# general
```shell
➜  api git:(master) ✗ cat ~/.aws/config
[profile mycompany-sitebuilder]
sso_start_url = https://d-12345678.awsapps.com/start
sso_region = us-west-2
sso_account_id = 12345678
sso_role_name = AdministratorAccess
region = us-west-2

➜  api git:(master) ✗ . awsjump mycompany-sitebuilder
Jumping into AWS profile mycompany-sitebuilder..
{
  "UserId": "AAAAAAAAAAAAAAAAAAAA:me@mycompany.com",
  "Account": "12345678",
  "Arn": "arn:aws:sts::12345678:assumed-role/AWSReservedSSO_AdministratorAccess_12345678/me@mycompany.com"
}

➜  api git:(master) ✗ aws s3 ls
2021-02-13 09:53:21 mycompany-sitebuilder-state-prod

➜  api git:(master) ✗ pulumi login --cloud-url "s3://mycompany-sitebuilder-state-prod?region=us-west-2"
Logged in to My-MacBook-Pro.local as me (s3://mycompany-sitebuilder-state-prod?region=us-west-2)

➜  api git:(master) ✗ pulumi stack ls
error: error listing stacks: could not list bucket: blob (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

➜  api git:(master) ✗ echo $AWS_PROFILE
mycompany-sitebuilder
```
that `awsjump` script just sets env vars and runs `aws sts get-caller-identity`
```shell
➜  Development cat ~/bin/awsjump
#!/bin/zsh
# Point the AWS CLI and SDKs at the named profile for this shell session
export AWS_PROFILE=$1
export AWS_DEFAULT_PROFILE=$1
echo "Jumping into AWS profile $1.."
# Confirm which identity the profile actually resolves to
OUT=$(aws sts get-caller-identity | jq .)
echo "$OUT"
```
```shell
➜  Development pulumi version
v2.20.0
```
if I use the WEB login for SSO, and use their "use CLI" instructions which simply set the credentials, then it works:
so it seems like the pulumi/boto internals don't support the AWS SSO profile method
hey @brave-angle-33257 as you mentioned, the AWS Go SDK doesn't support SSO yet, but I wrote a little helper tool to help you out https://github.com/jaxxstorm/aws-sso-creds
so you should be able to do
```shell
aws sso login
eval $(aws-sso-creds export)
```
ah, that's awesome, thanks, I was just looking into `aws-sso-credential-provider` for python, but doesn't seem to be working as advertised right now
seems like might be a good idea to run the export before all commands since the sso login will auto refresh, but not the exported creds, is that right?
it depends on how your SSO is set up, I generally login in once a day and then do the export and it gets me through our 8 hour expiry 🙂
yea, that would be ideal. I followed Google's docs to connect them via external IDP to AWS SSO, but I noticed they don't define how to extend the role time anywhere
aws vault also supports this btw https://github.com/99designs/aws-vault
ok cool, I'll have a look at that also
previously with Gmail I had set up the users and their access on the Gmail side, then passed in a value to the duration on login, but when reversing it and setting up the allowed users on the AWS SSO side, I haven't figured out how yet 😕
this made me laugh, it's totally what I was thinking in my head looking through the boto3 docs for `get_role_credentials()`
```shell
aws sso get-role-credentials --role-name <SOME_ROLE_I_CANNOT_REMEMBER> --account-id <WHATS_MY_ACCOUNT_ID_AGAIN?> --access-token <I_HAVE_TO_LOOK_THIS_UP_IN_A_FILE_WHERE?>
```
😄
the IAM role created by AWS SSO inside of my target account does say 12 hours for max duration.. so I guess an easy way to test is export the env vars using your tool, go drink a few beers, and come run a command in a couple of hours and see what happens heh
it will either be 1 hour or 12 I'm assuming
@brave-angle-33257 if you do `aws-sso-creds get` it'll tell you when they expire!
```shell
These credentials will expire at: Sat Jun 18 01:53:20 PST 53092
```
ah! the gift that keeps on giving
I'm working on a little wrapper to do this all in one shot
hmm
These credentials will expire at: Thu Sep 3 05:50:00 MST 53091
isn't that a little long out?
```shell
➜  ~ env | grep AWS

➜  ~ cat ~/bin/awsso
#!/bin/zsh
# Select the SSO profile, then turn its cached SSO session into
# plain AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
# env vars that SDKs without SSO support (e.g. the Go SDK) can read
export AWS_PROFILE=$1
echo "Jumping into AWS profile $1.."
eval "$(aws-sso-creds export --profile "$1")"
# Confirm which identity the exported credentials resolve to
aws sts get-caller-identity

➜  ~ . awsso mycompany-sitebuilder
Jumping into AWS profile mycompany-sitebuilder..
{
    "UserId": "AAAAAAAAAAAAAAAA:me@mycompany.com",
    "Account": "11111111111",
    "Arn": "arn:aws:sts::11111111111:assumed-role/AWSReservedSSO_AdministratorAccess_aaaaaaaaaaaa/me@mycompany.com"
}

➜  ~ env | grep AWS | wc -l
       4
```
that does seem a long time....
yea it can't be right
not for any temporary creds
and that role does say 12 hour max
but, if it's 12 hours, that would be ideal
I'll do the beer test
shit
```shell
➜  ~ aws s3 ls

An error occurred (ExpiredToken) when calling the ListBuckets operation: The provided token has expired.
```
figured out how to set it.. you have to adjust the "permission sets" in AWS SSO, default is 1 hour
thanks for all your help @billowy-army-68599! this will work just fine for my dev purposes 🍻
fwiw I use this to use my AWS SSO login with Pulumi https://github.com/linaro-its/aws2-wrap