aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

Get-CAAuthorizationToken is throwing error #288

Closed rjacquemin closed 1 year ago

rjacquemin commented 1 year ago

Describe the bug

We have been using the PowerShell tools for some CI scripts for a while.

Everything was working fine, but suddenly Get-CAAuthorizationToken is showing an error. After some investigation, it looks like a breaking change was introduced in version 4.1.165.

Error message

Get-CAAuthorizationToken: Value cannot be null. (Parameter 'Options property cannot be empty: ClientName')

Expected Behavior

Considering we are logged in with AWS SSO, we should be able to get the auth token without a problem using the AWS PowerShell tools.

aws sso login
aws codeartifact login --tool dotnet --repository xxxx  --domain xxxx --domain-owner xxxxx 

Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force 
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC
Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"

It was working before but stopped working lately.

Current Behavior

To facilitate the repro, I used a Docker image.

aws sso login
aws codeartifact login --tool dotnet --repository xxxx  --domain xxxx --domain-owner xxxxx 

docker run --rm -it -v C:\Users\xxxxxx/.aws:/root/.aws:ro mcr.microsoft.com/dotnet/core/sdk:3.1 pwsh
Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force 
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC
Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"

This gives the following error:

Get-CAAuthorizationToken: Value cannot be null. (Parameter 'Options property cannot be empty: ClientName')

Reproduction Steps

Checking with version 4.1.164 succeeds:

Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force -MaximumVersion 4.1.164
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force -MaximumVersion 4.1.164
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force -MaximumVersion 4.1.164
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC

Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"

Checking with the latest version fails:

Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force 
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC

Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"

Possible Solution

No response

Additional Information/Context

No response

AWS Tools for PowerShell version used

AWS.Tools.Installer 1.0.2.4
AWS.Tools.SSO -CleanUp -Force -MaximumVersion 4.1.164 vs latest
AWS.Tools.SSOOIDC -CleanUp -Force -MaximumVersion 4.1.164 vs latest
AWS.Tools.CodeArtifact -CleanUp -Force -MaximumVersion 4.1.164 vs latest

PowerShell version used

Name                           Value
----                           -----
PSVersion                      7.0.12
PSEdition                      Core
GitCommitId                    7.0.12
OS                             Linux 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Operating System and version

Windows 10

ashishdhingra commented 1 year ago

Based on sample .NET code at Single sign-on (SSO) with the AWS SDK for .NET,

@rjacquemin Please confirm the following:

Thanks, Ashish

rjacquemin commented 1 year ago

See an example of the AWS SSO profile config:

[profile default]
sso_start_url = https://xxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxxxx
sso_role_name = xxxxxxxxxxxxx
region = us-east-1

You mentioned the error occurred recently and the logic was working fine earlier. You are asserting that the possible breaking change was introduced in version 4.1.165 which was released a month ago. Is this correct and that you noticed the recurring issue only until recently, and it works fine with version 4.1.164?

Yes, I can confirm 4.1.164 is working like before.

ashishdhingra commented 1 year ago

Hi @rjacquemin,

Good afternoon.

If we follow the steps properly, the issue is not reproducible in the latest AWS Tools for PowerShell version. The issue occurs if aws sso login command is not executed before calling Get-CAAuthorizationToken. For testing, I did not use the said Docker image, instead I tested it locally. Here is the screenshot:

Screen Shot 2022-10-07 at 12 35 04 PM

Few points to notice:

Thanks, Ashish

github-actions[bot] commented 1 year ago

This issue has not received a response in 5 days. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

rjacquemin commented 1 year ago

You are running the Get-CAAuthorizationToken in the said docker image. Do you have AWS CLI installed in the docker image and executed aws sso login in your image?

Yes, we are installing the AWS CLI on the Docker image. We are doing the SSO login on the host machine, then mounting the credentials volume in Docker,

so Docker has access to the SSO credentials:

aws sso login
aws codeartifact login --tool dotnet --repository xxxx  --domain xxxx --domain-owner xxxxx 

docker run --rm -it -v C:\Users\xxxxxx/.aws:/root/.aws:ro mcr.microsoft.com/dotnet/core/sdk:3.1 pwsh

Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force 
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force 
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC

Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"

But it was working fine before. As mentioned, the issue started something like a month ago. I was able to repro with version https://www.powershellgallery.com/packages/AWS.Tools.CodeArtifact/4.1.165

You may also install AWS.Tools.SecurityToken and execute Get-STSCallerIdentity to verify if you are actually logged in to your SSO profile and caller identity of the credentials.

I will check those; maybe they can give us more info.

rjacquemin commented 1 year ago

If using AWS CLI and .NET application, then client name need not be explicitly set.

What is the ClientName parameter, and what should it be?

Checking the official doc: https://docs.aws.amazon.com/powershell/latest/reference/items/Get-CAAuthorizationToken.html

Are we talking about ClientConfig?

ashishdhingra commented 1 year ago

@rjacquemin ClientName is set internally after successful SSO credentials resolution. It's not related to ClientConfig. I'm still unsure on how you would be able to simply mount the credentials volume in Docker and make it work. Were you able to get the result of Get-STSCallerIdentity inside the Docker image?

Thanks, Ashish
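
Added example (not part of the thread and not AWS's code): a pre-flight check a CI job could run inside the container before Get-CAAuthorizationToken, to tell "no usable SSO session in the mounted ~/.aws volume" apart from a module-side problem. The function names, the demo path and the cache layout (JSON files under ~/.aws/sso/cache with "accessToken" and "expiresAt" fields) are assumptions; the cmdlet parameters are the ones used in this thread.

```powershell
# Added example: assumes the AWS CLI v2 cache layout (JSON files under ~/.aws/sso/cache,
# token files holding "accessToken" and "expiresAt"). Never prints the token itself.
function Test-SsoTokenCache {
    param([string]$CachePath = (Join-Path $HOME '.aws/sso/cache'))

    if (-not (Test-Path $CachePath)) {
        return [pscustomobject]@{ Valid = $false; ExpiresAt = $null
                                  Reason = "cache directory not found: $CachePath" }
    }
    $latest = $null
    foreach ($file in Get-ChildItem -Path $CachePath -Filter '*.json' -File) {
        $raw = Get-Content -Path $file.FullName -Raw
        # Client-registration files also carry expiresAt but no accessToken; skip them.
        if ($raw -notmatch '"accessToken"') { continue }
        if ($raw -match '"expiresAt"\s*:\s*"([^"]+)"') {
            # Some CLI builds wrote a "UTC" suffix instead of "Z"; normalise before parsing.
            $stamp = $Matches[1] -replace 'UTC$', 'Z'
            $expires = [DateTimeOffset]::Parse($stamp, [cultureinfo]::InvariantCulture)
            if ($null -eq $latest -or $expires -gt $latest) { $latest = $expires }
        }
    }
    if ($null -eq $latest) {
        return [pscustomobject]@{ Valid = $false; ExpiresAt = $null
                                  Reason = 'no SSO token file found; run aws sso login on the host' }
    }
    $valid = $latest -gt [DateTimeOffset]::UtcNow
    [pscustomobject]@{
        Valid     = $valid
        ExpiresAt = $latest
        Reason    = if ($valid) { 'token present and unexpired' } else { 'token expired; run aws sso login again' }
    }
}

# Hypothetical wrapper for the CI step: fail fast, confirm identity, then request the token.
function Get-CATokenWithPreflight {
    param([string]$Domain, [string]$DomainOwner, [string]$Region = 'us-east-1')
    $check = Test-SsoTokenCache
    if (-not $check.Valid) { throw "SSO pre-flight failed: $($check.Reason)" }
    Get-STSCallerIdentity -Region $Region | Out-Null   # requires AWS.Tools.SecurityToken
    Get-CAAuthorizationToken -Region $Region -Domain $Domain -DomainOwner $DomainOwner -Select 'AuthorizationToken'
}

# Offline demo against a constructed cache file with an expiry in the past.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'sso-cache-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'{"startUrl":"https://example.awsapps.com/start","region":"us-east-1","accessToken":"CONSTRUCTED","expiresAt":"2020-01-01T00:00:00Z"}' |
    Set-Content -Path (Join-Path $demo 'token.json')
Test-SsoTokenCache -CachePath $demo | Format-List Valid, ExpiresAt, Reason
```

The check only reads the cache, so it works with the read-only (`:ro`) mount shown in the docker run command above.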

rjacquemin commented 1 year ago

See, no problem using 4.1.164: [image]

See with the latest packages: [image]