Invalid character '<' error when running aws-sso console against China AWS SSO #634

Closed
deanmax opened this issue Oct 18, 2023 · 6 comments · Fixed by #635
deanmax commented Oct 18, 2023

Output of aws-sso version:

AWS SSO CLI Version 1.13.1 -- Copyright 2021-2023 Aaron Turner
7c08e58ad2a2c941bfa42ad98b0429f3fefa1ca7 (v1.13.1) built at 2023-08-28T23:03:47+0000

Describe the bug:

❯ aws-sso --sso=china console --account=1122334455 --role=CHINA-DEVOPS --duration=720
INFO    Opening URL in: default browser
INFO    Waiting for SSO authentication...
FATAL   Error running command: Error parsing Login response: invalid character '<' looking for beginning of value 

If it's the first login, an Authorization Request browser window will pop up correctly.
However, after you click "Allow", you'll see the above error in the terminal.

aws-sso --sso=default console --account=1122334455 --role=sso-devops -duration=720 works fine
aws-sso --sso=china eval --account=1122334455 --role=CHINA-DEVOPS works fine

To Reproduce:

  1. Set up ~/.aws-sso/config.yaml as described
  2. Run aws-sso --sso=china console --account=1122334455 --role=CHINA-DEVOPS --duration=720.

Expected behavior:
The AWS console browser window pops up after running the aws-sso console command


Desktop (please complete the following information):

  • OS: macOS Ventura
  • Version 13.5


Contents of ~/.aws-sso/config.yaml:

  SSOConfig:
    china:
      SSORegion: cn-north-1
      StartUrl: https://start.home.awsapps.cn/directory/xxx-sso (redacted)
      DefaultRegion: cn-north-1
    default:
      SSORegion: us-west-2
      StartUrl: https://xxxsso.awsapps.com/start
      DefaultRegion: us-west-2
  DefaultSSO: default
  UrlAction: open
  LogLevel: info
  HistoryLimit: 10
  HistoryMinutes: 1440

deanmax added the "bug" (Something isn't working) label Oct 18, 2023
deanmax changed the title from "Invalid character '<' error when aws-sso console" to "Invalid character '<' error when running aws-sso console against China AWS SSO" Oct 18, 2023

@synfinatic
Owner

So best guess this is because aws-sso is submitting the request to the wrong AWS federation endpoint for China. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
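
The failure mode guessed at in the comment above, as an added Go example (not aws-sso's code and not the change in #635): a sign-in host picked per partition, and a response check that reports a non-JSON reply without echoing the body into logs. The function names are hypothetical, and the per-partition hosts come from AWS's federation documentation, not from this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AWS sign-in hosts per partition; assumed values, not taken from the issue or PR #635.
var federationHosts = map[string]string{
	"aws":        "signin.aws.amazon.com",
	"aws-cn":     "signin.amazonaws.cn",
	"aws-us-gov": "signin.amazonaws-us-gov.com",
}

// FederationURL returns the getSigninToken endpoint for the partition that owns region.
func FederationURL(region string) string {
	partition := "aws"
	if strings.HasPrefix(region, "cn-") {
		partition = "aws-cn"
	} else if strings.HasPrefix(region, "us-gov-") {
		partition = "aws-us-gov"
	}
	return "https://" + federationHosts[partition] + "/federation"
}

// ParseSigninToken decodes the federation reply. An HTML error page is rejected
// up front; only its size is reported, since a reply body may carry credentials.
func ParseSigninToken(status int, body []byte) (string, error) {
	trimmed := strings.TrimSpace(string(body))
	if status != 200 || !strings.HasPrefix(trimmed, "{") {
		return "", fmt.Errorf("federation endpoint returned HTTP %d with a non-JSON body (%d bytes); check the partition endpoint", status, len(body))
	}
	var resp struct{ SigninToken string }
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("parsing login response: %w", err)
	}
	if resp.SigninToken == "" {
		return "", fmt.Errorf("login response has no SigninToken")
	}
	return resp.SigninToken, nil
}

func main() {
	// Constructed reply: the kind of HTML page that makes encoding/json fail on '<'.
	_, err := ParseSigninToken(200, []byte("<html>constructed error page</html>"))
	fmt.Println(FederationURL("cn-north-1"), err)
}
```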

@synfinatic
Owner

@deanmax I think this PR should fix this issue. I don't have access right now for .cn so I can't exactly reproduce your issue. If you feel like giving it a try and letting me know that would be great: #635

LMK if you'd like me to build you a binary and attach it to this ticket. Just let me know if you're on an Intel or ARM Mac.

@deanmax
Author

deanmax commented Oct 18, 2023

> @deanmax I think this PR should fix this issue. I don't have access right now for .cn so I can't exactly reproduce your issue. If you feel like giving it a try and letting me know that would be great: #635
>
> LMK if you'd like me to build you a binary and attach it to this ticket. Just let me know if you're on an Intel or ARM Mac.

replied in #635 (comment)

@synfinatic
Owner

Yeah, this is specific to China regions. AWS claims Identity Center is available in China: https://aws.amazon.com/about-aws/whats-new/2023/09/aws-iam-identity-center-beijing-ningxia-regions/

But they don't actually list the endpoints for Beijing or Ningxia: https://docs.aws.amazon.com/general/latest/gr/sso.html

Irony of course is the latter is linked by the announcement saying this is where to find the new endpoints. :-/

Anyways, I'm going to have to open a support ticket with Amazon. My personal account is on the free tier and my company has no AWS China presence, so might take a while. If you have an Enterprise support contract with AWS, you might get a faster response if you ask them what are the Beijing/Ningxia IAM Identity Center endpoints.

synfinatic added a commit that referenced this issue Oct 18, 2023
Also add additional trace debug logging for failures.

Refs: #634
@synfinatic
Owner

@deanmax So I dug around the AWS docs and I think I found the info I need. It's not actually documented on the AWS website, as far as I can tell, but I've made a pretty good educated guess. If it doesn't work, log with --level trace and it will print the output from AWS in addition to the error.

There are probably other bugs hiding with the China/US Gov partitions though.

@deanmax
Author

deanmax commented Oct 19, 2023

> @deanmax So I dug around the AWS docs and I think I found the info I need. It's not actually documented on the AWS website, as far as I can tell, but I've made a pretty good educated guess. If it doesn't work, log with --level trace and it will print the output from AWS in addition to the error.
>
> There are probably other bugs hiding with the China/US Gov partitions though.

commented in #635

synfinatic added a commit that referenced this issue Oct 19, 2023
Also add additional trace debug logging for failures.

Refs: #634