Can't use AWS SSO auth with sso-session profile

Overview of the Issue

There are two ways you can configure an AWS profile using AWS SSO / AWS IAM Identity Center authentication :

Packer can make use of the second, but not the first.

Plugin and Packer version

Packer v1.8.6
amazon plugin : 1.2.1
awscli : aws-cli/2.9.12 Python/3.9.11 Linux/6.2.8-200.fc37.x86_64 exe/x86_64.fedora.37 prompt/off

Simplified Packer Buildfile

packer {
  required_plugins {
    amazon = {
      version = ">= 1.2.1"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

source "amazon-ebs" "ubuntu" {

  profile = "tooling-old" ### IMPORTANT LINE

  region = "eu-west-3" # Not related to sso region, this is the region where aws resources get created
  source_ami_filter {
    filters = {
      name                = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    owners      = ["099720109477"] # Official Canonical provider
    most_recent = true
  }
  instance_type   = "t3a.large"
  ssh_username    = "ubuntu"
  ami_name        = "notused"
  skip_create_ami = true # we're just testing here
}

build {
  name = "test"
  sources = [
    "source.amazon-ebs.ubuntu"
  ]

  provisioner "shell" {
    inline = ["echo foo"]
  }
}

Corresponding ~/.aws/config :

# Common SSO configuration, shared between all profiles requiring SSO
[sso-session my-common-sso-session]
sso_start_url = https://d-<something>.awsapps.com/start
sso_region = <your-sso-region>

# SSO profile leveraging common SSO configuration
# We could create many other profiles, we'd be able to authenticate to all of them simultaneously
[profile tooling-new]
sso_account_id = <your-account-id>
sso_role_name = <your-sso-role>
sso_session = my-common-sso-session

# "old" profile, without SSO session
# With this configuration, you need to periodically re-authenticate to each profile
[profile tooling-old]
sso_account_id = <your-account-id>
sso_role_name = <your-sso-role>
sso_start_url = https://d-<something>.awsapps.com/start
sso_region = <your-sso-region>

Reproduction Steps

Create an AWS account and organization
Enable IAM Identity center and configure it so that you can authenticate as administrator to an AWS account (cf here)
Create ~/.aws/config based on the template above, filling in info from your own SSO setup
aws sso login --profile tooling-old : logs you in to the tooling-old profile
aws sso login --sso-session my-common-sso-session : logs you in to the my-common-sso-session sso session, used by the tooling-new profile
aws sts get-caller-identity --profile tooling-old : check that your tooling-old configuration and auth is valid, by displaying its identity
aws sts get-caller-identity --profile tooling-new : check that your tooling-new configuration and auth is valid, by displaying its identity
At this point we know that you're properly authenticated through both configurations. Now, let's try to make packer use them
cd into an empty directory, and put the configuration above in a .hcl file

Run packer :


$ packer build .
test.amazon-ebs.ubuntu: output will be in this color.

==> test.amazon-ebs.ubuntu: Prevalidating any provided VPC information ==> test.amazon-ebs.ubuntu: Prevalidating AMI Name: notused test.amazon-ebs.ubuntu: Found Image ID: ami-05e8e219ac7e82eba ==> test.amazon-ebs.ubuntu: Creating temporary keypair: packer_64258c2b-0989-a7c1-f3d7-d03c32922054 ==> test.amazon-ebs.ubuntu: Creating temporary security group for this instance: packer_64258c2c-6278-a375-fc83-b8e8c34d2618 ==> test.amazon-ebs.ubuntu: Authorizing access to port 22 from [0.0.0.0/0] in the temporary security groups... ==> test.amazon-ebs.ubuntu: Launching a source AWS instance... test.amazon-ebs.ubuntu: Instance ID: i-0440cd6048bbf47f0 ==> test.amazon-ebs.ubuntu: Waiting for instance (i-0440cd6048bbf47f0) to become ready... ==> test.amazon-ebs.ubuntu: Using SSH communicator to connect: 13.39.156.128 ==> test.amazon-ebs.ubuntu: Waiting for SSH to become available... ==> test.amazon-ebs.ubuntu: Connected to SSH! ==> test.amazon-ebs.ubuntu: Provisioning with shell script: /tmp/packer-shell156204520 test.amazon-ebs.ubuntu: foo ==> test.amazon-ebs.ubuntu: Stopping the source instance... test.amazon-ebs.ubuntu: Stopping instance ==> test.amazon-ebs.ubuntu: Waiting for the instance to stop... ==> test.amazon-ebs.ubuntu: Skipping AMI creation... ==> test.amazon-ebs.ubuntu: Skipping AMI region copy... ==> test.amazon-ebs.ubuntu: Skipping Enable AMI deprecation... ==> test.amazon-ebs.ubuntu: Skipping AMI modify attributes... ==> test.amazon-ebs.ubuntu: Skipping AMI create tags... ==> test.amazon-ebs.ubuntu: Terminating the source AWS instance... ==> test.amazon-ebs.ubuntu: Cleaning up any extra volumes... ==> test.amazon-ebs.ubuntu: No volumes to clean up, skipping ==> test.amazon-ebs.ubuntu: Deleting temporary security group... ==> test.amazon-ebs.ubuntu: Deleting temporary keypair... Build 'test.amazon-ebs.ubuntu' finished after 1 minute 48 seconds.

==> Wait completed after 1 minute 48 seconds

==> Builds finished but no artifacts were created.

* Change the profile in packer config from `tooling-old` to `tooling-new`
* Re-run packer :

$ packer build . test.amazon-ebs.ubuntu: output will be in this color.

Build 'test.amazon-ebs.ubuntu' errored after 662 microseconds: Error creating AWS session: profile "tooling-new" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

==> Wait completed after 687 microseconds

==> Some builds didn't complete successfully and had errors: --> test.amazon-ebs.ubuntu: Error creating AWS session: profile "tooling-new" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

==> Builds finished but no artifacts were created.

<details>
<summary>Debug log</summary>

$ PACKER_LOG=1 packer build . 2023/03/30 15:56:25 [INFO] Packer version: 1.8.6 [go1.18.9 linux amd64] 2023/03/30 15:56:25 [TRACE] discovering plugins in /usr/bin 2023/03/30 15:56:25 [TRACE] discovering plugins in /home/toadjaune/.config/packer/plugins 2023/03/30 15:56:25 [DEBUG] Discovered plugin: amazon = /home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.1.6_x5.0_linux_amd64 2023/03/30 15:56:25 [DEBUG] Discovered plugin: amazon = /home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 2023/03/30 15:56:25 [DEBUG] Discovered plugin: docker = /home/toadjaune/.config/packer/plugins/github.com/hashicorp/docker/packer-plugin-docker_v1.0.8_x5.0_linux_amd64 2023/03/30 15:56:25 [INFO] found external [chroot ebs ebssurrogate ebsvolume instance] builders from amazon plugin 2023/03/30 15:56:25 [INFO] found external [import] post-processors from amazon plugin 2023/03/30 15:56:25 found external [ami parameterstore secretsmanager] datasource from amazon plugin 2023/03/30 15:56:25 [INFO] found external [-packer-default-plugin-name-] builders from docker plugin 2023/03/30 15:56:25 [INFO] found external [import push save tag] post-processors from docker plugin 2023/03/30 15:56:25 [TRACE] discovering plugins in . 2023/03/30 15:56:25 [INFO] PACKER_CONFIG env var not set; checking the default config file path 2023/03/30 15:56:25 [INFO] PACKER_CONFIG env var set; attempting to open config file: /home/toadjaune/.packerconfig 2023/03/30 15:56:25 [WARN] Config file doesn't exist: /home/toadjaune/.packerconfig 2023/03/30 15:56:25 [INFO] Setting cache directory: /home/toadjaune/.cache/packer 2023/03/30 15:56:25 [TRACE] listing potential installations for "github.com/hashicorp/amazon" that match ">= 1.2.1". plugingetter.ListInstallationsOptions{FromFolders:[]string{"/usr/bin/packer", ".", "/home/toadjaune/.config/packer/plugins"}, BinaryInstallationOptions:plugingetter.BinaryInstallationOptions{APIVersionMajor:"5", APIVersionMinor:"0", OS:"linux", ARCH:"amd64", Ext:"", Checksummers:[]plugingetter.Checksummer{plugingetter.Checksummer{Type:"sha256", Hash:(*sha256.digest)(0xc000132300)}}}} 2023/03/30 15:56:25 [TRACE] version "v1.1.6" of file "/home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.1.6_x5.0_linux_amd64" does not match constraint ">= 1.2.1" 2023/03/30 15:56:26 [TRACE] Found the following "github.com/hashicorp/amazon" installations: [{/home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 v1.2.1}] 2023/03/30 15:56:26 [INFO] found external [chroot ebs ebssurrogate ebsvolume instance] builders from amazon plugin 2023/03/30 15:56:26 [INFO] found external [import] post-processors from amazon plugin 2023/03/30 15:56:26 found external [ami parameterstore secretsmanager] datasource from amazon plugin 2023/03/30 15:56:26 [TRACE] Starting external plugin /home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 start builder ebs 2023/03/30 15:56:26 Starting plugin: /home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 []string{"/home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64", "start", "builder", "ebs"} 2023/03/30 15:56:26 Waiting for RPC address for: /home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 2023/03/30 15:56:26 packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 plugin: 2023/03/30 15:56:26 Plugin address: unix /tmp/packer-plugin894048634 2023/03/30 15:56:26 packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 plugin: 2023/03/30 15:56:26 Waiting for connection... 2023/03/30 15:56:26 Received unix RPC address for /home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64: addr is /tmp/packer-plugin894048634 2023/03/30 15:56:26 packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 plugin: 2023/03/30 15:56:26 Serving a plugin connection... 2023/03/30 15:56:26 packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 plugin: 2023/03/30 15:56:26 [TRACE] starting builder ebs 2023/03/30 15:56:26 packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 plugin: 2023/03/30 15:56:26 [INFO] (aws): No AWS timeout and polling overrides have been set. Packer will default to waiter-specific delays and timeouts. If you would like to customize the length of time between retries and max number of retries you may do so by setting the environment variables AWS_POLL_DELAY_SECONDS and AWS_MAX_ATTEMPTS or the configuration options aws_polling_delay_seconds and aws_polling_max_attempts to your desired values. 2023/03/30 15:56:26 [TRACE] Starting internal plugin packer-provisioner-shell 2023/03/30 15:56:26 Starting plugin: /usr/bin/packer []string{"/usr/bin/packer", "plugin", "packer-provisioner-shell"} 2023/03/30 15:56:26 Waiting for RPC address for: /usr/bin/packer 2023/03/30 15:56:26 packer-provisioner-shell plugin: [INFO] Packer version: 1.8.6 [go1.18.9 linux amd64] 2023/03/30 15:56:26 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var not set; checking the default config file path 2023/03/30 15:56:26 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var set; attempting to open config file: /home/toadjaune/.packerconfig 2023/03/30 15:56:26 packer-provisioner-shell plugin: [WARN] Config file doesn't exist: /home/toadjaune/.packerconfig 2023/03/30 15:56:26 packer-provisioner-shell plugin: [INFO] Setting cache directory: /home/toadjaune/.cache/packer 2023/03/30 15:56:26 packer-provisioner-shell plugin: args: []string{"packer-provisioner-shell"} 2023/03/30 15:56:26 packer-provisioner-shell plugin: Plugin address: unix /tmp/packer-plugin4171420712 2023/03/30 15:56:26 packer-provisioner-shell plugin: Waiting for connection... 2023/03/30 15:56:26 Received unix RPC address for /usr/bin/packer: addr is /tmp/packer-plugin4171420712 2023/03/30 15:56:26 packer-provisioner-shell plugin: Serving a plugin connection... 2023/03/30 15:56:26 Build debug mode: false 2023/03/30 15:56:26 Force build: false 2023/03/30 15:56:26 On error: 2023/03/30 15:56:26 Waiting on builds to complete... 2023/03/30 15:56:26 Starting build run: test.amazon-ebs.ubuntu 2023/03/30 15:56:26 Running builder: 2023/03/30 15:56:26 [INFO] (telemetry) Starting builder amazon-ebs.ubuntu test.amazon-ebs.ubuntu: output will be in this color.

2023/03/30 15:56:26 packer-plugin-amazon_v1.2.1_x5.0_linux_amd64 plugin: 2023/03/30 15:56:26 [INFO] Attempting to use session-derived credentials 2023/03/30 15:56:26 [INFO] (telemetry) ending amazon-ebs.ubuntu ==> Wait completed after 647 microseconds 2023/03/30 15:56:26 machine readable: error-count []string{"1"} ==> Some builds didn't complete successfully and had errors: 2023/03/30 15:56:26 machine readable: test.amazon-ebs.ubuntu,error []string{"Error creating AWS session: profile \"tooling-new\" is configured to use SSO but is missing required configuration: sso_region, sso_start_url"} ==> Builds finished but no artifacts were created. 2023/03/30 15:56:26 [INFO] (telemetry) Finalizing. Build 'test.amazon-ebs.ubuntu' errored after 620 microseconds: Error creating AWS session: profile "tooling-new" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

==> Wait completed after 647 microseconds

==> Builds finished but no artifacts were created. 2023/03/30 15:56:26 waiting for all plugin processes to complete... 2023/03/30 15:56:26 /home/toadjaune/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.1_x5.0_linux_amd64: plugin process exited 2023/03/30 15:56:26 /usr/bin/packer: plugin process exited

Operating system and Environment details

Fedora 37 (Workstation)

$ uname -a
Linux <hostname> 6.2.8-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:11:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Issue and fix hypothesis

Related issues :

https://github.com/hashicorp/packer-plugin-amazon/issues/304 might be the same issue. Unsure.
https://github.com/hashicorp/terraform/issues/32465 same issue on the S3 backend plugin for terraform

Considering how this is exactly the same issue as the terraform one linked above, it seems likely that the fix here would be similar. It would seem said fix is upgrading the AWS SDK used by packer.

hashicorp / packer-plugin-amazon