(cli): SSO credential flow does not work with $AWS_CA_BUNDLE #21328
Comments
Right now, HTTP options like proxy and cacerts apply to specific SDK instances we create:

However, to do SSO calls the credential provider creates a new instance which doesn't have these HTTP options applied:

That code should have been written to match the AssumeRole code, taking and copying

We can also globally configure the HTTP options instead of per-instance. That will probably break the tests.
Contingent on this being fixed first: aws/aws-sdk-js#4195
Passes `httpOptions` through to the SDK, which now recognizes `httpOptions`. Enables SSO to work with proxies. This was tested manually.

Fixes #21328.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Describe the bug

When using the CDK CLI with the `$AWS_CA_BUNDLE` environment variable set, pointing to a valid `cacert.pem` file with the default AWS CLI certificates + corporate certificates for SSL inspection, the commands do not work when the credentials used come from the SSO implementation. `cdk doctor` correctly identifies that the variable is set.
On a corporate network with SSL Inspection (ZScaler) and `$AWS_CA_BUNDLE` correctly configured in the shell:

* Running any AWS CLI command using SSO credentials works.
* Running CDK CLI commands such as `diff` and `deploy` using exported temporary credentials works.
* Running CDK CLI commands such as `diff` and `deploy` using SSO credentials does not work.

Outside a corporate network with no SSL Inspection:

* Running any AWS CLI command using SSO credentials works.
* Running CDK CLI commands such as `diff` and `deploy` using exported temporary credentials works.
* Running CDK CLI commands such as `diff` and `deploy` using SSO credentials works.

### Expected Behavior
Having `$AWS_CA_BUNDLE` correctly configured in the shell that runs the CDK CLI commands, the SSO credential implementation should respect the `$AWS_CA_BUNDLE` parameter when calling endpoints.

### Current Behavior
Running any command with the CDK CLI's implementation of using SSO credentials as the credential source results in an error that seems to be caused by the implementation not respecting the `$AWS_CA_BUNDLE` parameter.

### Reproduction Steps
This requires a network with SSL inspection enabled to test and validate, as well as a `cacert.pem` file with the CA used by the SSL inspection/interfering network appliance included in the .pem file with the rest of the default certificates that the AWS CLI ships with.

Setup:

```
/usr/share/aws-cli/v2/2.7.16/dist/awscli/botocore/cacert.pem
~/certs/cacert.pem
```

Configure an SSO profile using the AWS CLI:

Validate SSL issues:

```sh
aws sso login --profile SSO-TEST
```

```
SSL validation failed for <endpoint_url> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed.
```

Validate working with the CA bundle:

```sh
export AWS_CA_BUNDLE="~/certs/cacert.pem"
aws sso login --profile SSO-TEST
```

This should prompt for SSO login through the normal IdP / browser flow.

Now test with a CDK app:

```sh
cdk deploy --profile SSO-TEST
```

This fails even though `AWS_CA_BUNDLE` works for the CLI.

Using exported temporary credentials should work fine:

```sh
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN
```

Same using credentials or a credential helper in the `~/.aws/credentials` file. In my testing it seems to be only using an SSO profile from the `~/.aws/config` file, which can be applied by using the `cdk deploy --profile` command or by setting the `$AWS_PROFILE` environment variable in the shell, that does not work.

### Possible Solution
Making sure that the implementation from PR #19454 is fixed to work with `$AWS_CA_BUNDLE`.

### Additional Information/Context
As mentioned, the AWS CLI and related tools that require the `$AWS_CA_BUNDLE` work fine. The CDK CLI also works fine with `$AWS_CA_BUNDLE` as long as the credentials used are not SSO credentials but are in the credentials file or exported to environment variables using `AWS_ACCESS_KEY_ID` etc.

CDK CLI Version: 2.33.0 (build 859272d)
Framework Version: No response
Node.js Version: v16.16.0 (LTS)
OS: ArchLinux
Language: Typescript
Language Version: No response
### Other information

Stack trace when using `$AWS_CA_BUNDLE` inside the corp network with SSL inspection enabled:

Stack trace outside the corp network with no `$AWS_CA_BUNDLE` enabled: