Open poornima-krishnasamy opened 8 months ago
Configuring aws cli config profile to use SSO
The AWS docs state there are two ways to authenticate users with IAM Identity Center to obtain credentials for running AWS CLI commands through the config file:
- SSO token provider configuration (recommended) – Extended session durations.
- Legacy non-refreshable configuration – Uses a fixed, eight-hour session.
In both configurations, you need to sign in again when your session expires.
When running terraform using the recommended config, the following error occurs:
➜ vpc git:(main) ✗ terraform init
Initializing modules...
Downloading git::https://github.com/ministryofjustice/cloud-platform-terraform-route53-logs.git?ref=1.0.4 for route53_query_log...
- route53_query_log in .terraform/modules/route53_query_log
Downloading registry.terraform.io/terraform-aws-modules/s3-bucket/aws 3.15.1 for route53_query_log.s3_bucket_query_log...
- route53_query_log.s3_bucket_query_log in .terraform/modules/route53_query_log.s3_bucket_query_log
Initializing the backend...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "moj-cp" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
The platform is still built on terraform v1.25, and this version doesn't support the recommended config. We have to use the legacy config for now.
We can start using the up-to-date recommended config when we move to terraform 1.6.0.
- issue discussed in community thread
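The error above is what an older AWS SDK reports when a profile carries `sso_session` (the recommended form) instead of the four legacy keys directly on the profile. The script below is an added example, not code from the issue or the cloud-platform repository: it parses a constructed `~/.aws/config` (profile names, start URL, account id and role name are placeholders), reports which style each profile uses and which legacy keys the profile itself lacks, and rewrites an `sso-session` profile into the legacy form by copying `sso_start_url` and `sso_region` from the referenced `[sso-session]` section.

```python
"""Classify AWS CLI profiles by SSO config style and derive the legacy form.

Added example, not part of the original issue or the cloud-platform repo.
The sample config is constructed for illustration only.
"""
import configparser

# Constructed sample ~/.aws/config: one profile in the recommended
# sso-session form, one complete legacy profile, one legacy profile
# missing keys.
SAMPLE_CONFIG = """
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_registration_scopes = sso:account:access

[profile moj-cp]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = eu-west-2

[profile legacy-ok]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = eu-west-2

[profile legacy-broken]
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
"""

# Keys the legacy (non-refreshable) configuration expects directly on the
# profile; an SDK that predates sso-session support looks only for these.
LEGACY_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def load_config(text):
    # Only '=' is a delimiter so URLs and scope strings with ':' parse intact.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return parser


def check_profile(cfg, name):
    """Return (style, legacy keys missing from the profile section itself)."""
    section = cfg[f"profile {name}"]
    if "sso_session" in section:
        style = "sso-session"
    elif any(k in section for k in LEGACY_KEYS):
        style = "legacy"
    else:
        style = "non-sso"
    missing = [k for k in LEGACY_KEYS if k not in section]
    return style, missing


def to_legacy(cfg, name):
    """Build the legacy-form equivalent of a profile as a key -> value dict.

    For an sso-session profile, sso_start_url and sso_region are copied in
    from the referenced [sso-session] block and the sso_session key dropped.
    """
    section = cfg[f"profile {name}"]
    out = {k: v for k, v in section.items() if k != "sso_session"}
    if "sso_session" in section:
        sess = cfg[f"sso-session {section['sso_session']}"]
        out["sso_start_url"] = sess["sso_start_url"]
        out["sso_region"] = sess["sso_region"]
    return out


def render_legacy(name, values):
    """Render a profile dict back into config-file syntax."""
    lines = [f"[profile {name}]"]
    lines += [f"{k} = {v}" for k, v in sorted(values.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for p in ("moj-cp", "legacy-ok", "legacy-broken"):
        style, missing = check_profile(cfg, p)
        print(f"{p}: {style}; legacy keys missing on profile: {missing or 'none'}")
    print(render_legacy("moj-cp", to_legacy(cfg, "moj-cp")))
```

For the constructed `moj-cp` profile the check reports exactly the two keys named in the terraform error, `sso_start_url` and `sso_region`, because they live in the `[sso-session]` block rather than on the profile. Rewriting the profile into the legacy form clears the error at the cost the issue already notes: a fixed eight-hour, non-refreshable session.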
Working branch
Background
EKS aws-auth has the provision to add an SSO Administrator role. Can Cloud Platform utilize this provision and get rid of the individual IAM users added in the cluster config? https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf#L195-L268
Guide on configuring SSO with admin role: https://aws.amazon.com/blogs/containers/a-quick-path-to-amazon-eks-single-sign-on-using-aws-sso/
If we can perform terraform and aws cli operations using SSO, we would benefit from short-lived credentials and could get rid of our IAM users altogether. This would also avoid storing long-term credentials locally to perform these operations.
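Mapping an Identity Center permission-set role into aws-auth has one well-known wrinkle: the role ARN Identity Center creates carries an IAM path (`aws-reserved/sso.amazonaws.com/<region>/`), and aws-auth `mapRoles` entries must be written without that path or the role never matches. The helper below is an added example, not code from the issue or the cloud-platform repository; the account id and the permission-set suffix in the sample ARN are constructed placeholders, and the `{{SessionName}}` username template is the aws-iam-authenticator feature that records which SSO user acted.

```python
"""Build an aws-auth mapRoles entry for an IAM Identity Center (SSO) role.

Added example, not part of the original issue or the cloud-platform repo.
The sample ARN is constructed; the trailing hex suffix is assigned by
Identity Center and changes if the permission set is re-created, so the
entry has to be regenerated in that case.
"""
import re

# Constructed: the shape of a permission-set role ARN as Identity Center
# provisions it in a member account.
SSO_ROLE_ARN = (
    "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/"
    "eu-west-2/AWSReservedSSO_AdministratorAccess_0123456789abcdef"
)

# account id, then the final path component (the bare role name).
_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:.+/)?([^/]+)$")


def strip_role_path(arn):
    """Return (path-free role ARN, bare role name) for an IAM role ARN.

    aws-auth does not match ARNs that contain a path, so the reserved SSO
    path segments are dropped while the account id and role name are kept.
    """
    m = _ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    account, name = m.groups()
    return f"arn:aws:iam::{account}:role/{name}", name


def map_roles_entry(arn, groups=("system:masters",)):
    """One mapRoles element. The username embeds {{SessionName}} so audit
    logs attribute actions to the individual SSO user, not just the role."""
    rolearn, name = strip_role_path(arn)
    return {
        "rolearn": rolearn,
        "username": f"{name}:{{{{SessionName}}}}",
        "groups": list(groups),
    }


def render_yaml(entry):
    """Render the entry as the YAML list item used under mapRoles."""
    lines = [
        f"- rolearn: {entry['rolearn']}",
        f"  username: {entry['username']}",
        "  groups:",
    ]
    lines += [f"    - {g}" for g in entry["groups"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_yaml(map_roles_entry(SSO_ROLE_ARN)))
```

`system:masters` is used here because the issue talks about an Administrator role; for anything narrower, map the permission-set role to a dedicated group bound by RBAC instead, and keep the mapping regenerated from the live ARN so a re-created permission set (new suffix) does not silently lock administrators out.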
Questions / Assumptions
Definition of done