Can't init org-formation using an SSO profile in CLI #538

Open
keithrobbo opened this issue Nov 8, 2023 · 4 comments

@keithrobbo

Subject of the issue

Can't init org-formation using an SSO profile in CLI.

Your environment

  • version of org-formation (ofn --version) 1.0.11
  • version of node (node --version) v20.9.0
  • which OS/distro OS Name: Microsoft Windows 10 Home OS Version: 10.0.19045 N/A Build 19045

Steps to reproduce

Configure AWS SSO in Windows CMD CLI. Log in using an SSO session and profile. Run the command to initialise org-formation and generate an organization.yml file e.g.: org-formation init organization.yml --region eu-central-1

Expected behaviour

There should be no errors and a file organization.yml generated locally in user folder.

Actual behaviour

2 examples (the difference is in how the profile is selected in the CLI): 1. Profile set to default. 2. Profile explicitly added to command. Note that the profile used has full administrator access (as an AWS IAM Identity Centre user) to the management/root AWS account for AWS Organisations. The profile is able to successfully perform administrative tasks from the CLI, e.g. creating and deleting S3 buckets, without any issue.

C:\Users\keith>set aws_profile=kmr-root
C:\Users\keith>org-formation init organization.yml --region eu-west-2
Error: ENOENT: no such file or directory, open 'C:\Users\keith.aws\credentials'
ERROR: unexpected error occurred...
EC2 Metadata roleName request returned error (use option --print-stack to print stack)

The error is true in that there is no 'credentials' file (or folder) in my .aws folder, just a file called config, which has all of the SSO profile and session configs.

C:\Users\keith>org-formation init organization.yml --region eu-west-2 --profile kmr-root
Error: No sso_start_url set for profile kmr-root
ERROR: unexpected error occurred...
Profile kmr-root did not include credential process (use option --print-stack to print stack)

Now I have used org-formation successfully before, but that was using the CLI with an IAM user profile, with regular access key credentials. Is the issue here that I am using an SSO profile? I don't really want to use the root user of the management AWS account, or have to create an admin IAM user, but is this something I will need to do for org-formation to actually work?

@keithrobbo
Author

OK, for anybody's info, I've found a simple workaround for this that doesn't require setting up a permanent IAM user or resorting to using the root user. Using the AWS SSO access portal, select your master account, for which you should have AdministratorAccess permission, then select the 'Command line or programmatic access' link. Then select what platform you are using for your CLI. Then choose 'option 1 Set AWS environment variables (Short-term credentials)', copy and paste the environment variables into your CLI and run them. You will then effectively have a temporary IAM user profile. Running the org-formation init command will now work successfully!

@nlang

nlang commented Dec 1, 2023

@keithrobbo you can use yawsso, this will help keeping the old world of profiles in sync with SSO profiles.

@keithrobbo
Author

> @keithrobbo you can use yawsso, this will help keeping the old world of profiles in sync with SSO profiles.

Thanks @nlang I'll check that out.

@OlafConijn
Member

OlafConijn commented Dec 2, 2023

hi! another thing that might (or might not 🙈 ) help is: we are working on/ finalizing work on a new version that uses the aws-sdk v3. a lot has changed going from v2 to v3 (also in how credentials get resolved).

you could give this a try installing version 1.0.12-beta.6
npm i aws-organization-formation@1.0.12-beta.6

cc @rene84
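
An added diagnostic, not part of the original thread and not org-formation's own code: it classifies how a profile in the AWS shared config file supplies credentials, separating the legacy SSO layout (sso_start_url inside the profile) from the sso-session layout that newer AWS CLI v2 releases write. That the "No sso_start_url set for profile" error above comes from a profile in the sso-session layout is an assumption; the sample config contents and the function names are constructed.

```javascript
// Added example: classify how an AWS shared-config profile supplies credentials.
// Constructed sample of a config file; account id, URL and session name are placeholders.
const SAMPLE_CONFIG = `
[profile kmr-root]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
[profile legacy-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
`;

// Minimal INI parser: returns { sectionName: { key: value } }.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = sections[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Classify one profile by the keys present in its section of the config file.
function classifyProfile(configText, name) {
  const cfg = parseIni(configText);
  const p = cfg[name === 'default' ? 'default' : `profile ${name}`];
  if (!p) return 'missing';
  if (p.credential_process) return 'credential_process';
  if (p.sso_session) {
    // sso_start_url lives in the referenced [sso-session ...] section, not the profile.
    const s = cfg[`sso-session ${p.sso_session}`];
    return s && s.sso_start_url ? 'sso-session' : 'sso-session-broken';
  }
  if (p.sso_start_url) return 'legacy-sso';
  if (p.aws_access_key_id) return 'static-keys';
  if (p.role_arn) return 'assume-role';
  return 'unknown';
}
console.log(classifyProfile(SAMPLE_CONFIG, 'kmr-root'));
```

A result of sso-session means the profile itself carries no sso_start_url, so a tool that only reads the profile section will not find one.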
