ListAccountsAsync requires credentials for the underlying AmazonSSOClient even if provided with the access token #1744
Comments
Hi @luckerby, Good morning. Please confirm if AccessToken is the Azure access token. All Amazon SDK clients need credentials resolved to use the AWS Services, either via constructor or via predetermined resolution path (as mentioned in the documentation). Hence, as you mentioned, that could be the cause of the error. Thanks,
Putting the access token in a parser - such as https://jwt.io - shows that this is most likely an AWS-issued token. A decoded part is below (I've masked the id and guid seen).
My concern is why do I need to provide bogus credentials in order for the call to
Hi @luckerby, I understand your concern about needing to provide bogus credentials when trying to use the access token. However, as the documentation points out, all AWS Service clients require AWS credentials in some form or the other, before invoking any service operation. Please refer to aws/aws-tools-for-powershell#91 (comment) on how to use the SSO access token to get temporary session credentials to access service clients. Hope that helps. Also, I'm not sure if it is related, there is also a feature request #1676 related to SSO. Thanks,
@ashishdhingra thanks for the links. I've actually been through both, but haven't registered in my mind the use of As for the second link - it's somehow related, as it would eventually be nice to get access to the various roles spread within various AWS accounts, and not have to manually open a browser window to have the authentication occur (thus retrieving the access token). But to be honest, this is outside the scope of my initial issue.
@luckerby The Credential and profile resolution and service client constructor definition indicate the requirement of AWS credentials. The Configure AWS credentials page in the developer guide lists configuring AWS credentials as one of the steps. All the service clients in the .NET SDK are wrappers for calling service API operations (some having custom implementation). To access the service API operations, it needs AWS credentials. Hope this helps. Thanks,
@ashishdhingra The second link only touches on IAM users; for SSO ones, access keys can only be obtained per each role presented as a permission set within target AWS accounts. For the first link, I have to admit that I don't know how the process works in detail when federating AWS with AD FS, but when using Azure as the IdP for AWS SSO, the following is not yet applicable: "Temporary credentials are granted to the user automatically". I'm thinking that a simple note for this scenario, along the lines of "even if you present an access token, use a credential, even if it has to be an empty one", added to the documentation would help people in the future.
Hi @luckerby, The section Using federated user account credentials on Credential and profile resolution provides details about setting up federated access using AWS Tools for Windows PowerShell, which involves creating a SAML role profile. There is also a blog post AWS Federated Authentication with Active Directory Federation Services (AD FS) which provides details about federated authentication. Hope this provides some valuable information. Kindly confirm if we could close this issue. Thanks,
@ashishdhingra - your call if you want to close it. My original concern still remains, that currently the fact that bogus credentials have to be used for the SSO SAML scenario is not clearly communicated.
Hi @luckerby, The blog post Web Identity Federation using the AWS SDK for .NET mentions the use of Thanks,
Hi @luckerby, Good morning. SSO credentials are supported in the latest version of Thanks,
This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
I'm using an AWS organization that has SSO configured to use Azure as its IdP. There are multiple accounts in the organization.
I'm writing some C# code that - based on the access token a user has - retrieves the accounts the user has been granted rights to via permission sets. I'm using the `AmazonSSOClient` class within the `AWSSDK.SSO` NuGet package. As I already have the user token, there's not really any need for credentials. However, trying to use an `AmazonSSOClient` constructor that doesn't take `AWSCredentials` as parameter, and invoke the `ListAccountsAsync` method with the access token against it, always results in an error that complains that EC2 instance metadata can't be retrieved.

Digging further, I came across the "Credential and Profile Resolution" section here which led me to understand that the error I'm seeing is due to credentials not being found in any of the predetermined locations, and it finally errors out after step 8 in that link. However, for this particular instance - where the access token is already present and supplied via the `ListAccountsRequest`'s `AccessToken` property - there's no need for any credential.

To work around the problem, I have to either specify some existing profile (which is not related in any way to the SSO service I'm trying to access) or use a bogus credential in the form of `new BasicAWSCredentials(null, null)` and pass this to `AmazonSSOClient`'s constructor. This shouldn't be required though.

Environment
`AWSSDK.SSO` version 3.5.0.37
This is a 🐛 bug-report
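The workaround described in the issue (a placeholder credential object on `AmazonSSOClient`, with authorisation carried by the `AccessToken` on each request), plus the follow-on step the maintainers point to in the comments (exchanging the SSO access token for temporary role credentials), written out as an added example. This is not code from the issue author or from the aws-sdk-net project; it assumes the SSO access token has already been obtained through the browser login, that the Identity Center (AWS SSO) instance is in the region passed in, and that `GetRoleCredentials` is exposed by `AWSSDK.SSO` as `GetRoleCredentialsAsync` (the SSO API's documented operation for obtaining per-role session credentials). The region, the `SSO_ACCESS_TOKEN` variable name and the fallback string are placeholders.

```csharp
// Added example, not code from the issue or the aws-sdk-net project.
// Assumes: an SSO access token already obtained via the browser login, and the
// Identity Center (AWS SSO) instance living in the region passed to the methods.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.SSO;
using Amazon.SSO.Model;

public static class SsoAccessTokenExample
{
    // Builds the SSO client the way the issue describes: ListAccounts and GetRoleCredentials
    // are authorised by the access token inside each request, but the SDK still resolves
    // credentials for every client. Supplying a placeholder object stops it from walking the
    // resolution chain (profiles, environment variables, EC2 instance metadata) and failing.
    private static AmazonSSOClient CreateClient(RegionEndpoint region)
    {
        var placeholder = new BasicAWSCredentials(null, null); // workaround reported in the issue
        return new AmazonSSOClient(placeholder, region);
    }

    // Lists every account the token holder has been assigned a permission set in,
    // following the NextToken pagination until the service reports no more pages.
    public static async Task<List<AccountInfo>> ListAccountsAsync(string accessToken, RegionEndpoint region)
    {
        using var sso = CreateClient(region);
        var accounts = new List<AccountInfo>();
        string nextToken = null;
        do
        {
            var response = await sso.ListAccountsAsync(new ListAccountsRequest
            {
                AccessToken = accessToken,   // the only credential the operation actually needs
                NextToken = nextToken
            });
            accounts.AddRange(response.AccountList);
            nextToken = response.NextToken;
        } while (!string.IsNullOrEmpty(nextToken));
        return accounts;
    }

    // Exchanges the access token for short-lived credentials of one permission-set role in one
    // account. The returned object can be passed to any ordinary service client constructor,
    // which is the route the maintainers describe for reaching other services with SSO.
    public static async Task<SessionAWSCredentials> GetRoleSessionAsync(
        string accessToken, string accountId, string roleName, RegionEndpoint region)
    {
        using var sso = CreateClient(region);
        var response = await sso.GetRoleCredentialsAsync(new GetRoleCredentialsRequest
        {
            AccessToken = accessToken,
            AccountId = accountId,
            RoleName = roleName
        });
        RoleCredentials c = response.RoleCredentials;
        return new SessionAWSCredentials(c.AccessKeyId, c.SecretAccessKey, c.SessionToken);
    }

    public static async Task Main()
    {
        // Placeholder inputs; the token is read from the environment so it never sits in source.
        string accessToken = Environment.GetEnvironmentVariable("SSO_ACCESS_TOKEN") ?? "<sso-access-token>";
        var region = RegionEndpoint.EUWest1; // placeholder: use the region of your SSO instance

        foreach (var account in await ListAccountsAsync(accessToken, region))
        {
            Console.WriteLine($"{account.AccountId}  {account.AccountName}  {account.EmailAddress}");
        }
    }
}
```

Nothing is signed with the placeholder credentials; every call is authorised solely by the access token in the request, so the token should be handled like any bearer secret (kept out of logs and source control, and discarded when the session ends). The thread does not settle whether a credential-less constructor ought to work for token-authorised operations; the example simply encodes the workaround as reported against `AWSSDK.SSO` 3.5.0.37.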