Bumping AWS GO SDK to 1.38.42 to fix AWS SSO auth woes #29017
Any status on this PR?
Could a maintainer please merge one of those ? @apparentlymart, @jbardin, @bflad ?
I took care to determine what was the first version of the Go SDK to handle this properly. If I'm not mistaken then any version before the one I've upgraded to will not fix the issue. Therefore the other two PRs aren't duplicates of this one as they upgrade to versions prior to the one I've upgraded to.
Fair enough, just wanted to highlight that we wanted to upgrade this lib for months now in order to fix AWS SSO issues but nothing moved forward so far.
Yeah, it'd be great if we could get this fixed. It'd be a small change for HashiCorp but a huge leap for quite a few users of Terraform
Sylvain Rabot ***@***.***> wrote on Thu, 22 July 2021, 08:09:
… Fair enough, just wanted to highlight that we wanted to upgrade this lib
for months now in order to fix AWS SSO issues but nothing moved forward so
far.
Really waiting for this PR, is there a reason for the delay?
@tombuildsstuff @mbfrahry @apparentlymart @jbardin @bflad, could one of you be kind enough to spare some time and review/merge this PR ?
@hashicorp/terraform-aws
…oth SSO config and credential_process at the same time
ty ♥
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
AWS SSO is used in many organizations to authenticate users for access to their AWS accounts. It's the same scale organizations that would very likely also use Terraform to manage their infrastructure. However, proper support for using this authentication scheme landed in the CLI and SDKs only over time, with features like interactive re-authentication (as may be needed when temporary credentials expire) still not universally supported. It's because of this that many people, including myself, will configure their profiles in their local AWS config such that in addition to the SSO configuration, there is a `credential_process`, which provides backwards compatibility for applications not supporting SSO as well as helps trigger an interactive re-auth as needed (such as aws-sso-util).

For a while the AWS GO SDK derived from the behaviour of all the other AWS SDKs when it comes to handling profiles with this configuration. This has been addressed in aws/aws-sdk-go #3763 and a fix to that merged in aws/aws-sdk-go PR#3763, which landed in aws/aws-sdk-go v1.38.42 and subsequently hashicorp/terraform-provider-aws v3.41.0.

However, this issue not only affected hashicorp/terraform-provider-aws (as initially brought up in #24133) but also affects Terraform itself, specifically when using AWS for storing the state, for example in S3. When using this common profile configuration of both SSO and `credential_process` simultaneously, `terraform init` will - because of its outdated AWS GO SDK dependency - fail with

This pull request is to bump this dependency to the minimum version needed to fix this issue and achieve consistent behaviour between Terraform itself and its AWS Provider as well as compared to most other locally run tools that require AWS authentication.
FYI: The current workaround is to create a separate named profile with only a `credential_process` configured to point to the actual SSO profile. This works but it also means essentially duplicating all required profiles, which is far from ideal.
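
As an added example (not part of this pull request or of Terraform's code), the following Go program lists the profiles in an AWS config file that set both `sso_*` keys and `credential_process`, which is the combination the description says fails on builds using an AWS Go SDK older than v1.38.42. The function name `MixedProfiles`, the profile names and the sample config values are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleConfig is a constructed ~/.aws/config; profile names, URL and IDs are made up.
const sampleConfig = `
[profile dev-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = Developer
credential_process = aws-sso-util credential-process --profile dev-sso

[profile dev-tf]
credential_process = aws-sso-util credential-process --profile dev-sso
`

// MixedProfiles returns, sorted, every profile that sets both sso_* keys and credential_process.
func MixedProfiles(config string) []string {
	sso, proc, cur := map[string]bool{}, map[string]bool{}, ""
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			// "[profile name]" and "[default]" both reduce to the bare profile name.
			cur = strings.TrimSpace(strings.TrimPrefix(line[1:len(line)-1], "profile "))
			continue
		}
		// Commented-out keys start with '#' or ';' and therefore match neither test below.
		if key, _, ok := strings.Cut(line, "="); ok && cur != "" {
			key = strings.ToLower(strings.TrimSpace(key))
			sso[cur] = sso[cur] || strings.HasPrefix(key, "sso_")
			proc[cur] = proc[cur] || key == "credential_process"
		}
	}
	var out []string
	for name, isSSO := range sso {
		if isSSO && proc[name] {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println(MixedProfiles(sampleConfig)) }
```

In the sample, `dev-sso` is reported, while `dev-tf` (the workaround shape, `credential_process` only) is not.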