aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0

Bug: Not able to use multiple SSO profiles for aws-sdk client credentials #6397

Open nonken opened 9 months ago

nonken commented 9 months ago

Description:

I have a lambda that is accessing several services in different accounts using the IAM assume role feature in production. When developing locally I am using AWS SSO and have configured a session as part of several profiles. It seems that I can only pass in one profile, which then gets resolved to an AWS_SESSION_TOKEN, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

It seems like I am unable to access several profiles so that my AWS clients can fetch their respective required credentials.

Steps to reproduce:

Create a Lambda that instantiates two clients that each get credentials from a different SSO profile

const { fromSSO } = require('@aws-sdk/credential-providers')

// `config` is the per-client settings object (defined elsewhere in the Lambda);
// each client is given its own provider built from a different SSO profile
const credentials = fromSSO({
  ssoStartUrl: config.SSO_START_URL,
  ssoAccountId: config.SSO_ACCOUNT,
  profile: config.SSO_PROFILE,
  ssoRoleName: config.SSO_ROLE_NAME,
  ssoRegion: config.REGION,
  ssoSession: 'session'
})

The lambda env will contain AWS_SESSION_TOKEN, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, but only for the profile that is passed in via --profile.

Expected result:

I should be able to get credentials for several profiles as I want to be able to use fromSSO. Maybe I am misunderstanding the use of SSO credentials here. Any input would be very appreciated.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: OSX
  2. sam --version: 1.103.0
  3. AWS region: us-east-1

Paste the output of sam --info here

{
  "version": "1.103.0",
  "system": {
    "python": "3.8.13",
    "os": "macOS-14.0-x86_64-i386-64bit"
  },
  "additional_dependencies": {
    "docker_engine": "24.0.6",
    "aws_cdk": "2.92.0 (build bf62e55)",
    "terraform": "Not available"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

Add --debug flag to command you are running
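As an added example (not code from the issue author or from the SAM CLI project): the per-client fromSSO() options can be derived from the shared config file itself rather than from a single set of injected environment variables. The block below parses the `sso-session` and `profile` sections of a constructed ~/.aws/config and resolves one options object per named profile, failing loudly when a profile is not SSO-backed. The session name, profile names, account IDs, role names and start URL are placeholders; nothing here talks to AWS, so it runs offline.

```javascript
// Added example, not part of the original issue or the SAM CLI code base.
// Constructed sample of a shared AWS config: one SSO session shared by two
// profiles in different accounts. All identifiers are placeholders.
const SAMPLE_CONFIG = `
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile data-account]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = DataReadOnly
region = us-east-1

[profile billing-account]
sso_session = my-sso
sso_account_id = 222222222222
sso_role_name = BillingReader
region = us-east-1

[default]
region = us-west-2
`;

// Parse the INI-style config into Map<sectionHeader, Map<key, value>>.
// Simplification: only full-line comments (# or ;) are recognised.
function parseAwsConfig(text) {
  const sections = new Map();
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || /^[#;]/.test(line)) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = new Map();
      sections.set(header[1].trim(), current);
      continue;
    }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (kv && current) current.set(kv[1].trim(), kv[2].trim());
  }
  return sections;
}

// Resolve the fromSSO() options for one profile, following its sso_session
// reference. Throwing on a non-SSO profile is deliberate: a misconfigured
// client should not silently fall back to whatever AWS_ACCESS_KEY_ID the
// runtime happened to inject for a different profile.
function ssoOptionsForProfile(sections, profileName) {
  const profile = sections.get(`profile ${profileName}`);
  if (!profile) throw new Error(`profile "${profileName}" not found`);
  const sessionName = profile.get('sso_session');
  if (!sessionName) throw new Error(`profile "${profileName}" has no sso_session`);
  const session = sections.get(`sso-session ${sessionName}`);
  if (!session) throw new Error(`sso-session "${sessionName}" not found`);
  for (const key of ['sso_account_id', 'sso_role_name']) {
    if (!profile.has(key)) throw new Error(`profile "${profileName}" is missing ${key}`);
  }
  return {
    profile: profileName,
    ssoSession: sessionName,
    ssoStartUrl: session.get('sso_start_url'),
    ssoRegion: session.get('sso_region'),
    ssoAccountId: profile.get('sso_account_id'),
    ssoRoleName: profile.get('sso_role_name'),
  };
}

// One options object per client. In the Lambda each would be passed to
// fromSSO() from @aws-sdk/credential-providers and then to that client's
// `credentials` option; here the options are only computed.
function ssoOptionsForClients(text, profileNames) {
  const sections = parseAwsConfig(text);
  return Object.fromEntries(
    profileNames.map((p) => [p, ssoOptionsForProfile(sections, p)])
  );
}

const perClient = ssoOptionsForClients(SAMPLE_CONFIG, ['data-account', 'billing-account']);
console.log(perClient);
```

fromSSO() reads the shared config and the SSO token cache from the filesystem, so the container running the function needs access to them; the key set that `sam local invoke` injects for the one `--profile` given covers only that profile, which is exactly the limitation the issue describes, and is why the second client cannot be satisfied from the environment alone.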

nonken commented 9 months ago

I think it currently fetches the keys for a particular profile here https://github.com/aws/aws-sam-cli/blob/749aa3daf12a85174fbdffcd0ed2d4a7dbc09f6b/samcli/commands/local/lib/local_lambda.py#L314

I wonder what the approach is when I need to access multiple profiles for multiple clients that access different accounts.

sriram-mv commented 9 months ago

This is an interesting use case! Though there may be some ways to address this, they don't seem particularly secure, e.g. building our invoke image and supplying it with --invoke-image

Are you looking into this for start-lambda in particular?

nonken commented 9 months ago

Hi @sriram-mv, I am using sam local invoke to invoke a lambda that was built through a CDK stack. The lambda uses multiple AWS SDK clients with different SSO profiles (locally) and assumed roles (in prod) in different accounts. For now I have written my own invoke cli that uses the same docker image. It would be really nice though to use sam cli for this if possible. Let me know if you need more info