[Bug]: Lack of support for sso-session in .aws/config #28263

Closed
kurtismash opened this issue Dec 8, 2022 · 28 comments
Labels
authentication Pertains to authentication; to the provider itself of otherwise. bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. service/s3 Issues and PRs that pertain to the s3 service.

kurtismash commented Dec 8, 2022

Terraform Core Version

1.3.6

AWS Provider Version

4.45.0

Affected Resource(s)

No response

Expected Behavior

Terraform should work as normal using AWS credentials as defined in .aws/config.

Actual Behavior

Error: configuring Terraform AWS Provider: loading configuration: profile "profile" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

.aws/config

[profile profile]
sso_session = xxx
sso_account_id = xxx
sso_role_name = AdministratorAccess
region = eu-west-1

[sso-session session]
sso_start_url = https://xxx.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

Terraform

provider "aws" {
  region = "eu-west-1"
}

resource "aws_s3_bucket" "b" {
}

Steps to Reproduce

  1. Configure awscli using aws sso configure or manually create .aws/config to use an sso-session.
  2. terraform init
  3. AWS_PROFILE=profile terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

I believe this is an issue caused by the aws-sdk-go rather than this Terraform provider; however, I don't understand enough about Go to know which version of the SDK is in use. aws/aws-sdk-go#4649 remains open whereas aws/aws-sdk-go-v2#1903 fixes this in the v2 SDK.

Would you like to implement a fix?

No

@kurtismash kurtismash added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Dec 8, 2022
@github-actions github-actions bot added the service/s3 Issues and PRs that pertain to the s3 service. label Dec 8, 2022
@DavidS-ovm

This is still happening in v4.46.0, which has the update (b3dcf93) to the aws-sdk-go-v2 version (v1.17.2) that has the upstream fix.

@id-tari

id-tari commented Dec 22, 2022

Any updates on this?
Still not working with v4.48

Weird, the issue seems to be critical and fundamental.
Can't execute any terraform actions on my newly configured accounts that are managed by the new AWS Identity Center

To mention a workaround:
You do not need to add: sso_region, sso_start_url
You just have to create an IAM User with appropriate permissions and programmatic access and add these credentials to .aws/credentials

[profile]
aws_access_key_id = xxxxx
aws_secret_access_key = yyyyyyyyyyyy

Make sure that the profile name matches in both .aws/credentials and .aws/config.
The provider will work

@selfisch

> Any updates on this? Still not working with v4.48
>
> Weird, the issue seems to be critical and fundamental. Can't execute any terraform actions on my newly configured accounts that are managed by the new AWS Identity Center
>
> To mention a workaround: You do not need to add: sso_region, sso_start_url. You just have to create an IAM User with appropriate permissions and programmatic access and add these credentials to .aws/credentials
>
> [profile]
> aws_access_key_id = xxxxx
> aws_secret_access_key = yyyyyyyyyyyy
>
> Make sure that the profile name matches in both .aws/credentials and .aws/config. The provider will work

Or you can use the Command line or programmatic access from your role and copy that content to the credentials file. You can barely change the profile name to your needs and can use it as long as the session is valid.
But this is all only a workaround, especially with an eye on the session getting invalid after the configured amount of time, and one has to copy the temp credentials over again :-).

@e1senh0rn

From what I can see in go.mod file, specified versions of affected dependencies do not contain SSO enhancements:

	github.com/aws/aws-sdk-go-v2/config v1.15.4 // indirect
	github.com/aws/aws-sdk-go-v2/credentials v1.12.0 // indirect

New SSO enhancements were added in versions v1.18.0 and v1.13.0 correspondingly.

@jaxxstorm

You can work around this in two ways:

  • set the sso_start_url in each profile
  • grab temporary credentials from the profile using aws-sso-creds

@boyadzhievb

boyadzhievb commented Jan 5, 2023

"set the sso_start_url in each profile" doesn't work for me

[profile Dev-715xxxxxxxxxxx2]
sso_session = bo-05-01-2023-1
sso_account_id = 715xxxxxxxxxxx2
sso_role_name = Dev
region = eu-west-2
output = json
sso_start_url = https://xxx.awsapps.com/start

[sso-session bo-05-01-2023-1]
sso_start_url = https://xxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Still get:
% terraform plan

│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

@tonyhhyip

You need both sso_start_url and sso_region for your profile.
And then run aws sso login --profile <profile name>

@jnimety

jnimety commented Jan 5, 2023

@boyadzhievb I also had to remove the sso_session key/value from my profile.

documentation for "legacy" configuration here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-configure-profile-manual

@boyadzhievb

Nothing helped:

first-resource % cat  ~/.aws/config
[profile DevOps-71xxxxxxxxx82]
sso_account_id = 71xxxxxxxx682
sso_role_name = DevOps
region = eu-west-2
output = json
sso_start_url = https://xxxxx.awsapps.com/start
sso_region = us-east-1

[sso-session bozhan-05-01-2023-1]
sso_start_url = https://xxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
 first-resource % aws sso login --profile DevOps-715xxxxxxxx82
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

FJHJ-FMHH
Successfully logged into Start URL: https://xxx.awsapps.com/start
 first-resource % terraform plan
╷
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws

@michidk

michidk commented Jan 11, 2023

I can confirm the following works as a temporary fix:

  • remove the [sso-session ...] section
  • remove the sso_session parameter from the profile
  • add the sso_start_url and sso_region
  • add the region parameter if not already there

Working example:

[profile prod]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id = 999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1

[profile stage]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id = 999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1

@pnjihia

pnjihia commented Jan 19, 2023

What worked for me was this reddit post: https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/

In short:

  1. In your .aws/config file, delete the sso-session section (or sections if you had multiple)
  2. Delete the sso-session reference under the profile section
  3. Reconfigure sso: aws configure sso --profile <profile-name> # I usually go for default
  4. Here's the fix: Although recommended, do not give sso session name, leave it blank
  5. Finish the rest of the config, and terraform should start working

@justinretzolk justinretzolk added provider Pertains to the provider itself, rather than any interaction with AWS. authentication Pertains to authentication; to the provider itself of otherwise. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 23, 2023
@larryebaum-nz

Not finding any success with any of the workarounds posted here. Are others still having an issue with this? I've found if I run an aws cli command that references my profile, temp credentials will write to .aws/cli/cache/<file>.json that I could write to ENV_VARS to get operational, but it's kludgy and, multiplied by a volume of users, isn't great.

Anyone able to confirm/indicate if work is underway to solve?

@jparta

jparta commented Jan 27, 2023

I was having the same problem, and including all information within the profile itself helped in my case as well.

Why are Terraform and AWS provider not able to use the session information? Using an sso-session to provide the region and start_url is the recommended way to set up sso: Configuring the AWS CLI to use AWS IAM Identity Center (successor to AWS Single Sign-On)

@selfisch

Hey,
yeah, with the solution @michidk suggested here, you can configure the awscli profiles the legacy way. That's working so far, also with the aws provider. But who knows how long until sso-sessions will be enforced and the legacy way will be deprecated :-)

@tonyhhyip

It is fixed at v4.54.0. However, if you use s3 backend, the legacy configuration is still required, the issue on Terraform is still open

@yermulnik

> It is fixed at v4.54.0

@tonyhhyip Out of curiosity: is there any exact PR we can refer to? I couldn't find anything relevant to AWS SSO in v4.54.0 release message 🤷🏻

@tonyhhyip

@yermulnik It is fixed in bf5aed5, when the SDK version is upgraded to a version which supports the new SSO format. For the supported version, please refer to #28263 (comment)

@patrickmarques-plutoflume

As pointed out here #28263 (comment) the provider is now fixed after dependency updates #29302

Would be great if we could also update the backend accordingly

@brettryan

brettryan commented Apr 15, 2023

For those that are finding when you get a reference to $HOME/.aws/sso/cache/<id>.json not found, you must perform an AWS SSO login first.

aws sso login

I recommend to create multiple pairs of your profiles, one with the legacy non-refreshing token specifically for terraform, and use another for your normal operations. This will allow you to use the AWS CLI with the refreshing tokens and have the terraform backend explicitly select the legacy profile.

~/.aws/config

[profile primary]
region = <REGION>
output = json
sso_session = <SESSION_NAME>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>

# Required as terraform does not respect sso_session
[profile primary-legacy]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>
region = <REGION>
output = json

[sso-session <SESSION_NAME>]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_registration_scopes = sso:account:access

In your backend, configure your profile to be the legacy above.

profile = "primary-legacy"

And have your aws env set to the refresher token:

export AWS_PROFILE=primary
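
The workaround described in the comments above (a self-contained legacy profile next to the sso-session one), as an added Python example that is not part of the original thread or of the provider's code: it inlines `sso_start_url` and `sso_region` from the referenced `[sso-session]` section into a copy of each named profile and reports dangling `sso_session` references. The sample config, the `-legacy` suffix and the function names are constructed for illustration.

```python
import configparser

# Constructed sample in the sso-session format discussed in this thread.
SAMPLE = """\
[profile primary]
region = eu-west-1
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ReadOnly
[profile broken]
sso_session = typo-name
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""
SESSION_KEYS = ("sso_start_url", "sso_region")

def legacy_profiles(text, suffix="-legacy"):
    """Inline each profile's sso-session settings; return (profiles, errors)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    profiles, errors = {}, []
    for section in cfg.sections():
        body = cfg[section]
        if not section.startswith("profile ") or "sso_session" not in body:
            continue
        session = "sso-session " + body["sso_session"]
        if not cfg.has_section(session):
            errors.append(f"[{section}] references missing [{session}]")
            continue
        # Drop the sso_session pointer and copy the session's values inline.
        merged = {k: v for k, v in body.items() if k != "sso_session"}
        for key in SESSION_KEYS:
            if key in cfg[session]:
                merged[key] = cfg[session][key]
            else:
                errors.append(f"[{session}] lacks {key}")
        profiles[section[len("profile "):] + suffix] = merged
    return profiles, errors

def render(profiles):
    return "\n".join(
        f"[profile {name}]\n" + "".join(f"{k} = {v}\n" for k, v in kv.items())
        for name, kv in profiles.items())

if __name__ == "__main__":
    found, problems = legacy_profiles(SAMPLE)
    print(render(found), *problems, sep="\n")
```

The rendered sections can be appended to `~/.aws/config` after review; the original `sso_session` profiles are left untouched.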

@jsimoni

jsimoni commented May 10, 2023

> For those that are finding when you get a reference to $HOME/.aws/sso/cache/<id>.json not found, you must perform an AWS SSO login first.
>
> aws sso login
>
> I recommend to create multiple pairs of your profiles, one with the legacy non-refreshing token specifically for terraform, and use another for your normal operations. This will allow you to use the AWS CLI with the refreshing tokens and have the terraform backend explicitly select the legacy profile.
>
> ~/.aws/config
>
> [profile primary]
> region = <REGION>
> output = json
> sso_session = <SESSION_NAME>
> sso_account_id = <ACCOUNT_ID>
> sso_role_name = <ROLE_NAME>
>
> # Required as terraform does not respect sso_session
> [profile primary-legacy]
> sso_start_url = https://<START_ID>.awsapps.com/start
> sso_region = <REGION>
> sso_account_id = <ACCOUNT_ID>
> sso_role_name = <ROLE_NAME>
> region = <REGION>
> output = json
>
> [sso-session <SESSION_NAME>]
> sso_start_url = https://<START_ID>.awsapps.com/start
> sso_region = <REGION>
> sso_registration_scopes = sso:account:access
>
> In your backend, configure your profile to be the legacy above.
>
> profile = "primary-legacy"
>
> And have your aws env set to the refresher token:
>
> export AWS_PROFILE=primary

I believe what @brettryan mentions will work as a workaround, but what is needed is the terraform-provider-aws to support refreshable authentication tokens and to refresh those tokens when they expire.

@et304383

et304383 commented Jun 2, 2023

How is this not resolved yet? Isn't the Go SDK supposed to handle this automatically?

@gdavison gdavison self-assigned this Jun 23, 2023
@ewbankkit
Contributor

AWS SDK for Go v1 PR: aws/aws-sdk-go#4885.

@jim-barber-he

The support for sso-session for aws-sdk-go has been merged and is now in a release.
https://github.com/aws/aws-sdk-go/releases/tag/v1.44.298

@flokli

flokli commented Jul 10, 2023

For posterity, this probably got fixed by the bump in #32426.

@kurtismash pls correct me if I'm wrong ;-)

Any chance for this to end up in a release soon?

@mbokman-e2open

I was hoping this ended up in release 5.8.0 but upgrading to that version of the aws provider still gives:

$ terraform --version
Terraform v1.5.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.8.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/random v3.5.1
$ terraform init -reconfigure

Initializing the backend...
Initializing modules...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "<redacted>" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
│ 
│ 
╵

@paul-yolabs

This still needs to make it into a terraform release. The S3 backend code doesn't use the AWS provider, it has a parallel S3 code path. The provider works, but if you use an S3 state backend you'll still have problems until they update the SDK there.

Having new SSO support in the v1 SDK will make that easier, though.

Keep an eye on hashicorp/terraform#32465 (there appears to be an open PR for this now)

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 17, 2023