Obtain credentials from `cli/cache` json file #3186
Comments
I'm encountering the same thing, using Terragrunt. I'm trying to use: `AWS_PROFILE=named_sso_profile terragrunt apply` which fails to work, as noted in the linked issue, with a It'd be great to know if there's an estimated timeline for integrating SSO profiles into the Go SDK credentials chain, or if there's a suggested workaround in the meantime?
I've been bitten by this issue as well when migrating to AWS CLI v2. I was hoping to have an experience similar to Unfortunately that breaks pretty much everything that uses credential chains. @dylburger my current workaround is the same one @psaffrey-origami described, a small script that gets the temporary creds from the json and pushes them to my environment.
+1
You can use my tool aws-sso-credential-provider to enable AWS SSO integration with the Go SDK while we wait for proper integration.
If you don't want to rely on Python system dependencies, here's a similar credential provider in Go: https://github.com/flyinprogrammer/aws-sso-fetcher
Can I try my hands on this?
This might be closable by this?
Is this related to a problem?
Going upstream after creating this: kubernetes-sigs/aws-iam-authenticator#296
Feature description
Describe what you want to happen.
If you use AWS CLI 2.0 SSO integration, you don't end up with credentials stored either in environment variables or a shared credentials file in `$HOME/.aws/credentials`. What you do get is a json file in `$HOME/.aws/sso/cache/` with an access token. The first time you run an AWS CLI command it produces another json file in `$HOME/.aws/cli/cache` that contains an `AccessKeyId`, `SecretAccessKey` and `SessionToken` that (if converted into environment variables or a `credentials` file) can be used to run CLI commands. These are needed by `aws-iam-authenticator` to connect to `k8s`.

What I'm after is for these cache files to be natively supported by the SDK so that if I build `aws-iam-authenticator` against it, it will "just work" without me having to monkey around with these cache files directly.

Describe alternatives you've considered

I wrote a script that converts the `cli/cache/*.json` file to `credentials`, but it's annoying to have this script in there. Also, the json file has a 40 character name in hex and I'm not sure where that comes from, so my script approach seems a bit fragile.

As described in kubernetes-sigs/aws-iam-authenticator#296, I also looked into some issues that looked related but I think they are about slightly different things.
Additional context
We are a little surprised that nobody else has encountered this problem and as always, perhaps we're doing something wrong :( I'm not sure whether this SSO integration is new to AWS CLI 2.0 and there's just some lag in introducing this feature...? Or whether we're supposed to integrate against SSO in some other way?
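
The conversion workaround described in this issue, written in Go as an added example (it is not code from the issue author or from the SDK). It assumes the three keys sit under a top-level `Credentials` object beside an `Expiration` timestamp; `creds` and `LatestCredentials` are hypothetical names, and files are selected by content and expiry so nothing depends on the 40-character file name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// creds is the assumed payload: these keys sit under a top-level "Credentials" object.
type creds struct{ AccessKeyId, SecretAccessKey, SessionToken, Expiration string }

// LatestCredentials returns SDK environment variables taken from the unexpired
// cache entry that expires last. Entries are judged by content, not file name.
func LatestCredentials(dir string, now time.Time) (map[string]string, error) {
	paths, _ := filepath.Glob(filepath.Join(dir, "*.json"))
	best, bestExp := creds{}, time.Time{}
	for _, p := range paths {
		var e struct{ Credentials creds }
		raw, err := os.ReadFile(p)
		if err != nil || json.Unmarshal(raw, &e) != nil || e.Credentials.AccessKeyId == "" {
			continue // unreadable, malformed, or not a credentials file
		}
		exp, err := time.Parse(time.RFC3339, e.Credentials.Expiration)
		if err != nil { // assumed variant: literal "UTC" suffix instead of "Z"
			exp, err = time.Parse("2006-01-02T15:04:05UTC", e.Credentials.Expiration)
		}
		if err == nil && exp.After(now) && exp.After(bestExp) {
			best, bestExp = e.Credentials, exp
		}
	}
	if bestExp.IsZero() {
		return nil, fmt.Errorf("no unexpired credentials in %s", dir)
	}
	return map[string]string{"AWS_ACCESS_KEY_ID": best.AccessKeyId,
		"AWS_SECRET_ACCESS_KEY": best.SecretAccessKey, "AWS_SESSION_TOKEN": best.SessionToken}, nil
}

func main() {
	env, err := LatestCredentials(filepath.Join(os.Getenv("HOME"), ".aws", "cli", "cache"), time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for k, v := range env {
		fmt.Printf("export %s='%s'\n", k, v)
	}
}
```

The output is meant for `eval` in the current shell; writing it to a file would leave a second copy of the session secrets on disk.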