Closed dspaxton closed 3 years ago
It seems like the git-remote-helper for CodeCommit works with AWS SSO out of the box with botocore 2.0.0 (which is what AWS CLI V2 runs on). However, until this botocore version becomes publicly available, we won't be able to support SSO credentials.
Is there any workaround to make single sign-on work? We are planning to deploy Control Tower for several customers, and CodeCommit usage with single sign-on would be great.
I haven't tested this workaround but it looks like it could work https://github.com/benkehoe/aws-sso-credential-process.
A harder workaround that I have tested involves cloning the v2 branch of botocore https://github.com/boto/botocore/tree/v2 and installing it as a pip module. However, this is potentially dangerous because of backward incompatibility between the current botocore version and the v2 branch that could break some of your workflows.
It looks like this issue is fixed as of the current botocore version. Please update your botocore version to the latest and try running SSO with the git-remote-helper.
I get this message when I run fetch:
'Namespace' object has no attribute 'cli_binary_format'
remote: Counting objects: 215, done.
Receiving objects: 100% (215/215), 3.39 MiB | 11.06 MiB/s, done.
Resolving deltas: 100% (135/135), completed with 52 local objects.
...
Otherwise it works fine.
It's a general issue with the current implementation of SSO credentials on the AWS CLI v2. I created an npm package as a temporary workaround: https://github.com/ryansonshine/aws-sso-creds-helper
@dytoto Can you elaborate on what you mean by "current botocore version"? As far as I can see, there is still no v2 released.
@onitake as of version 1.17.0 of botocore this issue should be resolved. The git-remote-codecommit requirements have also been updated to reflect this. Please try updating your botocore by using
pip install botocore --upgrade
Huh, you're right! When I tested this yesterday, it didn't work. But it did today.
In any case, Debian has 1.17.22 in bullseye/sid, so I can confirm that this version works.
Thanks!
In a case like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give our open-source project a try: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval, then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools / SDKs.
With the GA of AWS CLI V2, it would be good if the plugin can be updated to make use of it for customers who have switched to AWS SSO for authentication.