ryansonshine / aws-sso-creds-helper
A command line util for using SSO credentials with AWS SDK on AWS CLI v2 until native support is released
License: MIT License
Does not support syntax [PROFILE_NAME], only [profile PROFILE_NAME]
If you use a profile setup with [PROFILE_NAME] syntax you get the following
/app/qb-serverless aws-shared_to_dev > ssocreds --profile PROFILE_NAME 1s root@smartin-qb-serverless-dev 17:50:09
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.10.11
[aws-sso-creds-helper]: Getting SSO credentials for profile PROFILE_NAME
[aws-sso-creds-helper]: Failed to load SSO credentials for PROFILE_NAME
[aws-sso-creds-helper]: No profile found for PROFILE_NAME
[aws-sso-creds-helper]: Run ssocreds with --debug flag for more details.
(node:2511) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.
Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
To load the credentials for the valid profile
aws configure list-profiles
might not show them.
ssocreds --profile PROFILE_NAME
Hello, thanks for developing this tool, I was trying this out but I encountered the following issue after authenticating on my Chrome browser.
❯ ~ aws --version
aws-cli/2.0.57 Python/3.7.4 Darwin/19.6.0 exe/x86_64
❯ ~ ssocreds -p default
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.3.10
[aws-sso-creds-helper]: Getting SSO credentials for profile default
[aws-sso-creds-helper]: Failed to load SSO credentials for profile default
[aws-sso-creds-helper]: Cached SSO login is expired/invalid, try running `aws sso login` and try again
(node:16712) UnhandledPromiseRejectionWarning: ExpiredCredsError: Cached SSO login is expired/invalid, try running `aws sso login` and try again
at Object.exports.getSsoCachedLogin (/usr/local/lib/node_modules/aws-sso-creds-helper/lib/sso-creds.js:34:11)
at /usr/local/lib/node_modules/aws-sso-creds-helper/lib/sso-creds.js:80:37
at Generator.next (<anonymous>)
at /usr/local/lib/node_modules/aws-sso-creds-helper/lib/sso-creds.js:8:71
at new Promise (<anonymous>)
at __awaiter (/usr/local/lib/node_modules/aws-sso-creds-helper/lib/sso-creds.js:4:12)
at Object.exports.run (/usr/local/lib/node_modules/aws-sso-creds-helper/lib/sso-creds.js:77:59)
at /usr/local/lib/node_modules/aws-sso-creds-helper/lib/sso-creds.js:88:27
at Generator.next (<anonymous>)
at fulfilled (/usr/local/lib/node_modules/aws-sso-creds-helper/lib/sso-creds.js:5:58)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:16712) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:16712) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
I tried aws sso login but the issue persists. I never got this working, so any help is appreciated!
When users of this app initially install the app, often their ~/.aws folder is nonexistent or empty. Of course the config file is required, but even when that is supplied, the app fails until they make an empty sso folder in it and then put a cache folder inside that sso folder.
Neither folder needs to contain anything (except for /sso containing /cache), but that folder structure needs to exist for ssocreds to run successfully.
The desired behavior would be to do the following:
~/.aws/sso folder
ssocreds
ENOENT: no such file or directory, scandir 'C:\Users\john\.aws\sso\cache
When I have time I'd be happy to make a PR fixing this, but that won't be for a couple of days, so I wanted to report this issue to remind myself.
The default profile only works when using [default] and does not work when using [profile default] as the profile name in .aws\config
I would expect it to work when using [profile default]
[profile default] as the profile name in .aws/config
ssocreds or ssocreds -p default
With the latest version of AWS CLI 2.9.4, running ssocreds -p default failed due to a change of structure in ~/.aws/config when a user specifies SSO session name (Recommended): during the aws configure sso process
ssocreds -p <profile_name>
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.9.0
[aws-sso-creds-helper]: Getting SSO credentials for profile <profile_name>
[aws-sso-creds-helper]: Failed to load SSO credentials for <profile_name>
[aws-sso-creds-helper]: Cached SSO login is expired/invalid, try running `aws sso login` and try again
[aws-sso-creds-helper]: Run ssocreds with --debug flag for more details.
ssocreds -p <profile_name>
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.9.0
[aws-sso-creds-helper]: Getting SSO credentials for profile <profile_name>
[aws-sso-creds-helper]: Successfully loaded SSO credentials for profile <profile_name>
aws configure sso --profile <profile_name>
SSO session name (Recommended)
when it asks
ssocreds -p <profile_name>
The current workaround is to leave SSO session name (Recommended) blank during the configuration process to default to the previous behaviour.
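The profile-header reports above ([PROFILE_NAME] vs [profile PROFILE_NAME], [default] vs [profile default]) and this SSO session report all come down to how sections of ~/.aws/config are resolved. The following is an added example, not code from aws-sso-creds-helper: parseIni, resolveSsoProfile and SAMPLE_CONFIG are hypothetical names, the sample values are constructed, and sso_session / [sso-session NAME] are the keys AWS CLI v2 writes when a session name is given.

```javascript
// Added example, not aws-sso-creds-helper code. SAMPLE_CONFIG is constructed.
const SAMPLE_CONFIG = `
[default]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = Triage
[profile prod]
sso_session = corp
sso_account_id = 222222222222
sso_role_name = Triage
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
`;

// Minimal INI reader: Map of section header -> key/value object.
function parseIni(text) {
  const sections = new Map();
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = Object.create(null); // no prototype, so odd keys stay plain data
      sections.set(header[1].trim().replace(/\s+/g, ' '), current);
      continue;
    }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Hypothetical helper: look up a profile under either header spelling, then
// follow sso_session to its [sso-session NAME] section when present.
function resolveSsoProfile(configText, name) {
  const sections = parseIni(configText);
  const profile = sections.get(`profile ${name}`) || sections.get(name);
  if (!profile) throw new Error(`No profile found for ${name}`);
  const source = profile.sso_session
    ? sections.get(`sso-session ${profile.sso_session}`)
    : profile;
  if (!source || !source.sso_start_url || !source.sso_region)
    throw new Error(`Profile ${name} has no usable SSO settings`);
  return { startUrl: source.sso_start_url, ssoRegion: source.sso_region,
    accountId: profile.sso_account_id, roleName: profile.sso_role_name };
}
```

Trying the prefixed header before the bare one is this example's choice; a profile whose sso_session points at a missing section fails with an explicit error instead of being reported as an expired login.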
Love the tool, minor feature request.
I use export AWS_SHARED_CREDENTIALS_FILE=foobar to segregate creds files for multiple environments.
Any chance you could add a feature to respect this var instead of only writing to the default aws location?
Is your feature request related to a problem? Please describe.
No, just different functionality of the aws cli.
Describe the solution you'd like
setting the AWS_PROFILE environment variable locally in the shell when run to the account that is specified when the -p flag is used.
Describe alternatives you've considered
I often run ssocreds thinking that I will be ready to use whatever aws cli app or tool I am wanting to use, but sometimes it still fails because AWS_PROFILE is not set to the right account, despite having run ssocreds for the correct account. When I realize this is the case, I manually have to run export AWS_PROFILE=the account I want, or the equivalent for whatever shell I'm in.
I've considered forking this repo and adding that feature myself, but I'd rather not have to solely maintain my own fork...
Maybe I'm a fool for submitting this feature and maybe it shows that I completely misunderstand the AWS CLI and related topics. If so, I'm willing to accept that haha. I'm new to all of this, but in my specific use case, it seems like a feature like this would be useful. Any comments? If no one says anything I think I'd like to start working on this sometime soon. Working on CLI apps is fun.
aws2 --profile AdministratorAccess-900359709859 sso login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.ap-southeast-2.amazonaws.com/
Then enter the code:
XXXXX-XXXX
Successully logged into Start URL: https://d-3131231.awsapps.com/start
Vans-MacBook-Air:bin vhoanguyen$ ssocreds -p AdministratorAccess-03485092385
[aws-sso-creds-helper]: Getting SSO credentials for profile AdministratorAccess-03485092385
[aws-sso-creds-helper]: Failed to load SSO credentials for profile AdministratorAccess-03485092385
[aws-sso-creds-helper]: Cached SSO login is expired/invalid, try running aws sso login and try again
@all-contributors add @ryansonshine for code
Can the comments in the credentials file be retained when refreshing the credentials? Right now all comments are removed.
ssocreds was working well for me for the past few months but today when I attempt to run it, I receive errors about session token not found or invalid.
I confirmed that the aws profile I am using has active credentials as I was able to perform AWS CLI commands. This error occurs for both existing AWS profiles and ones which I have newly added.
aws configure sso --profile prod
SSO start URL [https://redacted.awsapps.com/start#/]:
SSO Region [eu-west-2]:
There are 2 AWS accounts available to you.
Using the account ID redacted
The only role available to you is: Triage
Using the role name "Triage"
CLI default client Region [eu-west-2]:
CLI default output format [json]:
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile prod
2022-03-16 13:54:06 redacted-bucket-name
ssocreds --profile prod --debug
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.16
[aws-sso-creds-helper]: ===========
[aws-sso-creds-helper]: SYSTEM INFO
[aws-sso-creds-helper]: ===========
[aws-sso-creds-helper]: AWS CLI Version aws-cli/2.7.7 Python/3.9.13 Darwin/22.1.0 source/arm64 prompt/off
[aws-sso-creds-helper]: OS darwin 22.1.0
[aws-sso-creds-helper]: Node v16.18.0
[aws-sso-creds-helper]: ==============
[aws-sso-creds-helper]: PROFILE CONFIG
[aws-sso-creds-helper]: ==============
[aws-sso-creds-helper]: Name Value Type Location
---- ----- ---- --------
profile prod manual --profile
access_key ****************G2OR sso
secret_key ****************phNg sso
region eu-west-2 config-file ~/.aws/config
[aws-sso-creds-helper]: Getting SSO credentials for profile prod
[aws-sso-creds-helper]: Reading config from /Users/cole.siegel/.aws/config
[aws-sso-creds-helper]: Full profile name for lookup is profile prod
[aws-sso-creds-helper]: Profile data:, {
"region": "eu-west-2",
"output": "json",
"sso_start_url": "https://redacted.awsapps.com/start",
"sso_region": "eu-west-2",
"sso_account_id": "redacted",
"sso_role_name": "Triage"
}
[aws-sso-creds-helper]: Setting AWS.SharedIniFileCredentials to profile prod
[aws-sso-creds-helper]: Found 3 cache files in /Users/cole.siegel/.aws/sso/cache
[aws-sso-creds-helper]: Checking 0d92c2431dc84b346c32051db8c475a0cd0aa25a.json in /Users/cole.siegel/.aws/sso/cache/0d92c2431dc84b346c32051db8c475a0cd0aa25a.json
[aws-sso-creds-helper]: Reading /Users/cole.siegel/.aws/sso/cache/0d92c2431dc84b346c32051db8c475a0cd0aa25a.json
[aws-sso-creds-helper]: Configuration is a credential config
[aws-sso-creds-helper]: Credential is NOT expired
[aws-sso-creds-helper]: Credential start url https://redacted.awsapps.com/start/ matches profile sso start url https://redacted.awsapps.com/start
[aws-sso-creds-helper]: Initialized SSO service object with region eu-west-2
[aws-sso-creds-helper]: Failed to get role credentials
[aws-sso-creds-helper]: Error is NOT an ExpiredCredsError
[aws-sso-creds-helper]: Error is NOT an AwsSdkError
[aws-sso-creds-helper]: Failed to load SSO credentials for prod
[aws-sso-creds-helper]: Session token not found or invalid
[aws-sso-creds-helper]: UnauthorizedException: Session token not found or invalid
at Object.extractError (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/protocol/json.js:52:27)
at Request.extractError (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/protocol/rest_json.js:49:8)
at Request.callListeners (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:686:14)
at Request.transition (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:688:12)
To resolve the issue, I had to delete my ~/.aws/credentials entries as well as the contents of ~/.aws/sso/cache. After adding the profiles back, I am now able to run ssocreds successfully and use the SDK, although there is a message about invalid JSON.
➜ ~ ssocreds --profile dev
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.16
[aws-sso-creds-helper]: Getting SSO credentials for profile dev
[aws-sso-creds-helper]: Ignoring invalid json, SyntaxError: Unexpected token in JSON at position 0
[aws-sso-creds-helper]: Successfully loaded SSO credentials for profile dev
➜ ~ ssocreds --profile prod
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.16
[aws-sso-creds-helper]: Getting SSO credentials for profile prod
[aws-sso-creds-helper]: Ignoring invalid json, SyntaxError: Unexpected token in JSON at position 0
[aws-sso-creds-helper]: Successfully loaded SSO credentials for profile prod
Any suggestions as to what could have caused this, or how to properly resolve it? As far as I can see nothing changed recently in this library. Given the AWS profile / SSO process itself is working without issue, I am not sure why ssocreds suddenly fails to retrieve the token. Does the invalid JSON message indicate some other issue?