# aws
Hello everyone! Has anyone gotten the Pulumi CLI working with AWS Identity Center (SSO)? I am getting this error:
```
Details: loading configuration: profile "value-dev" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
```
When I add the missing parameters, I get this error:
```
Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /Users/my-user/.aws/sso/cache/5b4332413256eb7492af48c99f1ed4408c4ad28e.json: no such file or directory
```
`.aws/config`:

```ini
[profile value-dev]
sso_session = my-sso
sso_account_id = 12341234123
sso_role_name = PowerUserAccess
region = eu-north-1
output = json

[sso-session my-sso]
sso_start_url = https://my-sso.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
```
Some version details:

```
$ aws --version
aws-cli/2.9.4 Python/3.11.0 Darwin/21.6.0 source/arm64 prompt/off

$ pulumi version
v3.48.0
```
Any help on this is appreciated!
Not sure why you need 2 sections in the config, but I just have one:
```ini
[profile xxx]
sso_start_url = https://xxx.awsapps.com/start#/
sso_region = ap-southeast-2
sso_account_id = 123456789
sso_role_name = AdministratorAccess
region = ap-southeast-2
aws_account_id = xxx-sso
```
Works with any tool (awscli, pulumi, terraform)
Okay, I need to try it out. This is what the `aws configure sso` command gives you.
Unfortunately this did not work for me either; I'm still getting this error:
```
error: unable to validate AWS credentials.
    Details: no valid credential sources for  found.

    Please see
    for more information about providing credentials.

    Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /Users/my_user/.aws/sso/cache/5b4332413256eb7492af48c99f1ed4408c4ad28e.json: no such file or directory
```
This is my profile in `~/.aws/config`:

```ini
[profile my-profile]
sso_start_url = https://xxx.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 123415123123
sso_role_name = PowerUserAccess
region = eu-north-1
output = json
```
I'm assuming you're setting the `AWS_PROFILE="my-profile"` environment variable, doing an `aws sso login`, and then running `pulumi`?
SSO creds are short-lived (I think 6 hours by default?), so you need to do

```
aws sso login --profile xxx
```

pretty often. Not sure about the complaints about the cache, though; I'd try to remove it if it still doesn't work. Maybe check if the directory `/Users/my_user/.aws/sso/cache/` exists first.
I have not actually set `AWS_PROFILE` explicitly, but it is configured in the `aws/config` file. And Pulumi can find the profile, so I do not think this is the issue. Also, I forgot to mention, but awscli is working fine with the SSO profile.
So this works but Pulumi doesn't? @future-receptionist-60599

```
aws --profile value-dev sts get-caller-identity
```
So, something weird just happened. I deleted all old configurations, and when I ran `aws configure sso` and left the SSO session name empty (as in the screenshot), it started working. Now both awscli and Pulumi work. BUT if I try to destroy an already created stack that was created by manually creating a profile in `~/.aws/credentials`:

```ini
[806232589401_AdministratorAccess]
aws_access_key_id=<access_key>
aws_secret_access_key=<secret_key>
aws_session_token=<session_token>
```

the destroy does not work with those profiles created with `aws configure sso`; instead I get this error:

```
error: 1 error occurred:
        * error retrieving account details: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 3 errors occurred:
        * failed getting account information via iam:GetUser: operation error IAM: GetUser, https response error StatusCode: 403, RequestID: c8c05dfc-6d04-4fc4-a3f9-d61b3ca98aa1, api error ExpiredToken: The security token included in the request is expired
        * error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 0967fe21-111a-4608-90f7-51f42afd87a0, api error ExpiredToken: The security token included in the request is expired
        * failed getting account information via iam:ListRoles: operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: a28cce26-ac6d-464c-b10b-a411776f4878, api error ExpiredToken: The security token included in the request is expired
```