aws-greengrass / aws-greengrass-nucleus

The Greengrass nucleus component provides functionality for device side orchestration of deployments and lifecycle management for execution of Greengrass components and applications. This includes features such as starting, stopping, and monitoring execution of components and apps, interprocess communication server for communication between components, component installation and configuration management.
Apache License 2.0

Greengrass installer not working with AWS SSO Profile #1618

Closed Sourish1997 closed 4 months ago

Sourish1997 commented 4 months ago

Describe the bug

The Greengrass nucleus installer is unable to load AWS credentials when using AWS SSO profiles.

To Reproduce

  1. Create a default profile in ~/.aws/config and obtain temporary credentials using aws sso login.
  2. Download and run the Greengrass core installer as per the instructions here
curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-nucleus-latest.zip \
> greengrass-nucleus-latest.zip && unzip greengrass-nucleus-latest.zip -d GreengrassInstaller

sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar \
    --aws-region us-east-1 \
    --thing-name "$ROBOT_ID" \
    --thing-group-name "$THING_GROUP_NAME" \
    --tes-role-name "$TES_ROLE_NAME" \
    --tes-role-alias-name "$TES_ROLE_ALIAS_NAME" \
    --provision true \
    --setup-system-service true

Expected behavior

The Greengrass core software is successfully installed on the device.

Actual behavior

The installer is unable to load AWS credentials. I get the following error:

Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])): To use Sso related properties in the 'ProfileDev' profile, the 'sso' service module must be on the class path., ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]
    at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
    at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:117)
    at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
    at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
    at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:54)
    at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
    at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
    at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:125)
    at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
    at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
    at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
    at software.amazon.awssdk.services.iot.DefaultIotClient.getPolicy(DefaultIotClient.java:9158)
    at com.aws.greengrass.easysetup.DeviceProvisioningHelper.createThing(DeviceProvisioningHelper.java:205)
    at com.aws.greengrass.easysetup.GreengrassSetup.provision(GreengrassSetup.java:514)
    at com.aws.greengrass.easysetup.GreengrassSetup.performSetup(GreengrassSetup.java:325)
    at com.aws.greengrass.easysetup.GreengrassSetup.main(GreengrassSetup.java:274)

Environment

Additional context

This looks like a case where the installer is using an AWS SDK version that does not support SSO login. Would it be possible to update the dependencies to allow this use case? The developer guide points to "Manual credential refresh in Getting and refreshing temporary credentials in the IAM Identity Center user guide." as a recommended way to obtain temporary credentials for the Greengrass installer, which seems to imply that SSO login should be supported.
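As an added illustration of the failure described in this report (example code, not part of the Greengrass Nucleus project), the following preflight check parses an AWS config file the way the SDK's ProfileCredentialsProvider names its sections and reports, before the installer is launched, whether the selected profile can only be resolved through the `sso` service module that the installer's class path lacks. The profile names and the config text are constructed sample data; only the environment-variable and profile-file links of the provider chain from the error message are modelled.

```python
# Added preflight check for this issue thread (not Greengrass Nucleus code): it mimics
# how the AWS SDK v2 default chain in the error picks a credential source, so an
# SSO-only profile is caught before the installer is run with it.
import configparser

# Constructed sample config mirroring the profile layout in the error message.
SAMPLE_CONFIG = """
[default]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = GreengrassInstaller

[profile ProfileDev]
sso_session = my-sso
sso_role_name = GreengrassInstaller

[profile StaticKeys]
aws_access_key_id = AKIAEXAMPLEKEY
aws_secret_access_key = example-secret

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
"""

# Properties that make ProfileCredentialsProvider require the 'sso' module.
SSO_KEYS = {"sso_session", "sso_start_url", "sso_account_id", "sso_role_name"}

def load_profiles(text):
    """Map '[default]' and '[profile X]' sections to profile names."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        if section == "default":
            profiles["default"] = dict(cp[section])
        elif section.startswith("profile "):
            profiles[section[len("profile "):]] = dict(cp[section])
    return profiles

def diagnose(profiles, env):
    """Env vars win first, as in the chain; otherwise the selected profile is checked."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "ok: EnvironmentVariableCredentialsProvider"
    name = env.get("AWS_PROFILE", "default")
    props = profiles.get(name, {})
    if SSO_KEYS.intersection(props):
        return f"fail: profile '{name}' needs the sso module; export temporary keys"
    if "aws_access_key_id" in props and "aws_secret_access_key" in props:
        return f"ok: ProfileCredentialsProvider({name})"
    return f"fail: profile '{name}' has no credential source"
```

Run `diagnose(load_profiles(open(os.path.expanduser("~/.aws/config")).read()), os.environ)` against a real config to see which branch the installer's chain would take; a `fail: ... needs the sso module` result means temporary credentials must be exported into the environment first.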

jcosentino11 commented 4 months ago

Thanks for reporting!

For visibility here's the original rePost: https://repost.aws/zh-Hant/questions/QUSlf-efzmTnCWgy0zSp3erg/greengrass-installer-not-working-with-aws-sso-profile. For others interested, there are a few workarounds mentioned here.

We would prefer to not add more dependencies to Nucleus to support this, since installation is a one-off operation, and there are ways to use sso as linked above.