
[BUG] Cannot load SSO provider #2430

Closed
hjkatz opened this issue Dec 18, 2023 · 7 comments
Labels: closed-for-staleness, guidance (Question that needs advice or information.)

Comments

hjkatz commented Dec 18, 2023

Describe the bug

I'm trying to load a profile from an SSO-enabled shared config file using sso-session and then retrieve the session information from the AWS config. But when I do this I only see the ec2rolecreds.Provider being used, and not the ssocreds.Provider as I would expect.

Config:

[sso-session my-session]
sso_region = us-east-2
sso_start_url = https://12345.awsapps.com/start

[profile my-profile]
region=us-west-2
sso_session = my-session
sso_account_id = 1234567890
sso_role_name = AdminAccess

Env:

AWS_CONFIG=~/path/to/my/config
AWS_PROFILE=other-profile
AWS_EC2_METADATA_DISABLED=true

Code:

cfg, err := awsv2config.LoadDefaultConfig(context.TODO(),
  awsv2config.WithSharedConfigProfile("my-profile"),
  awsv2config.WithEC2IMDSClientEnableState(...disabled...),
)

spew.Dump(cfg)

Relevant Output:

DEBUGPRINT[1]: client.go:141 (after spew.Dump(cr))
(aws.Config) {
 Region: (string) "",
 Credentials: (*aws.CredentialsCache)(0xc002998740)({
  provider: (*ec2rolecreds.Provider)(0xc002bc9750)({
   options: (ec2rolecreds.Options) {
    Client: (*imds.Client)(0xc0029fac80)({
     options: (imds.Options) {
      APIOptions: ([]func(*middleware.Stack) error) {
      },
      Endpoint: (string) "",
      EndpointMode: (config.EndpointModeState) 0,
...
ConfigSources: ([]interface {}) (len=3 cap=4) {
  (config.LoadOptions) {
   Region: (string) "",
   Credentials: (aws.CredentialsProvider) <nil>,
   BearerAuthTokenProvider: (bearer.TokenProvider) <nil>,
   HTTPClient: (config.HTTPClient) <nil>,
   EndpointResolver: (aws.EndpointResolver) <nil>,
   EndpointResolverWithOptions: (aws.EndpointResolverWithOptions) <nil>,
   RetryMaxAttempts: (int) 0,
   RetryMode: (aws.RetryMode) ,
   Retryer: (func() aws.Retryer) <nil>,
   APIOptions: ([]func(*middleware.Stack) error) <nil>,
   Logger: (logging.Logger) <nil>,
   ClientLogMode: (*aws.ClientLogMode)(<nil>),
   SharedConfigProfile: (string) (len=17) "my-profile",
   SharedConfigFiles: ([]string) (len=1 cap=1) {
    (string) (len=75) "/path/to/my/config"
   },
   SharedCredentialsFiles: ([]string) <nil>,
   CustomCABundle: (io.Reader) <nil>,
   DefaultRegion: (string) "",
   UseEC2IMDSRegion: (*config.UseEC2IMDSRegion)(<nil>),
   CredentialsCacheOptions: (func(*aws.CredentialsCacheOptions)) <nil>,
   BearerAuthTokenCacheOptions: (func(*bearer.TokenCacheOptions)) <nil>,
   SSOTokenProviderOptions: (func(*ssocreds.SSOTokenProviderOptions)) <nil>,
   ProcessCredentialOptions: (func(*processcreds.Options)) <nil>,
   EC2RoleCredentialOptions: (func(*ec2rolecreds.Options)) <nil>,
   EndpointCredentialOptions: (func(*endpointcreds.Options)) <nil>,
   WebIdentityRoleCredentialOptions: (func(*stscreds.WebIdentityRoleOptions)) <nil>,
   AssumeRoleCredentialOptions: (func(*stscreds.AssumeRoleOptions)) <nil>,
   SSOProviderOptions: (func(*ssocreds.Options)) <nil>,
   LogConfigurationWarnings: (*bool)(<nil>),
   S3UseARNRegion: (*bool)(<nil>),
   EnableEndpointDiscovery: (aws.EndpointDiscoveryEnableState) 0,
   EC2IMDSClientEnableState: (config.ClientEnableState) 1,
   EC2IMDSEndpointMode: (config.EndpointModeState) 0,
   EC2IMDSEndpoint: (string) "",
   UseDualStackEndpoint: (aws.DualStackEndpointState) 0,
   UseFIPSEndpoint: (aws.FIPSEndpointState) 0,
   DefaultsModeOptions: (config.DefaultsModeOptions) {
    Mode: (aws.DefaultsMode) "",
    IMDSClient: (*imds.Client)(<nil>)
   }
  },
  (config.EnvConfig) {
   Credentials: (aws.Credentials) {
    AccessKeyID: (string) "",
    SecretAccessKey: (string) "",
    SessionToken: (string) "",
    Source: (string) "",
    CanExpire: (bool) false,
    Expires: (time.Time) 0001-01-01 00:00:00 +0000 UTC
   },
   ContainerCredentialsEndpoint: (string) "",
   ContainerCredentialsRelativePath: (string) "",
   ContainerAuthorizationToken: (string) "",
   Region: (string) "",
   SharedConfigProfile: (string) (len=12) "other-profile",
   SharedCredentialsFile: (string) "",
   SharedConfigFile: (string) (len=75) "/path/to/my/config",
   CustomCABundle: (string) "",
   EnableEndpointDiscovery: (aws.EndpointDiscoveryEnableState) 0,
   WebIdentityTokenFilePath: (string) "",
   RoleARN: (string) "",
   RoleSessionName: (string) "",
   S3UseARNRegion: (*bool)(<nil>),
   EC2IMDSClientEnableState: (config.ClientEnableState) 1,
   EC2IMDSEndpointMode: (config.EndpointModeState) 0,
   EC2IMDSEndpoint: (string) "",
   S3DisableMultiRegionAccessPoints: (*bool)(<nil>),
   UseDualStackEndpoint: (aws.DualStackEndpointState) 0,
   UseFIPSEndpoint: (aws.FIPSEndpointState) 0,
   DefaultsMode: (aws.DefaultsMode) "",
   RetryMaxAttempts: (int) 0,
   RetryMode: (aws.RetryMode)
  },
  (config.SharedConfig) {
   Profile: (string) "",
   Credentials: (aws.Credentials) {
    AccessKeyID: (string) "",
    SecretAccessKey: (string) "",
    SessionToken: (string) "",
    Source: (string) "",
    CanExpire: (bool) false,
    Expires: (time.Time) 0001-01-01 00:00:00 +0000 UTC
   },
   CredentialSource: (string) "",
   CredentialProcess: (string) "",
   WebIdentityTokenFile: (string) "",
   SSOSessionName: (string) "",
   SSOSession: (*config.SSOSession)(<nil>),
   SSORegion: (string) "",
   SSOStartURL: (string) "",
   SSOAccountID: (string) "",
   SSORoleName: (string) "",
   RoleARN: (string) "",
   ExternalID: (string) "",
   MFASerial: (string) "",
   RoleSessionName: (string) "",
   RoleDurationSeconds: (*time.Duration)(<nil>),
   SourceProfileName: (string) "",
   Source: (*config.SharedConfig)(<nil>),
   Region: (string) "",
   EnableEndpointDiscovery: (aws.EndpointDiscoveryEnableState) 0,
   S3UseARNRegion: (*bool)(<nil>),
   EC2IMDSEndpointMode: (config.EndpointModeState) 0,
   EC2IMDSEndpoint: (string) "",
   S3DisableMultiRegionAccessPoints: (*bool)(<nil>),
   UseDualStackEndpoint: (aws.DualStackEndpointState) 0,
   UseFIPSEndpoint: (aws.FIPSEndpointState) 0,
   DefaultsMode: (aws.DefaultsMode) "",
   RetryMaxAttempts: (int) 0,
   RetryMode: (aws.RetryMode) ,
   CustomCABundle: (string) ""
  }
 },
...

Expected Behavior

I expect ssocreds.Provider to be used for config.Credentials.Retrieve().

Or at least the config.ConfigSources[*] that is config.SharedConfig should contain filled values for config.SharedConfig.SSO* fields.

Current Behavior

I'm only seeing the ec2 imds provider being used.

Reproduction Steps

I think this is because I'm on an ec2 instance running the sdk.

Possible Solution

No response

Additional Information/Context

I am definitely logged into an sso session using aws sso login with the correct profile information.

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/internal/[email protected]
github.com/aws/aws-sdk-go-v2/[email protected]

Compiler and Version used

go version go1.21.4 linux/amd64

Operating System and version

Linux devenv-hkatz 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 GNU/Linux

@hjkatz hjkatz added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 18, 2023

hjkatz commented Dec 18, 2023

Wow, after typing up everything and going back through with a fine-toothed comb one more time, I discovered that I was incorrectly passing config.WithSharedConfigProfile("does-not-exist-profile") as a profile name.

I guess now my expectation is that the ssocreds provider prints an error or something rather than defaulting back to ec2role... since this red herring caught me off guard for a few days now :/

@RanVaknin RanVaknin self-assigned this Dec 18, 2023
@RanVaknin (Contributor) commented:

Hi @hjkatz,

Thanks for reaching out. I'm glad you were able to find the issue.

> I guess now my expectation is that the ssocreds provider prints an error or something rather than defaulting back to ec2role... since this red herring caught me off guard for a few days now :/

I'm not sure why you are not seeing an error. When I configure a nonexistent profile I get an error:

package main

import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
	"github.com/aws/aws-sdk-go-v2/service/s3"
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.Background(),
		config.WithSharedConfigProfile("some-profile-that-doesnt-exist"),
		// Disable the IMDS client so a missing profile can never fall back to the instance role.
		config.WithEC2IMDSClientEnableState(imds.ClientDisabled),
		config.WithRegion("us-east-1"),
	)
	if err != nil {
		fmt.Println("Error loading configuration:", err)
		return
	}

	client := s3.NewFromConfig(cfg)
	_ = client // more code
}

Will throw:

Error loading configuration: failed to get shared config profile, some-profile-that-doesnt-exist

Can you provide us with a full code snippet that can reproduce this behavior?

Thanks,
Ran~

@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue guidance Question that needs advice or information. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Dec 18, 2023

hjkatz commented Dec 19, 2023

Here's the code I used; it's pretty much the same as what you have:

cfg, err := awsv2config.LoadDefaultConfig(ctx,
  awsv2config.WithSharedConfigProfile("does-not-exist"),
)
if err != nil {
  panic(err)
}

creds, err := cfg.Credentials.Retrieve(ctx)
if err != nil {
  panic(err)
}

...

// Vault Login using the creds.AccessKeyID, creds.SecretAccessKey, creds.SessionToken

When this code is executed the following is printed:

error authing to vault: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, http response error StatusCode: 404, request to EC2 IMDS failed

I would instead expect a message about the profile not found or something like that. I guess the EC2 stuff takes priority b/c I'm on an EC2 instance?

Here's the code/output when imds is disabled via code:

cfg, err := awsv2config.LoadDefaultConfig(ctx,
  awsv2config.WithSharedConfigProfile("does-not-exist"),
  awsv2config.WithEC2IMDSClientEnableState(awsv2imds.ClientDisabled),
)
if err != nil {
  panic(err)
}

creds, err := cfg.Credentials.Retrieve(ctx)
if err != nil {
  panic(err)
}

...

// Vault Login using the creds.AccessKeyID, creds.SecretAccessKey, creds.SessionToken

Output:

error authing to vault: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or "AWS_EC2_METADATA_DISABLED" environment variable
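A pre-flight check for the situation described in this thread, added here as an example and not part of the issue or of the AWS SDK: it parses the shared config with the standard library only and fails closed when the named profile or its sso-session is missing, so a typo in the profile name surfaces as a clear error before LoadDefaultConfig can fall back to the IMDS role provider. The sample config is constructed to match the one in the issue; parseSharedConfig and CheckSSOProfile are hypothetical helpers, and the parser is deliberately minimal (no source_profile chains, no credentials file).

```go
package main
import (
	"fmt"
	"strings"
)
// Constructed sample shared config, same shape as the one in this issue.
const sampleConfig = `[sso-session my-session]
sso_region = us-east-2
sso_start_url = https://12345.awsapps.com/start
[profile my-profile]
region=us-west-2
sso_session = my-session
sso_account_id = 1234567890
sso_role_name = AdminAccess
`
// parseSharedConfig reads the INI-style file into section -> key -> value.
func parseSharedConfig(src string) map[string]map[string]string {
	out, cur := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue // blank or comment line
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = strings.TrimSpace(line[1 : len(line)-1])
			out[cur] = map[string]string{}
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != "" {
			out[cur][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return out
}
// CheckSSOProfile fails closed before any credential provider runs: the profile
// must exist, name a real [sso-session], and that session must be complete.
func CheckSSOProfile(src, profile string) error {
	cfg := parseSharedConfig(src)
	p, ok := cfg["profile "+profile]
	if !ok {
		return fmt.Errorf("profile %q not found in shared config", profile)
	}
	sess, ok := cfg["sso-session "+p["sso_session"]]
	if p["sso_session"] == "" || !ok {
		return fmt.Errorf("profile %q: sso_session %q not found", profile, p["sso_session"])
	}
	if sess["sso_region"] == "" || sess["sso_start_url"] == "" {
		return fmt.Errorf("sso-session %q needs sso_region and sso_start_url", p["sso_session"])
	}
	return nil
}
```

Run CheckSSOProfile on the file named by AWS_CONFIG_FILE with the profile you are about to pass to WithSharedConfigProfile, and abort on error instead of calling Credentials.Retrieve.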

@RanVaknin (Contributor) commented:

Hi @hjkatz ,

Can you update your SDK version? You are using dependencies that are over 1 year old.

Thanks,
Ran~

@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Dec 19, 2023

hjkatz commented Dec 19, 2023

Yes I can do that, but it will be a bit of time. We're currently working through migrating from IAM -> SSO and part of my work involves upgrading the aws pkgs we use too.

I'll report back when I can.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 20, 2023
@RanVaknin RanVaknin added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 22, 2023
github-actions bot commented:

This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Dec 23, 2023
@lucix-aws lucix-aws added closed-for-staleness and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. closing-soon This issue will automatically close in 4 days unless further comments are made. p2 This is a standard priority issue labels Dec 26, 2023