AWS session-based SSO does not work with s3 backend #13142
Comments
Just a note for when looking into this. The s3 backend and the awskms secret manager both use go.cloud, and we do have some tests for awskms at https://github.com/pulumi/pulumi/blob/master/pkg/secrets/cloud/manager_test.go. We should see about getting some similar tests set up for the filestate backend against real AWS buckets and see if we can verify this use case.

I believe this issue is caused by the fact that the AWS Go SDK didn't support SSO session auth (aws/aws-sdk-go#4649). This has now been fixed and released in version

For more context around v2 of the AWS SDK: it seems like support for sso-session was introduced in aws/aws-sdk-go-v2#1903, and the earliest it exists in is credentials/v1.12.15. We can see go-cloud 0.27 references v1.12.10 (https://github.com/google/go-cloud/blob/v0.27.0/go.sum#L239), so I guess 0.28 would work as well :)

Why not update gocloud.dev to the latest then? @UVduane

I have a PR open that resolves this (#13619) but can't get anyone to acknowledge it here or in Slack.
That PR doesn't update go-cloud though? I would also add more information about what this is about, because when I first read the description it wasn't really clear what it would fix, as I use SSO and it does work for me. So for information's sake, here's the relevant doc about SSO: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Before, one would have something like this, as per https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-legacy.html

Now it is configured as per https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html, hence the error with older AWS SDKs.
I have the sso-session profiles set up like what you posted. Actually, we have a single session and about 14 different profiles referencing it. We were actively running into the error

with profiles like

and this works after the aws-sdk update (must change awssdk to v3).

I am actively using the binary built from my branch, with just the aws-sdk update, in our setup with no issues using sso-session based profiles.
13619: update aws-sdk to sso session supported version r=Frassle a=TheFynx

# Description

Allows for the use of sso-session backed AWS Profiles

- Log out of cloud

```bash
❯ ~/.pulumi-dev/bin/pulumi logout
Logged out of https://app.pulumi.com
```

- Try to log in with awssdk=v2 with sso-session profile, existing error

```bash
❯ ~/.pulumi-dev/bin/pulumi login 's3://state-bucket?region=us-east-1&awssdk=v2&profile=AwsProfile'
error: problem logging in: unable to open bucket s3://state-bucket?region=us-east-1&awssdk=v2&profile=AwsProfile: open bucket s3://state-bucket?region=us-east-1&awssdk=v2&profile=AwsProfile: profile "AwsProfile" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
```

- Try to log in with awssdk=v3 with sso-session profile, success

```bash
❯ ~/.pulumi-dev/bin/pulumi login 's3://state-bucket?region=us-east-1&awssdk=v3&profile=AwsProfile'
Logged in to levi-framework as levi (s3://state-bucket?region=us-east-1&awssdk=v3&profile=AwsProfile)
```

Fixes #13142

## Checklist

- [x] I have run `make tidy` to update any new dependencies
- [x] I have run `make lint` to verify my code passes the lint check
- [x] I have formatted my code using `gofumpt`
- [ ] I have added tests that prove my fix is effective or that my feature works
  - Notes: Unsure if tests are needed to do a package update
- [x] I have run `make changelog` and committed the `changelog/pending/<file>` documenting my change
- [ ] Yes, there are changes in this PR that warrant bumping the Pulumi Cloud API version

Co-authored-by: Levi Smith <levithegeek@gmail.com>
Co-authored-by: Levi Smith <levi@fynx.me>
What happened?

Attempting to `pulumi login` to an S3 backend while using AWS session-based SSO and get an error:

In `$HOME/.aws/config` we have:

This AWS config works with AWS CLI v2, like so:
On our own testing, this is related to aws/aws-sdk-go#4649. Looking at the gocloud.dev blob library, it uses AWS SDK v1 by default, making SDKv2 available as an option. But, the version of SDKv2 required in gocloud.dev v0.27 does not work with session-based SSO either. I think a version bump in pulumi to gocloud.dev v0.29 would be a good start to a decent workaround on this.
https://github.com/UVduane/musical-octo-telegram/tree/main might be helpful as a minimized test case
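The thread above turns on the difference between a legacy SSO profile (which carries `sso_start_url` and `sso_region` itself) and a token-style profile (which only carries `sso_session = <name>` and relies on a separate `[sso-session <name>]` block). An SDK that predates sso-session support reads only the profile's own keys, which is exactly why it reports the profile as "configured to use SSO but is missing required configuration: sso_region, sso_start_url". The following Go program is an added example, not Pulumi's, go-cloud's, or the AWS SDK's code: it parses a constructed `~/.aws/config` text with a small INI reader, classifies each profile, and resolves the sso-session reference so a misconfigured or dangling session is caught before a login attempt. The profile names, session name, account id and start URL are all constructed sample values.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleConfig is a constructed ~/.aws/config covering the two profile styles
// discussed in the issue plus a deliberately broken session reference.
const sampleConfig = `
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile token-style]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ReadOnly
region = us-east-1

[profile legacy-style]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = ReadOnly
region = us-east-1

[profile dangling]
sso_session = missing-session
sso_account_id = 111111111111
sso_role_name = ReadOnly
`

// SSOKind classifies how a profile obtains credentials.
type SSOKind int

const (
	NotSSO     SSOKind = iota // static keys, assume-role, etc.
	LegacySSO                 // sso_start_url / sso_region inline in the profile
	SessionSSO                // sso_session = <name> pointing at an [sso-session] block
)

func (k SSOKind) String() string {
	switch k {
	case LegacySSO:
		return "legacy-sso"
	case SessionSSO:
		return "sso-session"
	}
	return "not-sso"
}

// ParseAWSConfig reads the INI-style config into section -> key -> value.
// Sections are keyed as written: "profile foo", "sso-session bar", "default".
func ParseAWSConfig(text string) map[string]map[string]string {
	sections := map[string]map[string]string{}
	var current map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			current = map[string]string{}
			sections[strings.TrimSpace(line[1:len(line)-1])] = current
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if current == nil || !ok {
			continue // key outside any section, or a line without '='
		}
		current[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return sections
}

// ClassifyProfile reports the profile's SSO style and, for sso-session
// profiles, whether the referenced [sso-session] block exists and carries
// the two keys an SDK needs (sso_start_url, sso_region). A profile that has
// neither key inline is the case a session-unaware SDK rejects.
func ClassifyProfile(cfg map[string]map[string]string, profile string) (SSOKind, error) {
	sec, ok := cfg["profile "+profile]
	if !ok {
		if sec, ok = cfg[profile]; !ok { // "default" carries no "profile " prefix
			return NotSSO, fmt.Errorf("profile %q not found", profile)
		}
	}
	if _, legacy := sec["sso_start_url"]; legacy {
		if _, ok := sec["sso_region"]; !ok {
			return LegacySSO, fmt.Errorf("profile %q: legacy SSO profile is missing sso_region", profile)
		}
		return LegacySSO, nil
	}
	sessionName, ok := sec["sso_session"]
	if !ok {
		return NotSSO, nil
	}
	sess, ok := cfg["sso-session "+sessionName]
	if !ok {
		return SessionSSO, fmt.Errorf("profile %q references sso-session %q, which is not defined", profile, sessionName)
	}
	for _, key := range []string{"sso_start_url", "sso_region"} {
		if _, ok := sess[key]; !ok {
			return SessionSSO, fmt.Errorf("sso-session %q is missing %s", sessionName, key)
		}
	}
	return SessionSSO, nil
}

func main() {
	cfg := ParseAWSConfig(sampleConfig)
	var names []string
	for name := range cfg {
		if strings.HasPrefix(name, "profile ") {
			names = append(names, strings.TrimPrefix(name, "profile "))
		}
	}
	sort.Strings(names)
	for _, p := range names {
		kind, err := ClassifyProfile(cfg, p)
		fmt.Printf("%-13s %-12s needs sso-session-aware SDK: %-5v err: %v\n", p, kind, kind == SessionSSO, err)
	}
}
```

Running it lists `legacy-style` as `legacy-sso` with no error, `token-style` as `sso-session` with no error (so it needs an SDK that understands sso-session, which is what the thread's dependency bump provides), and `dangling` as `sso-session` with an error naming the undefined session. Pointing `ParseAWSConfig` at the real file contents is a quick way to confirm which style a failing profile uses before chasing SDK versions.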
Expected Behavior

`pulumi login` should log in without error.

Steps to reproduce

Output of `pulumi about`

Additional context

No response