AWS SSO Named Profiles Support #5455
Comments
vikyol
added
feature-request
|
@excavador @Douglas-Scott can you please represent your |
|
Given the CLI is now GA, and it seems a number of other users are facing this issue would it be possible to at least add a note to the docs indicating the lack of support at this time? |
|
As a temporary workaround, you can use the |
|
@ibex-dev Would you mind sharing that bash wrapper here? :) |
|
The mention from @victorskl above suggests using yawsso as a work around to sync the SSO credentials from ~/.aws/cli/cache to ~/.aws/credentials and it worked for me. |
|
I know its a bit old, but I'd like to contribute too. I was facing the following error: I did a wrap for deploy into multiples account: |
|
Not sure if this helps anyone, but in my organization we use AWS SSO, with over 90 AWS Accounts, with MFA, so it was impossible to manage CDK without AWS SSO support. I found a way to solve it, so till its officially relesed, you can use this, it works quite all right: MatsCloud blog - CDK with AWS SSO multi account multi profile |
|
Actually when this issue => #3008 been resolved based on https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html, I think it could work. At least we have a more proper workaround. Been using https://github.com/benkehoe/aws-sso-credential-process to get the credential_process for deploying through terraform |
|
Howdy all, we solved this with exactly the following for AWS SSO... apologies for the copypaste from our internal docs but it is the quickest way to share. SetupThe primary way you’ll likely interact with your CDK apps and AWS is through the CLI. We’ll need a few things installed in order for a smooth process, once you do this once, you are set up for life (or until you need a new machine, whichever comes first.) Run these commands brew install pipx
pipx ensurepath
pipx install aws-sso-credential-process
pipx install aws-export-credentialsInstall AWS CLI v2… the v2 part is very important. Add the following to you export AWS_CONFIGURE_SSO_DEFAULT_SSO_START_URL=https://stedi-sso.awsapps.com/start
export AWS_CONFIGURE_SSO_DEFAULT_SSO_REGION=us-east-1
sso(){
unset AWS_PROFILE
export AWS_PROFILE=$1
aws sts get-caller-identity &> /dev/null || aws sso login || (unset AWS_PROFILE && aws-configure-sso-profile --profile $1)
eval $(aws-export-credentials --env-export)
}UsageIn a new shell (after you’ve added the sso function), do a simple The command will walk you through a series of questions that will allow the AWS profile to be configured locally. The first thing you will see is something like “There are [some number] AWS accounts available to you. At some point, your browser will load a series of signin screens. Enter your password, etc. if you are not already authenticated. Once you are done, return to the CLI, where you will click the account that you would like to use. If there are multiple roles available to you, you will be asked to select a role. Once you configure this for a profile, you never have to walk through the config process again. You have to log in once every X hours for a given role (depending on your org settigns), otherwise, the Test that you are authenticated properly by issuing the following AWS command: Behind the scenes, this process is adding an entry to |
|
@shortjared Thanks for the sharing. Instead of exposing the credentials in env var, I have another preferable approach to generate or refresh the https://github.com/pahud/gitpod-workspace/blob/main/utils/refresh_credentials.sh And I use this approach to create my gitpod workspaces for aws cdk development with aws sso support. |
|
It is possible to have "native" integration with the help of aws2-wrap Here is my You then use |
|
I started using It is made by @benkehoe. |
|
In case like this one or other similar cases where AWS SSO result in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third party tools / sdks. |
|
Hi, is there any plan to have a native support of AWS SSO with the CDK? |
|
AFAIK the JS SDK does not support SSO so CDK cannot do it either. Credentials process is the only solution today to solve this. |
|
The JS SDK v3 implemented support for AWS SSO but as far as I can tell it has not shipped yet |
|
For me, this got solved via AWS vault. |
|
@ericzbeard - is this something that's being considered at all? Are there blockers for implementing this that we just aren't aware of? This issue has been open for 2 years, so I just want to know if we should be looking for a more permanent workaround or if we can expect this to be implemented in the foreseeable future |
|
CDK isn't usable without SSO support. At present, it's completely incompatible with orgs that use AWS Control Tower. |
Sync your profiles with e.g. yawsso. Slightly inconvenient, but usable. |
|
@rix0rrr please could you help us understand where this is on the various roadmaps? I was hoping the CDK v2 would take the opportunity to upgrade to the AWS CDK for Javascript v3 which includes SSO support (see #5455 (comment)), however it's still using aws-sdk v2. Could you indicate which of the RFCs, if any, plan to upgrade the SDK to v3? |
|
We've switched away from the IaC-unfriendly, rather opaque and inflexible Control Tower headache to the much nicer org-formation project for easier AWS Organizations multi-account management using IaC. It works well with SSO, and although it's originally (and still primarily) a direct CloudFormation tool, it has CDK support. We deploy the CDK bootstrap template across org accounts using its declarative OrganizationBinding syntax, and there's an update-cdk task that deploys according to declared org account/OU patterns, applies temporary SSO credentials as the standard AWS environment variables, and lets you set parameters from across the org as CDK context variables. It also has the option of using custom deploy and remove commands if the defaults aren't sufficient. If you're missing CDK SSO support and also looking for a nice, compliance-friendly way to manage your organization using Infrastructure-as-Code, it may be worth taking a look. It doesn't require a greenfield project, so you can also just point it at an existing org and give it a try. |
|
I wrote a small shell function that exports the temp credentials using # AWS Switch Profile
function awsprofile {
if [[ -z "$1" ]]; then
unset AWS_SDK_LOAD_CONFIG
unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
echo AWS Profile cleared.
return
fi
export AWS_SDK_LOAD_CONFIG=true
export AWS_DEFAULT_PROFILE=$1
export AWS_PROFILE=$1
export AWS_EB_PROFILE=$1
creds=$(mktemp -d)/creds.json
aws-vault exec ${AWS_PROFILE} -- env | grep AWS >$creds
export AWS_ACCESS_KEY_ID=$(cat ${creds} | grep "AWS_ACCESS_KEY_ID" | cut -d '=' -f 2)
export AWS_SECRET_ACCESS_KEY=$(cat ${creds} | grep "AWS_SECRET_ACCESS_KEY" | cut -d '=' -f 2)
export AWS_SESSION_TOKEN=$(cat ${creds} | grep "AWS_SESSION_TOKEN" | cut -d '=' -f 2)
export AWS_SESSION_EXPIRATION=$(cat ${creds} | grep "AWS_SESSION_EXPIRATION" | cut -d '=' -f 2)
echo "Switched to AWS Profile: ${AWS_PROFILE}"
}Then just run the following in your shell: awsprofile <sso_profile_name>To stop your session run If you're using a prompt like $ awsprofile test-account
Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
Switched to AWS Profile: test-account
~ on test-account (eu-west-1) [59m34s] took 14s |
It's worth noting one of the reasons AWS Vault doesn't enable something like this by default is to not expose credentials unnecessarily. As mentioned above, the best (current) solution is SSO profiles combined with [profile administrator-sso]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator
[profile administrator]
credential_process = aws-vault exec administrator-sso --jsonexport AWS_PROFILE=administrator # or $env:AWS_PROFILE="administrator" for pwsh
cdk deploy |
Just tried this, and while I was able to get |
I don't know what does or doesn't cause aws-vault to automatically kick off the interactive login, but the fix for this is to It's worth noting these cached credentials will also last for an hour by default, which you can tweak if you need via the |
|
I was evaluating using CDK but due to this issue, I'm dumping it and just going back to plain CloudFormation. |
Lol man, don't do it to yourself, tools like Serverless Framework are way better for a lot of use cases comparing to CDK and in 2022 there is no valid argument to use plain CloudFormation |
|
Yeah seems kinda extreme to completely dump a tool just avoid an extra npm install |
You can still use it by managing ur profiles and everything with Leapp https://github.com/Noovolari/leapp |
There's at least one, it integrates with SSO and lets you use --profile out of the box |
|
I switched to using aws-vault and this limitation is resolved |
|
Can I suggest folks start a discussion if they're going to start debating the validity of approaches and alternatives, you're sending emails to at least 42 people every time you comment on this, and I really don't care for receiving emails for them |
|
Hopefully that means CDK just needs to upgrade to this version for SSO support vs upgrading to v3. |
|
Hey guys! We recently moved to AWS SSO and are now encountering this issue. The workarounds suggested are fine, but missing native support in CDK for SSO profiles is a huge oversight in my opinion. Now that V2 of the AWS JS SDK supports SSO, hopefully this feature can get implemented soon! |
|
To overcome the issue, I have a cdk-login-env.sh script for every environment that looks kind of like this...the key for this problem is use of yawsso to copy the creds over. `COLOR='\033[1;32m' CDK_PROFILE_NAME='userconfigured' echo "${COLOR}SSO Login for ${CDK_PROFILE_NAME} ${NC}" echo "${COLOR}Copy to v1 credentials with yawsso${NC}" echo "${COLOR}CDK Bootstrap confirmation${NC}" echo "${COLOR}CDK Diff - Testing credential and stacks${NC}" when working with multiple environments, instead of diff --all its stack name prefixes for that account cdk diff "prefix-environment-*" --profile $CDK_PROFILE_NAME |
It looks like SSO support has been merged 2 days ago in PR #19454 I'd say we can expect it to be available for the next release 🤞 |
|
This was just released in 2.18.0 and 1.150.0. Confirmed it's working for me now! |
|
Thanks @jessecollier, you're right! Here's the PR #19454 |
|
FYI: Any of the workarounds that continue to use the implicit trust behaviour of SSO created roles don't work anymore with new roles and will stop to work by 15th of February 2023 due to https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ |
and others
AWS CLI v2 supports AWS SSO named profiles.
However, CDK CLI cannot resolve SSO named profiles yet.
Without this feature, users have to login to SSO user portal and fetch credentials for command line and CLI access, which needs to be repeated every time the credentials expire.
Even though CLI v2 is still in preview, it would be good to have this feature implemented for early adopters.
Use Case
Proposed Solution
This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: