'NoneType' object has no attribute 'get_frozen_token' when using new SSO session configuration #7496
Comments
Hi @zvickery - thanks for reaching out. I attempted to replicate the error on the same CLI version but wasn't able to reproduce the same behavior. Could you confirm that you've already run Please let me know if issue persists. |
Oh interesting. It does work if I do
With the new SSO profiles in use the In my opinion, Hopefully that all makes sense - this is kind of gnarly! |
I had this occur when I added a duplicate profile with access keys, and the existing profile was referencing a source_profile configured with sso.
|
I had this occur too when switching to the new sso session support, with AWS CLI 2.9.6. The
Then I do sso login on my default profile with I check access with
Then I do that for the profile using the role with
When using the older non-refreshable SSO token configuration, like below, it works without problem, using the same commands as above.
|
Exactly the same problem - the below configuration doesn't work when running

[profile sso-role]
sso_session = sso
sso_account_id = yyyyyyyyyyyy
sso_role_name = sso-role
[profile assumed-role]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/assumed-role
source_profile = sso-role
[sso-session sso]
sso_start_url = https://xxxxxxxxxxxx.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

due to the

[profile sso-role]
sso_start_url = https://xxxxxxxxxxxx.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
sso_account_id = yyyyyyyyyyyy
sso_role_name = sso-role
[profile assumed-role]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/assumed-role
source_profile = sso-role |
Thank you all for reporting. We were able to reproduce this behavior and it's currently under investigation. I'm going to mark this as a bug and post updates as soon as we have them. |
Quick update here: our team member created this PR that fixes this issue and is now pending review. I will check back in here once it's merged. |
|
Bumps [boto3](https://github.com/boto/boto3) from 1.26.60 to 1.26.76.
Changelog (sourced from [boto3's changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst)), 1.26.75:
- bugfix:SSO: [botocore] Fixes aws/aws-cli [#7496](https://github.com/aws/aws-cli/issues/7496) by using the correct profile name rather than the one set in the session.
Facing the same problem with aws-cli/2.9.15. I see the MR has been approved and merged? Can someone update here what the fixed CLI version for this issue would be? |
Hi @krishansrimal, the commit with the relevant patch was introduced in version 2.10.2. |
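The failing and working configurations posted in this thread differ in whether the profile named by `source_profile` uses `sso_session`. As an added example (not part of the thread and not AWS CLI code), this Python script scans AWS config text and lists role profiles whose `source_profile` chain reaches an `sso_session` profile, the layout reported here as failing. The sample config is constructed from the thread's snippets; the names `legacy-sso`, `legacy-assumed`, `load_profiles` and `affected_profiles` are hypothetical.

```python
import configparser

# Constructed sample: the session-based and legacy layouts from the thread.
SAMPLE_CONFIG = """\
[profile sso-role]
sso_session = sso
[profile assumed-role]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/assumed-role
source_profile = sso-role
[profile legacy-sso]
sso_start_url = https://xxxxxxxxxxxx.awsapps.com/start
sso_region = eu-central-1
[profile legacy-assumed]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/assumed-role
source_profile = legacy-sso
[sso-session sso]
sso_start_url = https://xxxxxxxxxxxx.awsapps.com/start
sso_region = eu-central-1
"""

def load_profiles(text):
    """Return {profile_name: {key: value}} from AWS config file text."""
    # strict=False tolerates duplicate sections instead of raising.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        if section == "default":
            profiles["default"] = dict(parser[section])
        elif section.startswith("profile "):
            profiles[section[len("profile "):].strip()] = dict(parser[section])
    return profiles

def affected_profiles(text):
    """Map each role profile to the sso_session profile its chain reaches."""
    profiles = load_profiles(text)
    hits = {}
    for name, cfg in profiles.items():
        if "role_arn" not in cfg:
            continue  # only role profiles chain through source_profile
        seen, current = {name}, cfg.get("source_profile")
        while current in profiles and current not in seen:  # stop on loops
            seen.add(current)
            if "sso_session" in profiles[current]:
                hits[name] = current
                break
            current = profiles[current].get("source_profile")
    return hits
```

Passing the contents of `~/.aws/config` to `affected_profiles` returns the role profiles to retest after upgrading to the CLI version named in the comment above.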
Describe the bug
I am attempting to use the new SSO session configuration in conjunction with CLI profiles that are IAM roles. If I do this, I get the below error when running any AWS command:
Expected Behavior
The AWS CLI works as expected with the "legacy" SSO configuration format (no sessions):
Current Behavior
Here is debug logging from running this. Note that the role configuration looks like below:
CLI debug logs:
Reproduction Steps
Any AWS CLI command should work to repro. The key is having the "session-ized" SSO configuration from above:
Possible Solution
I suspect the logic just needs to be session-aware?
Additional Information/Context
No response
CLI version used
CLI version: aws-cli/2.9.3 Python/3.11.0 Darwin/21.6.0 source/arm64
Environment details (OS name and version, etc.)
MacOS 12.6.1, awscli installed with brew. arm64 architecture