SSO authentication not working #2295
Comments
It seems that this is an issue caused by the way we create an AWS client: nextflow/plugins/nf-amazon/src/main/nextflow/cloud/aws/AmazonClientFactory.groovy (lines 99 to 125 in f2f1fde).
I'm sure there's a better way to do this by just deferring to the default AWS library for this, but I'm not 100% sure how to go about this.
A java based example showing how AWS SSO is expected to work could be useful in this context.
Sure. The SDK integration tests are located here: https://github.com/aws/aws-sdk-java-v2/tree/master/services/sso/src/test/java/software/amazon/awssdk/services/sso/auth. The most useful example is probably this one:
But this does not use AWS keys at all!
No it doesn't, I think that's kind of the point. It's like OAuth wherein each user signs in using the browser and then it gives you back a token which is stored in
I would say this can be solved in two steps. The first, easier step is just getting nextflow to understand SSO credentials obtained from the web console. These are regular credential sets, with an access key, secret key and session token. This corresponds to my first dot point. I'm a bit surprised this doesn't work already, actually, and I think it might relate to the fact that we're only using the 1.X SDK instead of 2.X which likely supports this kind of auth: nextflow/plugins/nf-amazon/build.gradle (lines 41 to 46 in f2f1fde).
However these credentials will expire very rapidly, which is annoying for users, so as the second step it is worth considering a full SSO auth client which is demonstrated in the above links.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Are there any plans to address this?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I have some interest in adding this feature. Would it be ok to pick it up? Or does someone already have it in their todo?
We recently improved a lot the auth logic for AWS, but SSO is still missing (unless it's included in the default credentials chain): nextflow/plugins/nf-amazon/src/main/nextflow/cloud/aws/AwsClientFactory.groovy (lines 266 to 282 in c0968c3).
Feel free to provide a PR.
This may be doable using the AWS SDK v2 to sign in and writing an adapter to authenticate the AWS client based on SDK v1, as described here.
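The adapter idea described in the comment above, written out as an added example (not code from this thread or from Nextflow): the SDK v2 profile provider resolves the sso_start_url profile created by aws configure sso, and a thin wrapper presents the result to an SDK v1 client. It assumes the software.amazon.awssdk:sso artifact and the v1 S3 client are on the classpath, and that the profile name is passed as the first argument; the region comes from the usual environment or config lookup.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;

// Resolves credentials with the SDK v2, which understands the sso_start_url
// profiles written by `aws configure sso` (the software.amazon.awssdk:sso
// artifact must be on the classpath), and exposes them to SDK v1 clients.
public class SsoToV1CredentialsAdapter implements AWSCredentialsProvider {
    private final AwsCredentialsProvider v2Provider;

    public SsoToV1CredentialsAdapter(String profileName) {
        // Reads ~/.aws/config and ~/.aws/credentials; SSO profiles are
        // delegated to the v2 SSO credentials provider automatically.
        this.v2Provider = ProfileCredentialsProvider.create(profileName);
    }

    @Override
    public AWSCredentials getCredentials() {
        // Resolve on every call: SSO role credentials are short-lived and the
        // v2 provider renews them from the cached SSO token in ~/.aws/sso/cache.
        // Once that token has expired this throws, and the user must run
        // `aws sso login --profile <name>` again.
        AwsCredentials c = v2Provider.resolveCredentials();
        if (c instanceof AwsSessionCredentials) {
            // SSO credentials are temporary: the session token must travel
            // with the key pair, otherwise S3 rejects the request.
            AwsSessionCredentials s = (AwsSessionCredentials) c;
            return new BasicSessionCredentials(s.accessKeyId(), s.secretAccessKey(), s.sessionToken());
        }
        return new BasicAWSCredentials(c.accessKeyId(), c.secretAccessKey());
    }

    @Override
    public void refresh() { /* nothing cached here; see getCredentials() */ }

    public static void main(String[] args) {
        String profile = args.length > 0 ? args[0] : "default"; // assumed profile name
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(new SsoToV1CredentialsAdapter(profile))
                .build();
        s3.listBuckets().forEach(b -> System.out.println(b.getName()));
    }
}
```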
Bug report
AWS recently added a new method of authentication: https://aws.amazon.com/single-sign-on/. However almost none of the methods AWS provides to authenticate work with Nextflow
Expected behavior and actual behavior
The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: XXXXXXXXXXXXXX; S3 Extended Request ID: XXXXXXXXXXXXXXXX)
aws_access_key_id and aws_secret_access_key in the credentials file
aws configure sso, which creates a kind of special AWS profile that does not have an access key or id in this form, but instead has the field sso_start_url. Here nextflow gives me: Missing AWS security credentials -- Provide access/security keys pair or define a IAM instance profile (suggested)
nextflow also doesn't let you provide the credentials on the command line for some reason I don't understand, e.g. nextflow run foo.nf -aws.accessKey XXXXXXXX -aws.secretKey YYYYYYYYY. This gives: Unknown option: -aws.accessKey
Steps to reproduce the problem
Program output
See above.
Environment
Nextflow version: 21.04.0
Java version: 1.8.0_152-release-1056-b12
5.1.4