Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
c
clever-painter-96148
11/03/2021, 1:06 PMIs there a way to use AWS SSO credentials with Pulumi?
I authenticate with
aws sso login --profilem
millions-furniture-75402
11/03/2021, 1:37 PMHere's a
credential_process#!/usr/bin/env bash
# Generate a profile with temporary credentials for the role
# Add to your AWS profile:
# credential_process = /usr/local/bin/aws_sso.sh my-profile arn:aws:iam::1234567890:role/CoolRole-us-east-1 write
# In application use the profile name: <profile_name>-temp
function aws_sso () {
local AWS_PROFILE=$1
local AWS_PROFILE_SSO="${AWS_PROFILE}-sso"
local ROLE_ARN=$2
local SSO_ROLE_NAME=$(aws configure get profile.${AWS_PROFILE_SSO}.sso_role_name)
local SSO_ROLE_SESSION_NAME=$(aws configure get profile.${AWS_PROFILE_SSO}.role_session_name)
if [[ -n ${SSO_ROLE_NAME} ]]; then
local AWS_ROLE_USER_ID=$(aws --profile ${AWS_PROFILE_SSO} sts get-caller-identity |jq -r '.UserId' || exit 0)
if [[ -z ${AWS_ROLE_USER_ID} ]]; then
$(aws sso login --profile=${AWS_PROFILE}-sso &>/dev/null)
fi
local AWS_CREDENTIALS=$(aws --profile ${AWS_PROFILE_SSO} sts assume-role --role-arn ${ROLE_ARN} --role-session-name ${SSO_ROLE_SESSION_NAME})
local AWS_ACCESS_KEY_ID=$(echo ${AWS_CREDENTIALS} | jq -r '.Credentials.AccessKeyId')
local AWS_SECRET_ACCESS_KEY=$(echo ${AWS_CREDENTIALS} | jq -r '.Credentials.SecretAccessKey')
local AWS_SESSION_TOKEN=$(echo ${AWS_CREDENTIALS} | jq -r '.Credentials.SessionToken')
local AWS_EXPIRATION=$(echo ${AWS_CREDENTIALS} | jq -r '.Credentials.Expiration')
local RESPONSE_TEMPLATE='{"Version": 1,
"AccessKeyId": "%s",
"SecretAccessKey": "%s",
"SessionToken": "%s",
"Expiration": "%s"
}'
if [[ ${3} == "write" ]]; then
aws configure set profile.${AWS_PROFILE}-temp.aws_access_key_id ${AWS_ACCESS_KEY_ID}
aws configure set profile.${AWS_PROFILE}-temp.aws_secret_access_key ${AWS_SECRET_ACCESS_KEY}
aws configure set profile.${AWS_PROFILE}-temp.aws_session_token ${AWS_SESSION_TOKEN}
fi
echo $(printf "${RESPONSE_TEMPLATE}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}" "${AWS_SESSION_TOKEN}" "${AWS_EXPIRATION}")
else
echo "Profile not found, or missing sso_role_name"
fi
}
aws_sso $1 $2 $3c
clever-painter-96148
11/03/2021, 2:10 PMThanks, I'll try it out!
According to https://github.com/pulumi/pulumi/issues/5072 it is supposed to work. That's weird!
b
billowy-army-68599
11/03/2021, 4:27 PM@clever-painter-96148 we use
aws sso login@millions-furniture-75402 I wrote a little Go binary to help with that process 🙂
https://github.com/jaxxstorm/aws-sso-creds
👍 1
c
clever-painter-96148
11/03/2021, 4:29 PM@billowy-army-68599 I described what I've done here: https://pulumi-community.slack.com/archives/CRH5ENVDX/p1635948880103000?thread_ts=1635946074.101600&cid=CRH5ENVDX
Did you achieve it without your tool?
I'll check it out, thanks!!
b
billowy-army-68599
11/03/2021, 4:30 PM@clever-painter-96148 double check your env vars to make sure you don't have any latent env vars hanging aroind?
env | grep -i AWSc
clever-painter-96148
11/03/2021, 4:31 PMnope, my env is clean
b
billowy-army-68599
11/03/2021, 4:33 PMhuh, strange. it should just work
c
clever-painter-96148
11/03/2021, 4:37 PMb
billowy-army-68599
11/03/2021, 4:39 PMI'm sure it won't make a difference, bt can you can try exporting the
AWS_PROFILEc
clever-painter-96148
11/03/2021, 4:43 PMHaha, I already tried. Same result.
When running pulumi with -v9, I see:
I1103 17:42:21.679702 151402 eventsink.go:59] Attempting to use session-derived credentials
I1103 17:42:21.679724 151402 eventsink.go:62] eventSink::Debug(<{%reset%}>Attempting to use session-derived credentials<{%reset%}>)
I1103 17:42:21.680392 151402 provider_plugin.go:511] Provider[aws, 0xc000f08960].Configure() failed: err=unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configurationIf I understand this correctly: https://github.com/pulumi/pulumi-aws/blob/master/provider/resources.go#L253
1. It creates a Config object based on the function arguments and fill it with values from the environment
2. It passes it to hashicorp/aws-sdk-go-base's GetCredentials which uses StaticProvider, EnvProvider and SharedCredentialsProvider (none of these seem to be able to use AWS SSO credentials)
According to https://aws.amazon.com/blogs/developer/aws-sso-support-in-the-aws-sdk-for-go/ we should use NewSessionWithOptions.
hashicorp/aws-sdk-go-base uses it in GetCredentialsFromSession.
But pulumi only uses GetCredentials.
Where is the current implementation supposed to get credentials from AWS SSO?
Disclaimer: My understanding could be very wrong as I don't know anything about golang... 😅
b
broad-gold-44713
11/03/2021, 5:13 PM@clever-painter-96148 I've never had success using the SSO profile directly. Either use
eval `aws-sso-creds export --profile <profile>`or
aws-sso-creds set --profile <sso-profile> <temp_profile>
AWS_PROFILE=<temp_profile>c
clever-painter-96148
11/03/2021, 5:15 PMGuess I'll use @billowy-army-68599's aws-sso-creds for now 🙂
f
faint-table-42725
11/03/2021, 5:22 PMI use profiles w/o export via
AWS_PROFILEI have this setup in
/.aws/config[profile pulumi-ci]
sso_start_url = <https://xxxxxxx.awsapps.com/start>
sso_region = us-west-2
sso_account_id = 12345678901
sso_role_name = FooRole
region = us-west-2my workflow is to run
aws sso loginAWS_PROFILE=my-profile pulumi upI also have
AWS_SDK_LOAD_CONFIG=true~/.aws/configc
clever-painter-96148
11/03/2021, 5:29 PMMy profile in ~/.aws/config:
[profile foo]
sso_start_url=<https://foo.awsapps.com/start>
sso_region=eu-west-1
sso_account_id=42
sso_role_name=AWSAdministratorAccessaws sso login --profile fooAWS_PROFILE=foo pulumi upAWS_SDK_LOAD_CONFIG=trueerror: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configurationIn the meantime, I tried aws-sso-creds, and it's already an improvement, thanks @billowy-army-68599 😄
b
billowy-army-68599
11/03/2021, 5:46 PMglad to help!
c
clever-painter-96148
11/03/2021, 5:49 PMAny idea how I could dig the native aws sso integration issue further?
I'd love to have this, so I could set aws:profile in Pulumi.stackName.yaml and ensure I will never again run
pulumi upr
rapid-raincoat-36492
11/03/2021, 5:56 PMI know the AWS go SDK just started supporting SSO in February: https://aws.amazon.com/blogs/developer/aws-sso-support-in-the-aws-sdk-for-go/, so the first thing I'd is to check the sdk versions used in whatever language provider you are using and make sure that the aws sdk supported sso in that version
c
clever-painter-96148
11/03/2021, 6:22 PMpulumi-aws 4.25.0 uses hashicorp/aws-sdk-go-base v1.0.0 (https://github.com/pulumi/pulumi-aws/blob/v4.25.0/provider/go.mod)
hashicorp/aws-sdk-go-base 1.0.0 uses aws-sdk-go v1.31.9 (https://github.com/hashicorp/aws-sdk-go-base/blob/main/go.mod#L4)
aws-sdk-go 1.13.9 has been released on 2020-06-02 (https://github.com/aws/aws-sdk-go/blob/v1.31.9/CHANGELOG.md)
It looks like that SSO support has been added in v1.25.30: https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md#release-v12530-2019-11-07
Then they fixed an issue that affected it in version 1.37.2 : https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md#release-v1372-2021-02-02
On the same day (2020-02-02), they announced support for sso in the go sdk: (https://aws.amazon.com/blogs/developer/aws-sso-support-in-the-aws-sdk-for-go/)
So it looks like the AWS SDK used in Pulumi should be able to work with AWS SSO.
b
bored-activity-40468
11/03/2021, 8:29 PMcredential_processf
faint-table-42725
11/03/2021, 8:32 PMI’d love to have this, so I could set aws:profile in Pulumi.stackName.yaml and ensure I will never again runIrrespective of getting this to work, one thing I’ve seen as a pattern is along the lines of:on the wrong stack on the wrong accountpulumi up
aws.getCallerIdentity().then(identity => {
if (identity.accountId != expectedAccountId)
throw new Error("uh-oh");
});Looking at what you’ve described so far, I’d expect that to work, so I’m not sure what I’m doing differently or what’s different on your end.
I guess the only difference I can observe is I login purely with
aws sso login--profile(though, I just tried w/ that and it worked fine)
c
clever-painter-96148
11/03/2021, 10:42 PMIrrespective of getting this to work, one thing I’ve seen as a pattern is along the lines of:Simple, efficient, I like this idea a lot! All my pulumi projects have multiple stacks (usually 1 per environment). I'll write a PoC using an account ID stored in the stack's config. Thanks!
I guess the only difference I can observe is I login purely withGuess that means "use the default profile"?without specifyingaws sso login--profile
Looking at what you’ve described so far, I’d expect that to work, so I’m not sure what I’m doing differently or what’s different on your end.Yep. Unfortunately, I have no idea how I could troubleshoot this further. I'm open to suggestions. 🙂
f
faint-table-42725
11/04/2021, 1:59 AMOne other thought: is this an old stack that used a previous version of the plugin?
c
clever-painter-96148
11/04/2021, 8:08 AMNope:
$ pulumi stack export | grep providers:aws:: | sort -u
"provider": "urn:pulumi:dev::yarn-monorepo-pulumi-lambda::pulumi:providers:aws::default_4_25_0::801f221c-0186-470c-bd95-87d67531d813",
"urn": "urn:pulumi:dev::yarn-monorepo-pulumi-lambda::pulumi:providers:aws::default_4_25_0",