AWSCLIv2 SSO Profiles don't appear to work with awsume #101

Open
smacintyre opened this issue May 16, 2020 · 13 comments

@smacintyre

Old v1 IAM profiles stored in ~/.aws/credentials work fine. However, while the v2 SSO profiles show up in the list command, when I try to run awsume on a v2 SSO profile, I get the following error:

❯ awsume -l
Listing...

========================AWS Profiles========================
PROFILE      TYPE  SOURCE  MFA?  REGION          ACCOUNT
default      User  None    No    ap-southeast-1  Unavailable
devops       User  None    No    ap-southeast-1  Unavailable
self         User  None    No    ap-southeast-1  Unavailable
[...]

❯ aws sso login --profile self
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.ap-southeast-1.amazonaws.com/

Then enter the code:

REDACTED
Successully logged into Start URL: https://REDACTED.awsapps.com/start

❯ awsume self
Awsume error: Invalid profile [self] Missing keys aws_access_key_id, aws_secret_access_key, or credential_source

Here is my ~/.aws/config file:

[profile self]
sso_start_url = https://REDACTED.awsapps.com/start
sso_region = ap-southeast-1
sso_account_id = REDACTED
sso_role_name = PowerUserAccess

region = ap-southeast-1
output = yaml

Am I doing something wrong, or are CLIv2 profiles not supported? Thank you!

@mbarneyjr
Member

AWS SSO profiles are not yet supported, but we are investigating the best way to add support.

@mbarneyjr
Member

AWS SSO profiles are indirectly supported through the recent support for the credential_process property on profiles. If you utilize this tool, awsume will be able to pull the credentials from that credential_process. We are still looking into implementing this natively though.

Support for the credential_process property can be found in pre release 4.5.0a1. I'll release that to 4.5.0 once I'm confident that this and a few other fixes implemented aren't broken. If you experience any issues with the pre release please update this issue or open a new one, thanks!

@smelchior

@mbarneyjr thank you for adding support for this, this has really helped us :) and it has been working great with the 4.5.0a4 version.
Do you know when a new release will be available? This would make it easier to roll out the new version when it is available in brew directly.

@mbarneyjr
Member

4.5.0 has been released, sorry for the delay!

We're still deciding between supporting AWS SSO natively or recommending the use of that tool described above to work with awsume for AWS SSO support, so for the time being I'll leave this issue open.

@urz9999

urz9999 commented Jan 14, 2021

In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give our open-source project a try: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval, then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools/SDKs.

@eduardohki

eduardohki commented Apr 15, 2021

Hi @mbarneyjr,

We developed an internal Python script to do what awsume does, but for AWS SSO profiles.

What we basically do is run the following with an existing SSO profile, and append it to a credentials file we add later to the env, like awsume does:

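import subprocess

# profile_name, sso_role_name, sso_account_id, sso_access_token and sso_region
# are set earlier in the script (not shown here).
# Ask AWS SSO for temporary role credentials through the AWS CLI v2.
new_sso_role_creds = subprocess.run(
    [
        "aws",
        "sso",
        "get-role-credentials",
        "--profile",
        profile_name,
        "--role-name",
        sso_role_name,
        "--account-id",
        sso_account_id,
        "--access-token",
        sso_access_token,
        "--region",
        sso_region,
    ],
    # Capture both streams so the result and any error text can be inspected.
    stderr=subprocess.PIPE,
    stdout=subprocess.PIPE,
)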

How hard is it to implement something in the existing awsume codebase or a plugin?

I find the idea of using another tool for that not so nice, and would be willing to implement this.

Thanks!

@tairosonloa

Any updates on this?

@tchiaspko

Any update on this?

@francosalcedo

updates?

@tchiaspko

tchiaspko commented Feb 22, 2023

It works for me after adding this line to each profile:
credential_process = aws-sso-credential-process --profile sso-profile-name

You can get aws-sso-credential-process from https://github.com/benkehoe/aws-sso-credential-process
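
An added illustration, not code from this thread, awsume or aws-sso-credential-process: it lists the SSO profiles in a config that still lack a `credential_process` line, and converts the JSON returned by `aws sso get-role-credentials` into the JSON document a `credential_process` helper must print, refusing credentials that have already expired. The function names and all sample values are constructed for this example, and it assumes an SSO profile can be recognised by its `sso_start_url` key.

```python
import configparser
import json
from datetime import datetime, timezone

# Constructed sample: the issue's profile with the credential_process line added,
# plus a second SSO profile that still lacks it.
SAMPLE_CONFIG = """
[profile self]
sso_start_url = https://EXAMPLE.awsapps.com/start
sso_region = ap-southeast-1
sso_account_id = 111111111111
sso_role_name = PowerUserAccess
credential_process = aws-sso-credential-process --profile self

[profile sso-only]
sso_start_url = https://EXAMPLE.awsapps.com/start
sso_region = ap-southeast-1
"""

# Constructed sample shaped like `aws sso get-role-credentials` output;
# "expiration" is epoch milliseconds.
SAMPLE_ROLE_CREDS = json.dumps({"roleCredentials": {
    "accessKeyId": "ASIAEXAMPLEKEYID", "secretAccessKey": "example-secret",
    "sessionToken": "example-token", "expiration": 4102444800000}})


def profiles_needing_helper(config_text):
    """Return names of SSO profiles that have no credential_process set."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    return [name.replace("profile ", "", 1) for name in cfg.sections()
            if "sso_start_url" in cfg[name]
            and "credential_process" not in cfg[name]]


def to_credential_process(role_creds_json, now=None):
    """Convert get-role-credentials JSON into credential_process output JSON."""
    creds = json.loads(role_creds_json)["roleCredentials"]
    expires = datetime.fromtimestamp(creds["expiration"] / 1000, tz=timezone.utc)
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("SSO role credentials have already expired")
    return json.dumps({
        "Version": 1,  # required by the credential_process contract
        "AccessKeyId": creds["accessKeyId"],
        "SecretAccessKey": creds["secretAccessKey"],
        "SessionToken": creds["sessionToken"],
        "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
```

Because the helper writes credentials to stdout on demand, nothing long-lived has to be stored in `~/.aws/credentials`; the caller re-invokes it once `Expiration` has passed.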

@eduardohki

eduardohki commented Feb 22, 2023

@francosalcedo @tchiaspko I have eventually moved on from awsume to https://granted.dev/ - which is a much better solution at this point.

@mgmarino

mgmarino commented Feb 22, 2023

Just to add my 2c, we have been using aws-sso-util (https://pypi.org/project/aws-sso-util/) together with awsume quite successfully. It works well both programmatically and from the command line.

aws-sso-util has many utilities to auto populate your profiles, etc.

@mtskillman
Collaborator

Note: this issue should be considered a feature request for native support of SSO, as opposed to the indirect support via the credential_process property mentioned above by mbarneyjr.
