Closed natesilva closed 6 months ago
Hey @natesilva, have you tried following this recipe to configure a credential process? https://docs.commonfate.io/granted/recipes/credential-process
You can configure a credential process on the profile, and changing the sso args to be prefixed with granted ensures that SDKs use Granted instead of trying to find the SSO token in the default cache.
Thank you, it works now. I missed that step apparently.
I am using `assume` to authenticate to my organization, which uses SSO.

At the command-line, this works. But when I run an app that uses the AWS SDK for Node.js, v3, (`@aws-sdk/client-secrets-manager`) it fails to use my credentials and reports:

I have to run the old `aws sso login` command to make it work.

This is happening because `assume` has set the `AWS_PROFILE` environment variable. The SDK uses this to look up the profile in `.aws/config`, sees that it is an SSO-enabled profile, and looks for cached SSO credentials.

Workarounds

- `AWS_PROFILE` environment variable. The SDK will use the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` as expected.
- `fromEnv` (from `@aws-sdk/credential-providers`). However, if you do this it won’t use the default credential provider chain -- which is a problem if your credentials may be coming from a different source once deployed.

Is there any advice for how to deal with this? Can `assume` not set `AWS_PROFILE`?
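
Added example, not part of the thread or of Granted's own code: a Node.js check that reads AWS config text and reports which profiles still carry plain `sso_*` keys, the condition the reply above says sends the SDK to the SSO token cache instead of Granted. The `granted_sso_*` key names, the `credential_process` command line and the sample profiles are assumptions constructed for illustration.

```javascript
// Constructed sample config. The granted_sso_* key names and the
// credential_process command line are assumptions, not taken from the thread.
const SAMPLE_CONFIG = `
[profile dev-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[profile dev-granted]
granted_sso_start_url = https://example.awsapps.com/start
granted_sso_region = us-east-1
credential_process = granted credential-process --profile dev-granted

[profile half-migrated]
sso_start_url = https://example.awsapps.com/start
credential_process = granted credential-process --profile half-migrated
`;

// Minimal parser: [default] / [profile name] sections; other sections are skipped.
function parseProfiles(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    if (line.startsWith('[')) {
      const m = line.match(/^\[(?:profile\s+)?([^\]\s]+)\]$/);
      current = m ? (profiles[m[1]] = {}) : null;
      continue;
    }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// 'sso-cache': plain sso_* keys, so the SDK looks for cached SSO credentials.
// 'mixed': credential_process is set but sso_* keys still lack the granted prefix.
function classify(keys) {
  const nativeSso = Object.keys(keys).some((k) => k.startsWith('sso_'));
  const hasProcess = 'credential_process' in keys;
  if (nativeSso) return hasProcess ? 'mixed' : 'sso-cache';
  return hasProcess ? 'credential-process' : 'other';
}

function auditConfig(text) {
  const entries = Object.entries(parseProfiles(text));
  return Object.fromEntries(entries.map(([name, keys]) => [name, classify(keys)]));
}

console.log(auditConfig(SAMPLE_CONFIG));
```

Pass it the contents of `.aws/config`; any profile reported as `sso-cache` or `mixed` is one where the SDK can still go looking for the cached SSO token.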