aws / aws-cli

Universal Command Line Interface for Amazon Web Services

aws sso login failed on WSL2 #8516

Open andrei-panov opened 5 months ago

andrei-panov commented 5 months ago

Describe the bug

I did the setup according to the documentation: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso-session

Expected Behavior

Expected aws sso will authorize me.

Current Behavior

❯ aws sso login --debug --sso-session my-sso
2024-01-31 11:30:40,644 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22
2024-01-31 11:30:40,644 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['sso', 'login', '--debug', '--sso-session', 'my-sso']
2024-01-31 11:30:40,651 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x7f602b112ac0>
2024-01-31 11:30:40,651 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x7f602b93a980>
2024-01-31 11:30:40,651 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f602bdb8cc0>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f602bdba340>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x7f602b119580>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x7f602b98d3a0>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x7f602b119440>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7f602b1cc850>>
2024-01-31 11:30:40,652 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/data/cli.json
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x7f602b536de0>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x7f602b537100>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x7f602b537060>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x7f602b537240>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x7f602b5371a0>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x7f602b1c5bc0>
2024-01-31 11:30:40,655 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off
2024-01-31 11:30:40,655 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['sso', 'login', '--debug', '--sso-session', 'my-sso']
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7f602b113420>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f602c12a2a0>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7f602b18ed40>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7f602c534ae0>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f602c139bc0>
2024-01-31 11:30:40,657 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2024-01-31 11:30:40,658 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f602b969c60>
2024-01-31 11:30:40,658 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7f602b916c00>
2024-01-31 11:30:40,664 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/sso/2019-06-10/service-2.json
2024-01-31 11:30:40,664 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso: calling handler <function add_sso_commands at 0x7f602b915120>
2024-01-31 11:30:40,665 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso: calling handler <function add_waiters at 0x7f602b119440>
2024-01-31 11:30:40,671 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7f602b1cc850>>
2024-01-31 11:30:40,671 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso_login: calling handler <function add_waiters at 0x7f602b119440>
2024-01-31 11:30:40,671 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso_login: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7f602b1cc850>>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.login.no-browser: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f602b1cd610>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.login: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f602c555950>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.login.sso-session: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f602b1cd610>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.login: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f602c555950>
2024-01-31 11:30:40,673 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/endpoints.json
2024-01-31 11:30:40,684 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f602e9760c0>
2024-01-31 11:30:40,684 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/sso-oidc/2019-06-10/service-2.json
2024-01-31 11:30:40,690 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/sso-oidc/2019-06-10/endpoint-rule-set-1.json
2024-01-31 11:30:40,691 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/partitions.json
2024-01-31 11:30:40,691 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.sso-oidc: calling handler <function add_generate_presigned_url at 0x7f602edc00e0>
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: environment_service
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: environment_global
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: config_service
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: config_global
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - No configured endpoint found.
2024-01-31 11:30:40,693 - MainThread - botocore.endpoint - DEBUG - Setting oidc timeout as (60, 60)
2024-01-31 11:30:40,695 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'eu-central-1', 'UseDualStack': False, 'UseFIPS': False}
2024-01-31 11:30:40,695 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://oidc.eu-central-1.amazonaws.com
2024-01-31 11:30:40,695 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.sso-oidc.StartDeviceAuthorization: calling handler <function base64_decode_input_blobs at 0x7f602b18ede0>
2024-01-31 11:30:40,695 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.sso-oidc.StartDeviceAuthorization: calling handler <function generate_idempotent_uuid at 0x7f602e994400>
2024-01-31 11:30:40,695 - MainThread - botocore.hooks - DEBUG - Event before-call.sso-oidc.StartDeviceAuthorization: calling handler <function inject_api_version_header_if_needed at 0x7f602e995ee0>
2024-01-31 11:30:40,696 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=StartDeviceAuthorization) with params: {'url_path': '/device_authorization', 'query_string': {}, 'method': 'POST', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off command/sso.login'}, 'body': b'{"clientId": "Ww.....CUTT", "clientSecret": "eyJraWQiOiJr.........CUT", "startUrl": "https://gardener-live.accounts.ondemand.com/saml2/idp/sso?sp=iaas-aws-live"}', 'url': 'https://oidc.eu-central-1.amazonaws.com/device_authorization', 'context': {'client_region': 'eu-central-1', 'client_config': <botocore.config.Config object at 0x7f602911cfd0>, 'has_streaming_input': False, 'auth_type': 'none'}}
2024-01-31 11:30:40,696 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.StartDeviceAuthorization: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f6029d408d0>>
2024-01-31 11:30:40,696 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso-oidc.StartDeviceAuthorization: calling handler <function set_operation_specific_signer at 0x7f602e9942c0>
2024-01-31 11:30:40,696 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://oidc.eu-central-1.amazonaws.com/device_authorization, headers={'Content-Type': b'application/json', 'User-Agent': b'aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off command/sso.login', 'Content-Length': '2219'}>
2024-01-31 11:30:40,696 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/cacert.pem
2024-01-31 11:30:40,696 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): oidc.eu-central-1.amazonaws.com:443
2024-01-31 11:30:41,085 - MainThread - urllib3.connectionpool - DEBUG - https://oidc.eu-central-1.amazonaws.com:443 "POST /device_authorization HTTP/1.1" 400 65
2024-01-31 11:30:41,085 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 31 Jan 2024 10:30:45 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'a12f9806-0678-4073-8b44-4d77be9e8df2', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2024-01-31 11:30:41,085 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2024-01-31 11:30:41,086 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 31 Jan 2024 10:30:45 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'a12f9806-0678-4073-8b44-4d77be9e8df2', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2024-01-31 11:30:41,086 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2024-01-31 11:30:41,086 - MainThread - botocore.hooks - DEBUG - Event needs-retry.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7f602911edd0>>
2024-01-31 11:30:41,086 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2024-01-31 11:30:41,086 - MainThread - botocore.hooks - DEBUG - Event after-call.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7f602911e810>>
2024-01-31 11:30:41,087 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli/clidriver.py", line 460, in main
  File "awscli/clidriver.py", line 595, in __call__
  File "awscli/customizations/commands.py", line 205, in __call__
  File "awscli/customizations/sso/login.py", line 47, in _run_main
  File "awscli/customizations/sso/utils.py", line 72, in do_sso_login
  File "awscli/botocore/utils.py", line 3259, in fetch_token
  File "awscli/botocore/utils.py", line 3244, in _token
  File "awscli/botocore/utils.py", line 3159, in _poll_for_token
  File "awscli/botocore/utils.py", line 3136, in _authorize_client
  File "awscli/botocore/client.py", line 357, in _api_call
  File "awscli/botocore/client.py", line 724, in _make_api_call
botocore.errorfactory.InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

Reproduction Steps

❯ aws configure sso-session
SSO session name: my-sso
SSO start URL [None]: https://gardener-live.accounts.ondemand.com/saml2/idp/sso?sp=iaas-aws-live
SSO region [None]: eu-central-1
SSO registration scopes [sso:account:access]:

Completed configuring SSO session: my-sso
Run the following to login and refresh access token for this session:

aws sso login --sso-session my-sso

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off

Environment details (OS name and version, etc.)

WSL2 (Ubuntu 22.04.3 LTS), Windows 11

kyoh86 commented 3 months ago

I have encountered similar problems. I noticed that xdg-open, which should not be available in WSL, has been installed, and that AWS-CLI is calling xdg-open and losing response. So I uninstalled xdg-open and solved the problem. I hope this helps to solve the problem.

asaf400 commented 2 months ago

@kyoh86 Thanks, uninstalling xdg-open via yum remove xdg-utils worked for me after multiple other attempts to make it work.

What I tried before: for some reason under my WSL2 Fedora 39, any xdg command hangs indefinitely, and even trying to override it by creating /root/.local/bin/xdg-open with content:

#!/bin/sh
exec /usr/bin/gio open "$@"

didn't help. wslu is installed as well, bin/gio is part of glib2, and the command to set its browser is gio mime x-scheme-handler/https chrome.exe.desktop, located here: /usr/share/applications/chrome.exe.desktop

kellertk commented 1 month ago

This is an artifact of running under WSL2. On regular Linux, xdg-open tries to open a link in the user's default browser, but usually there is no browser app installed in the WSL environment to open. You can get around this by setting a BROWSER environment variable, such as

export BROWSER='/mnt/c/Users/kellertk/AppData/Local/Google/Chrome/Application/chrome'

Now xdg-open works as expected. You can add this to your ~/.bashrc, or you can simply uninstall xdg-utils.
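
The BROWSER workaround from the comment above, written as a ~/.bashrc fragment; this is an added example, not code from the thread or from the AWS CLI project. It sets BROWSER only under WSL and only to a path that exists and is executable; the candidate paths and the WIN_USER variable are assumptions to adapt to the local install.

```shell
# Added example: pick a browser for xdg-open only when running under WSL.

# Succeeds when the kernel release looks like a WSL kernel, for example
# "5.15.133.1-microsoft-standard-WSL2" as seen in the debug log above.
is_wsl() {
    case "${1:-$(uname -r)}" in
        *[Mm]icrosoft*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the first argument that is an existing, executable regular file.
pick_browser() {
    for pb_candidate in "$@"; do
        if [ -f "$pb_candidate" ] && [ -x "$pb_candidate" ]; then
            printf '%s\n' "$pb_candidate"
            return 0
        fi
    done
    return 1
}

# Usage: configure_wsl_browser KERNEL_RELEASE CANDIDATE...
# Exports BROWSER only under WSL, only when it is not already set, and only
# to a verified absolute path. Returns 1 if no candidate is usable.
configure_wsl_browser() {
    cwb_release="$1"
    shift
    is_wsl "$cwb_release" || return 0   # not WSL: leave xdg-open alone
    [ -z "${BROWSER:-}" ] || return 0   # respect an existing choice
    cwb_path="$(pick_browser "$@")" || return 1
    BROWSER="$cwb_path"
    export BROWSER
}

# Assumption: the Windows account name matches the Linux one unless WIN_USER
# is set. The paths below are assumed install locations, not from the thread.
WIN_USER="${WIN_USER:-${USER:-}}"
configure_wsl_browser "$(uname -r)" \
    "/usr/bin/wslview" \
    "/mnt/c/Users/$WIN_USER/AppData/Local/Google/Chrome/Application/chrome.exe" \
    || :   # no browser found: BROWSER stays unset
```

If no candidate is found, BROWSER stays unset; `aws sso login --no-browser` (the no-browser argument appears in the debug log above) prints the URL and code instead of launching a browser.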

Irene2k11 commented 1 month ago

> This is an artifact of running under WSL2. On regular Linux, xdg-open tries to open a link in the user's default browser, but usually there is no browser app installed in the WSL environment to open. You can get around this by setting a BROWSER environment variable, such as
>
> export BROWSER='/mnt/c/Users/kellertk/AppData/Local/Google/Chrome/Application/chrome'
>
> Now xdg-open works as expected. You can add this to your ~/.bashrc, or you can simply uninstall xdg-utils.

This is how I used to do it in Fedora 35, and earlier versions all around, but something in recent versions of something became incompatible. Even xdg-settings (get|set) default-web-browser hangs.