of using `aws configure sso` we’re using a couple of packages:
```
brew install aws-sso-util awsume

# populate ~/.aws/config with all profiles you have access to
export AWS_DEFAULT_SSO_START_URL=https://YOURORG.awsapps.com/start
export AWS_DEFAULT_SSO_REGION=us-east-1
aws-sso-util configure populate --region=us-east-1

# set up awsume alias and autocomplete for your shell (pick the one you use)
awsume-configure --shell zsh   # or: awsume-configure --shell bash

# source your shell rc file, or restart your shell, then log in
aws-sso-util login
awsume <TAB>  # should show a list of all your profiles
```
and with this setup it just works for me
a
I was indeed referring to SSO configuration. Thanks @dry-journalist-60579. Are you using the token provider config as well?
b
the providers don’t support the sso-session var yet, you need to grab temporary credentials
a
I see.
> the providers don’t support the sso-session var yet, you need to grab temporary credentials
None of them?
b
the aws provider doesn’t
how is your SSO profile configured?
```
[profile pulumi-dev-sandbox]
output = json
region = us-west-2
sso_account_id = <id>
sso_region = us-west-2
sso_role_name = AdministratorAccess
sso_start_url = https://<url>
```
Anything like this should work
if you use `sso-session` it won’t just yet
a
ok, no problem, I’ll just keep using the legacy non-refreshable sso method then. Thanks so much @billowy-army-68599 and @dry-journalist-60579.
b