Obtain credentials from cli/cache json file #3186

Closed
psaffrey-origami opened this issue Mar 5, 2020 · 8 comments
Labels
feature-request A feature should be added or improved.

Comments

@psaffrey-origami

Is this related to a problem?

Going upstream after creating this: kubernetes-sigs/aws-iam-authenticator#296

Feature description

Describe what you want to happen.

If you use AWS CLI 2.0 SSO integration, you don't end up with credentials stored either in environment variables or a shared credentials file in $HOME/.aws/credentials. What you do get is a JSON file in $HOME/.aws/sso/cache/ with an access token. The first time you run an AWS CLI command, it produces another JSON file in $HOME/.aws/cli/cache that contains an AccessKeyId, SecretAccessKey and SessionToken that (if converted into environment variables or a credentials file) can be used to run CLI commands. These are needed by aws-iam-authenticator to connect to k8s.

What I'm after is for these cache files to be natively supported by the SDK so that if I build aws-iam-authenticator against it, it will "just work" without me having to monkey around with these cache files directly.

Describe alternatives you've considered

I wrote a script that converts the cli/cache/*.json file to credentials, but it's annoying to have this script in there. Also, the json file has a 40 character name in hex and I'm not sure where that comes from, so my script approach seems a bit fragile.

As described in kubernetes-sigs/aws-iam-authenticator#296, I also looked into some issues that looked related but I think they are about slightly different things.

Additional context

We are a little surprised that nobody else has encountered this problem and as always, perhaps we're doing something wrong :( I'm not sure whether this SSO integration is new to AWS CLI 2.0 and there's just some lag in introducing this feature...? Or whether we're supposed to integrate against SSO in some other way?
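Added example, not part of the original issue or of the SDK: one way the cache-to-environment workaround described above could be written in Go without depending on the hex file name. It assumes each cache file holds a top-level `Credentials` object with the three fields named in the issue plus an RFC 3339 `Expiration`; `creds`, `freshest` and `env` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// creds holds the three fields the issue names; the enclosing "Credentials"
// object and the RFC 3339 "Expiration" field are assumptions of this example.
type creds struct {
	AccessKeyId, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}

// freshest scans every *.json in dir, so it does not depend on the hex file
// name, and returns the complete, unexpired entry that expires last.
func freshest(dir string, now time.Time) (creds, error) {
	var best creds
	paths, _ := filepath.Glob(filepath.Join(dir, "*.json"))
	for _, p := range paths {
		var f struct{ Credentials creds }
		raw, err := os.ReadFile(p)
		if err != nil || json.Unmarshal(raw, &f) != nil {
			continue // unreadable, not JSON, or unexpected timestamp format
		}
		c := f.Credentials
		complete := c.AccessKeyId != "" && c.SecretAccessKey != "" && c.SessionToken != ""
		if complete && c.Expiration.After(now) && c.Expiration.After(best.Expiration) {
			best = c
		}
	}
	if best.AccessKeyId == "" {
		return best, fmt.Errorf("no unexpired credentials under %s", dir)
	}
	return best, nil
}

// env renders the entry as the variables the SDK's environment provider reads.
func (c creds) env() []string {
	return []string{"AWS_ACCESS_KEY_ID=" + c.AccessKeyId,
		"AWS_SECRET_ACCESS_KEY=" + c.SecretAccessKey, "AWS_SESSION_TOKEN=" + c.SessionToken}
}

func main() {
	home, _ := os.UserHomeDir()
	c, err := freshest(filepath.Join(home, ".aws", "cli", "cache"), time.Now())
	fmt.Fprintln(os.Stderr, len(c.env()), "variables, expiry", c.Expiration, "error:", err)
}
```

The slice from `env()` can be appended to `exec.Cmd.Env` for a child process, which keeps the session credentials out of the shared credentials file and out of the terminal.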

@dylburger

I'm encountering the same thing, using Terragrunt. I'm trying to use:

AWS_PROFILE=named_sso_profile terragrunt apply

which fails to work, as noted in the linked issue, with a NoCredentialProviders error.

It'd be great to know if there's an estimated timeline for integrating SSO profiles into the Go SDK credentials chain, or if there's a suggested workaround in the meantime?

@CarlosDomingues

CarlosDomingues commented May 5, 2020

I've been bitten by this issue as well when migrating to AWS CLI v2. I was hoping to have an experience similar to az login - getting temporary credentials for programmatic access using a strong authentication method.

Unfortunately that breaks pretty much everything that uses credential chains.

@dylburger my current workaround is the same one @psaffrey-origami described: a small script that gets the temporary creds from the JSON and pushes them to my environment.

> We are a little surprised that nobody else has encountered this problem and as always, perhaps we're doing something wrong :( I'm not sure whether this SSO integration is new to AWS CLI 2.0 and there's just some lag in introducing this feature...? Or whether we're supposed to integrate against SSO in some other way?

+1

@benkehoe

You can use my tool aws-sso-credential-provider to enable AWS SSO integration with the Go SDK while we wait for proper integration.

@flyinprogrammer

If you don't want to rely on Python system dependencies, here's a similar credential provider in Go: https://github.com/flyinprogrammer/aws-sso-fetcher

@goku321

goku321 commented Nov 25, 2020

Can I try my hands on this?

@sidewinder12s

This might be closable by this?

#3755

@skmcgrail
Member

Support for AWS SSO has been added as part of #3755 and was released in v1.37.0. As such I am going to close this issue, but if you encounter any issues with the new provider please create a new GitHub issue so our team can investigate.

