Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS SSO Named Profiles Support #5455

Closed
vikyol opened this issue Dec 17, 2019 · 56 comments
Closed

AWS SSO Named Profiles Support #5455

vikyol opened this issue Dec 17, 2019 · 56 comments
Labels
effort/large Large work item – several weeks of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI
Projects

Comments

@vikyol
Copy link

vikyol commented Dec 17, 2019

AWS CLI v2 supports AWS SSO named profiles.

However, CDK CLI cannot resolve SSO named profiles yet.

$ cdk deploy --profile sso-named-profile

Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

Without this feature, users have to login to SSO user portal and fetch credentials for command line and CLI access, which needs to be repeated every time the credentials expire.

Even though CLI v2 is still in preview, it would be good to have this feature implemented for early adopters.

Use Case

  • Simplify deployments to multiple-accounts for AWS SSO users.

Proposed Solution

  • Read sso_start_url, sso_role_name and sso_account_id from ~/.aws/config file.
  • Fetch the accessToken in ~/.aws/sso/cache/ matching sso_start_url.
  • Fetch temporary credentials from STS using SSO.get-role-credentials() with accessToken, sso_account_id and sso_role_name parameters.

This is a 🚀 Feature Request

@vikyol vikyol added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 17, 2019
@vikyol vikyol changed the title Support AWS SSO Named Profiles AWS SSO Named Profiles Support Dec 17, 2019
@SomayaB SomayaB added the package/tools Related to AWS CDK Tools or CLI label Dec 18, 2019
@shivlaks shivlaks added the effort/large Large work item – several weeks of effort label Feb 5, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Mar 5, 2020
@shivlaks
Copy link
Contributor

shivlaks commented Apr 18, 2020

@excavador @Douglas-Scott can you please represent your +1 as a reaction to the feature request to capture your interest in this being implemented. It helps make it searchable and doesn't clutter up the thread.

@ReidWeb
Copy link
Contributor

ReidWeb commented Apr 20, 2020

Given the CLI is now GA, and it seems a number of other users are facing this issue would it be possible to at least add a note to the docs indicating the lack of support at this time?

@ibex-dev
Copy link

ibex-dev commented May 6, 2020

As a temporary workaround, you can use the aws sso login feature to authenticate your CLI and export the retrieved access key ID, secret access key and session token as environment variables (json saved by default under ~/.aws/cli/cache/).
I wrote a quick bash wrapper for aws sso login that takes care of that. I invoke it once a day. If you don't feed a profile to CDK, it will look next for your env variables, so that does the trick.

@brainstorm
Copy link

brainstorm commented May 27, 2020

@ibex-dev Would you mind sharing that bash wrapper here? :)

@nspottsie
Copy link

nspottsie commented Jun 20, 2020

The mention from @victorskl above suggests using yawsso as a work around to sync the SSO credentials from ~/.aws/cli/cache to ~/.aws/credentials and it worked for me.

@beuleal
Copy link

beuleal commented Jun 25, 2020

I know its a bit old, but I'd like to contribute too.

I was facing the following error:
Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

I did a wrap for deploy into multiples account:

...
  console.log(` Setting Profile: ${account.name}`);
  let access_key = execSyncCmd(
    `aws configure get aws_access_key_id --profile ${account.name}`
  );

  let aws_secret_access_key = execSyncCmd(
    `aws configure get aws_secret_access_key --profile ${account.name}`
  );

  console.log(access_key);
  console.log(aws_secret_access_key);

  execSyncCmd(
    `aws configure set aws_access_key_id ${access_key} --profile default`
  );

  execSyncCmd(
    `aws configure set aws_secret_access_key ${aws_secret_access_key} --profile default`
  );

  execSyncCmd(`aws configure set region us-east-1 --profile default`);

  console.log(`[OK] Profile Set!`);

  execSyncCmd(`cdk deploy <stack-name> `);
...

@mateja82
Copy link

mateja82 commented Jun 25, 2020

Not sure if this helps anyone, but in my organization we use AWS SSO, with over 90 AWS Accounts, with MFA, so it was impossible to manage CDK without AWS SSO support. I found a way to solve it, so till its officially relesed, you can use this, it works quite all right: MatsCloud blog - CDK with AWS SSO multi account multi profile

@gnomeria
Copy link

gnomeria commented Aug 1, 2020

Actually when this issue => #3008 been resolved based on https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html, I think it could work. At least we have a more proper workaround. Been using https://github.com/benkehoe/aws-sso-credential-process to get the credential_process for deploying through terraform

@shivlaks shivlaks added this to needs RFC in CLI Aug 7, 2020
@shivlaks shivlaks added the p1 label Aug 7, 2020
@shortjared
Copy link
Contributor

shortjared commented Oct 21, 2020

Howdy all, we solved this with exactly the following for AWS SSO... apologies for the copypaste from our internal docs but it is the quickest way to share.

Setup

The primary way you’ll likely interact with your CDK apps and AWS is through the CLI.

We’ll need a few things installed in order for a smooth process, once you do this once, you are set up for life (or until you need a new machine, whichever comes first.)

Run these commands

brew install pipx
pipx ensurepath
pipx install aws-sso-credential-process
pipx install aws-export-credentials

Install AWS CLI v2… the v2 part is very important.

Add the following to you .zshrc or .bashrc or whatever.

export AWS_CONFIGURE_SSO_DEFAULT_SSO_START_URL=https://stedi-sso.awsapps.com/start
export AWS_CONFIGURE_SSO_DEFAULT_SSO_REGION=us-east-1
sso(){
  unset AWS_PROFILE
  export AWS_PROFILE=$1
  aws sts get-caller-identity &> /dev/null || aws sso login || (unset AWS_PROFILE && aws-configure-sso-profile --profile $1)
  eval $(aws-export-credentials --env-export)
}

Usage

In a new shell (after you’ve added the sso function), do a simple sso {yourteam}-dev. On the first time you do this for any new “profile” name, it will say it isn’t found and step you through an SSO process that will interact with your default browser.

The command will walk you through a series of questions that will allow the AWS profile to be configured locally.

The first thing you will see is something like “There are [some number] AWS accounts available to you. At some point, your browser will load a series of signin screens. Enter your password, etc. if you are not already authenticated. Once you are done, return to the CLI, where you will click the account that you would like to use. If there are multiple roles available to you, you will be asked to select a role.

Once you configure this for a profile, you never have to walk through the config process again. You have to log in once every X hours for a given role (depending on your org settigns), otherwise, the sso {yourteam}-dev will just drop right into those creds as well as source them into your environment.

Test that you are authenticated properly by issuing the following AWS command: aws s3 ls

Behind the scenes, this process is adding an entry to ~/.aws/config. You can always drop into that file with your favorite text editor and modify the configuration. If you later discover that you chose the wrong account or role you can remove the profile from this configuration file and repeat the above process again.

@pahud
Copy link
Contributor

pahud commented Oct 21, 2020

@shortjared Thanks for the sharing.

Instead of exposing the credentials in env var, I have another preferable approach to generate or refresh the ~/.aws/credentials instead.

https://github.com/pahud/gitpod-workspace/blob/main/utils/refresh_credentials.sh

And I use this approach to create my gitpod workspaces for aws cdk development with aws sso support.

@redbaron
Copy link
Contributor

redbaron commented Nov 28, 2020

It is possible to have "native" integration with the help of aws2-wrap

Here is my ~/.aws/config :

[profile mycorp-sso]
sso_start_url = https://d-*******.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 99999999999
sso_role_name = AWSAdministratorAccess
region = eu-west-2

[profile mycorp]
credential_process = aws2-wrap --process --profile mycorp-sso
region = eu-west-1

You then use mycorp profile with CDK and visual studio code.

@ryan-mars
Copy link

ryan-mars commented Dec 7, 2020

I started using aws-sso-util which supersedes aws-sso-credential-process as recommended by @shortjared.

It is made by @benkehoe.
https://github.com/benkehoe/aws-sso-util

@urz9999
Copy link

urz9999 commented Jan 14, 2021

In case like this one or other similar cases where AWS SSO result in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third party tools / sdks.

@NGL321 NGL321 assigned rix0rrr and unassigned shivlaks Jan 25, 2021
@Stf-F
Copy link

Stf-F commented Mar 16, 2021

Hi, is there any plan to have a native support of AWS SSO with the CDK?
I used @redbaron recommendation and it worked like a charm but still feels like a hacky workaround.
Cheers

@hoegertn
Copy link
Contributor

hoegertn commented Mar 16, 2021

AFAIK the JS SDK does not support SSO so CDK cannot do it either. Credentials process is the only solution today to solve this.

@mrpackethead
Copy link

mrpackethead commented Nov 6, 2021

As it sits for me, all the workarounds for SSO, are significant friction, making it really unuseable.

@dbartholomae
Copy link
Contributor

dbartholomae commented Nov 7, 2021

For me, this got solved via AWS vault.

@chrichts
Copy link

chrichts commented Nov 19, 2021

@ericzbeard - is this something that's being considered at all? Are there blockers for implementing this that we just aren't aware of? This issue has been open for 2 years, so I just want to know if we should be looking for a more permanent workaround or if we can expect this to be implemented in the foreseeable future

@atkinson
Copy link

atkinson commented Nov 28, 2021

CDK isn't usable without SSO support.

At present, it's completely incompatible with orgs that use AWS Control Tower.

@mbergkvist
Copy link

mbergkvist commented Nov 28, 2021

CDK isn't usable without SSO support.

Sync your profiles with e.g. yawsso. Slightly inconvenient, but usable.

@paulrob-100
Copy link

paulrob-100 commented Jan 10, 2022

@rix0rrr please could you help us understand where this is on the various roadmaps?
I can see it in the CLI project in the "Needs RFC" column

I was hoping the CDK v2 would take the opportunity to upgrade to the AWS CDK for Javascript v3 which includes SSO support (see #5455 (comment)), however it's still using aws-sdk v2.
I'm assuming that's why the effort is marked as large here.

Could you indicate which of the RFCs, if any, plan to upgrade the SDK to v3?
Please could you help with the visibility of this feature request on the main roadmap? 🙏

@rob3c
Copy link

rob3c commented Jan 10, 2022

We've switched away from the IaC-unfriendly, rather opaque and inflexible Control Tower headache to the much nicer org-formation project for easier AWS Organizations multi-account management using IaC. It works well with SSO, and although it's originally (and still primarily) a direct CloudFormation tool, it has CDK support.

We deploy the CDK bootstrap template across org accounts using its declarative OrganizationBinding syntax, and there's an update-cdk task that deploys according to declared org account/OU patterns, applies temporary SSO credentials as the standard AWS environment variables, and lets you set parameters from across the org as CDK context variables. It also has the option of using custom deploy and remove commands if the defaults aren't sufficient.

If you're missing CDK SSO support and also looking for a nice, compliance-friendly way to manage your organization using Infrastructure-as-Code, it may be worth taking a look. It doesn't require a greenfield project, so you can also just point it at an existing org and give it a try.

@dannysteenman
Copy link

dannysteenman commented Jan 23, 2022

I wrote a small shell function that exports the temp credentials using aws-vault (brew install aws-vault) so you can run cdk commands using your sso profile. Just add the following function in your .zshrc:

# AWS Switch Profile
function awsprofile {
  if [[ -z "$1" ]]; then
    unset AWS_SDK_LOAD_CONFIG
    unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
    echo AWS Profile cleared.
    return
  fi

  export AWS_SDK_LOAD_CONFIG=true
  export AWS_DEFAULT_PROFILE=$1
  export AWS_PROFILE=$1
  export AWS_EB_PROFILE=$1

  creds=$(mktemp -d)/creds.json
  aws-vault exec ${AWS_PROFILE} -- env | grep AWS >$creds
  export AWS_ACCESS_KEY_ID=$(cat ${creds} | grep "AWS_ACCESS_KEY_ID" | cut -d '=' -f 2)
  export AWS_SECRET_ACCESS_KEY=$(cat ${creds} | grep "AWS_SECRET_ACCESS_KEY" | cut -d '=' -f 2)
  export AWS_SESSION_TOKEN=$(cat ${creds} | grep "AWS_SESSION_TOKEN" | cut -d '=' -f 2)
  export AWS_SESSION_EXPIRATION=$(cat ${creds} | grep "AWS_SESSION_EXPIRATION" | cut -d '=' -f 2)
  echo "Switched to AWS Profile: ${AWS_PROFILE}"
}

Then just run the following in your shell:

awsprofile <sso_profile_name>

To stop your session run awsprofile.

If you're using a prompt like starship then it will also show the remaining time of the active credentials:

$ awsprofile test-account
Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
Switched to AWS Profile: test-account
~ on  test-account (eu-west-1) [59m34s] took 14s

@RichiCoder1
Copy link
Contributor

RichiCoder1 commented Jan 23, 2022

I wrote a small shell function that exports the temp credentials using aws-vault (brew install aws-vault) so you can run cdk commands using your sso profile. Just add the following function in your .zshrc:

It's worth noting one of the reasons AWS Vault doesn't enable something like this by default is to not expose credentials unnecessarily. As mentioned above, the best (current) solution is SSO profiles combined with aws-vault's credential_process support which accomplishes effectively the same thing 😄.

[profile administrator-sso]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator

[profile administrator]
credential_process = aws-vault exec administrator-sso --json
export AWS_PROFILE=administrator # or $env:AWS_PROFILE="administrator" for pwsh
cdk deploy

@automartin5000
Copy link

automartin5000 commented Jan 24, 2022

I wrote a small shell function that exports the temp credentials using aws-vault (brew install aws-vault) so you can run cdk commands using your sso profile. Just add the following function in your .zshrc:

It's worth noting one of the reasons AWS Vault doesn't enable something like this by default is to not expose credentials unnecessarily. As mentioned above, the best (current) solution is SSO profiles combined with aws-vault's credential_process support which accomplishes effectively the same thing 😄.

[profile administrator-sso]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator

[profile administrator]
credential_process = aws-vault exec administrator-sso --json
export AWS_PROFILE=administrator # or $env:AWS_PROFILE="administrator" for pwsh
cdk deploy

Just tried this, and while I was able to get aws-vault exec working with AWS SSO, I couldn't get credential_process working. Kept getting The provided token has expired. Any ideas?

@RichiCoder1
Copy link
Contributor

RichiCoder1 commented Jan 24, 2022

Just tried this, and while I was able to get aws-vault exec working with AWS SSO, I couldn't get credential_process working. Kept getting The provided token has expired. Any ideas?

I don't know what does or doesn't cause aws-vault to automatically kick off the interactive login, but the fix for this is to aws sso login --profile <name-of-sso-profile> so --profile administrator-sso in this example. It's because the AWS CLI SSO Profile in question doesn't have cached credentials yet for that SSO account yet. If you have multiple SSO profiles sharing the same SSO account, this will login all of them in too FYI.

It's worth noting these cached credentials will also last for an hour by default, which you can tweak if you need via the duration_seconds configuration option: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#:~:text=credential_source%20%3D%20Ec2InstanceMetadata-,duration_seconds,-Specifies%20the%20maximum (you'd be setting this on the sso profile)

@spence95
Copy link

spence95 commented Feb 4, 2022

I was evaluating using CDK but due to this issue, I'm dumping it and just going back to plain CloudFormation.
This needs to be implemented natively with CDK.

@PatrykMilewski
Copy link

PatrykMilewski commented Feb 4, 2022

I was evaluating using CDK but due to this issue, I'm dumping it and just going back to plain CloudFormation. This needs to be implemented natively with CDK.

Lol man, don't do it to yourself, tools like Serverless Framework are way better for a lot of use cases comparing to CDK and in 2022 there is no valid argument to use plain CloudFormation

@automartin5000
Copy link

automartin5000 commented Feb 4, 2022

Yeah seems kinda extreme to completely dump a tool just avoid an extra npm install

@andreacavagna01
Copy link

andreacavagna01 commented Feb 4, 2022

I was evaluating using CDK but due to this issue, I'm dumping it and just going back to plain CloudFormation.

This needs to be implemented natively with CDK.

You can still use it by managing ur profiles and everything with Leapp https://github.com/Noovolari/leapp

@spence95
Copy link

spence95 commented Feb 4, 2022

in 2022 there is no valid argument to use plain CloudFormation

There's at least one, it integrates with SSO and lets you use --profile out of the box
¯\_(ツ)_/¯

@alistairstead
Copy link

alistairstead commented Feb 4, 2022

I switched to using aws-vault and this limitation is resolved

@ReidWeb
Copy link
Contributor

ReidWeb commented Feb 4, 2022

Can I suggest folks start a discussion if they're going to start debating the validity of approaches and alternatives, you're sending emails to at least 42 people every time you comment on this, and I really don't care for receiving emails for them

@polothy
Copy link
Contributor

polothy commented Mar 14, 2022

aws-sdk-js just released support for SSO: https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md#210930

Hopefully that means CDK just needs to upgrade to this version for SSO support vs upgrading to v3.

@jessedoyle
Copy link

jessedoyle commented Mar 23, 2022

Hey guys! We recently moved to AWS SSO and are now encountering this issue.

The workarounds suggested are fine, but missing native support in CDK for SSO profiles is a huge oversight in my opinion.

Now that V2 of the AWS JS SDK supports SSO, hopefully this feature can get implemented soon!

@ann8ty
Copy link

ann8ty commented Mar 23, 2022

To overcome the issue, I have a cdk-login-env.sh script for every environment that looks kind of like this...the key for this problem is use of yawsso to copy the creds over.

`COLOR='\033[1;32m'
NC='\033[0m'

CDK_PROFILE_NAME='userconfigured'

echo "${COLOR}SSO Login for ${CDK_PROFILE_NAME} ${NC}"
aws sso login --profile $CDK_PROFILE_NAME

echo "${COLOR}Copy to v1 credentials with yawsso${NC}"
yawsso -p $CDK_PROFILE_NAME

echo "${COLOR}CDK Bootstrap confirmation${NC}"
cdk bootstrap --profile $CDK_PROFILE_NAME

echo "${COLOR}CDK Diff - Testing credential and stacks${NC}"
cdk diff --all --profile $CDK_PROFILE_NAME`

when working with multiple environments, instead of diff --all its stack name prefixes for that account

cdk diff "prefix-environment-*" --profile $CDK_PROFILE_NAME

@ChristopheBougere
Copy link
Contributor

ChristopheBougere commented Mar 23, 2022

Hey guys! We recently moved to AWS SSO and are now encountering this issue.

The workarounds suggested are fine, but missing native support in CDK for SSO profiles is a huge oversight in my opinion.

Now that V2 of the AWS JS SDK supports SSO, hopefully this feature can get implemented soon!

It looks like SSO support has been merged 2 days ago in PR #19454

I'd say we can expect it to be available for the next release 🤞

@jessecollier
Copy link

jessecollier commented Mar 29, 2022

This was just released in 2.18.0 and 1.150.0. Confirmed it's working for me now!

@peterwoodworth
Copy link
Contributor

peterwoodworth commented Mar 29, 2022

Thanks @jessecollier, you're right! Here's the PR #19454

@github-actions
Copy link

github-actions bot commented Mar 29, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@LarsFronius
Copy link
Contributor

LarsFronius commented Nov 18, 2022

@shortjared Thanks for the sharing.

Instead of exposing the credentials in env var, I have another preferable approach to generate or refresh the ~/.aws/credentials instead.

https://github.com/pahud/gitpod-workspace/blob/main/utils/refresh_credentials.sh

FYI: Any of the workarounds that continue to use the implicit trust behaviour of SSO created roles don't work anymore with new roles and will stop to work by 15th of February 2023 due to https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
effort/large Large work item – several weeks of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI
Projects
No open projects
CLI
needs RFC
Development

No branches or pull requests