org-formation / org-formation-cli

Better than landingzones!
MIT License

Can't init org-formation using an SSO profile in CLI #538

Open keithrobbo opened 10 months ago

keithrobbo commented 10 months ago

Subject of the issue

Can't init org-formation using an SSO profile in CLI.

Your environment

Steps to reproduce

Configure AWS SSO in Windows CMD CLI. Log in using an SSO session and profile. Run the command to initialise org-formation and generate an organization.yml file e.g.: org-formation init organization.yml --region eu-central-1

Expected behaviour

There should be no errors and a file organization.yml generated locally in user folder.

Actual behaviour

Two examples (the difference is in how the profile is selected in the CLI: 1. profile set to default; 2. profile explicitly added to the command). Note that the profile used has full administrator access as an AWS IAM Identity Centre user to the management/root AWS account for AWS Organisations. The profile is able to successfully perform administrative tasks from the CLI, such as creating and deleting S3 buckets, without any issue.

1.
    C:\Users\keith>set aws_profile=kmr-root
    C:\Users\keith>org-formation init organization.yml --region eu-west-2
    Error: ENOENT: no such file or directory, open 'C:\Users\keith.aws\credentials'
    ERROR: unexpected error occurred... EC2 Metadata roleName request returned error (use option --print-stack to print stack)

The error is true in that there is no 'credentials' file (or folder) in my .aws folder, just a file called config, which has all of the SSO profile and session configs.

2.
    C:\Users\keith>org-formation init organization.yml --region eu-west-2 --profile kmr-root
    Error: No sso_start_url set for profile kmr-root
    ERROR: unexpected error occurred... Profile kmr-root did not include credential process (use option --print-stack to print stack)

Now I have used org-formation successfully before, but that was using the CLI with an IAM user profile, with regular access key credentials. Is the issue here that I am using an SSO profile? I don't really want to use the root user of the management AWS account, or have to create an admin IAM user, but is this something I will need to do for org-formation to actually work?
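An added diagnostic, not code from org-formation or from the poster, for the second error above. It assumes the "No sso_start_url set for profile" message comes from a credential resolver that only reads the four SSO keys when they sit inline in the profile (AWS's legacy non-refreshable format) and does not follow a newer `sso_session` reference; it shows how such a resolver sees an sso-session style profile and how the same settings render in the inline format. The config text, the session name `my-sso`, the start URL and the account id are constructed placeholders.

```python
"""Check whether an AWS config profile is readable by a resolver that only
understands inline SSO keys, and render the legacy inline form if not."""
import configparser

# Constructed sample in the newer sso-session style; only the profile name
# is taken from the issue, every other value is a placeholder.
SAMPLE_CONFIG = """
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_registration_scopes = sso:account:access

[profile kmr-root]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = eu-west-2
"""

# Keys the legacy (non-refreshable) SSO profile format expects inline.
LEGACY_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def load_config(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def resolve_sso(cp, profile):
    """Merge the referenced [sso-session] section into the profile and report
    whether the four legacy keys are already inline (legacy_inline)."""
    section = "profile %s" % profile
    if not cp.has_section(section):
        raise KeyError("profile %s not found" % profile)
    effective = dict(cp.items(section))
    session = effective.pop("sso_session", None)
    if session:
        sess = "sso-session %s" % session
        if not cp.has_section(sess):
            raise KeyError("sso-session %s referenced but not defined" % session)
        for k, v in cp.items(sess):
            effective.setdefault(k, v)  # profile values win over session values
    legacy_inline = all(cp.has_option(section, k) for k in LEGACY_KEYS)
    missing = [k for k in LEGACY_KEYS if k not in effective]
    return {"settings": effective, "legacy_inline": legacy_inline, "missing": missing}


def legacy_profile_text(cp, profile):
    """Render the profile with the SSO keys inline (sso_registration_scopes is
    a session-only key and is dropped)."""
    info = resolve_sso(cp, profile)
    if info["missing"]:
        raise ValueError("cannot render legacy profile, missing %s" % info["missing"])
    s = info["settings"]
    lines = ["[profile %s]" % profile] + ["%s = %s" % (k, s[k]) for k in LEGACY_KEYS]
    lines += ["%s = %s" % (k, v) for k, v in s.items()
              if k not in LEGACY_KEYS and k != "sso_registration_scopes"]
    return "\n".join(lines) + "\n"
```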

keithrobbo commented 10 months ago

OK, for anybody's info, I've found a simple workaround for this that doesn't require setting up a permanent IAM user or resorting to using the root user. Using the AWS SSO access portal, select your master account, for which you should have AdministratorAccess permission, then select the 'Command line or programmatic access' link. Then select which platform you are using for your CLI. Then choose 'Option 1: Set AWS environment variables (Short-term credentials)', copy and paste the environment variables into your CLI and run them. You will then effectively have a temporary IAM user profile. Running the org-formation init command will now work successfully!

nlang commented 9 months ago

@keithrobbo you can use yawsso, this will help keeping the old world of profiles in sync with SSO profiles.

keithrobbo commented 9 months ago

Thanks @nlang I'll check that out.

OlafConijn commented 9 months ago

hi! Another thing that might (or might not 🙈) help: we are working on / finalizing a new version that uses the aws-sdk v3. A lot has changed going from v2 to v3 (also in how credentials get resolved).

You could give this a try by installing version 1.0.12-beta.6:

    npm i aws-organization-formation@1.0.12-beta.6

cc @rene84