synfinatic / aws-sso-cli

A powerful tool for using AWS Identity Center for the CLI and web console.
https://synfinatic.github.io/aws-sso-cli/
GNU General Public License v3.0

Unable to use in GitHub Codespaces #816

Closed Moulick closed 3 months ago

Moulick commented 3 months ago

Output of aws-sso version:

AWS SSO CLI Version 1.14.3 -- Copyright 2021-2023 Aaron Turner
f1574cff0d18ccb6edebe73383e389eae011b659 (v1.14.3) built at 2024-01-15T22:27:44+0000

Describe the bug: Trying to use aws-sso-cli in GitHub Codespaces. Trying to authenticate gives the above error. aws configure sso opens a new tab/popup to click the allow access button.

To Reproduce:

  1. Launch a new GitHub Codespace
  2. Install aws-sso-cli
  3. Run aws-sso list and go through the wizard
  4. See error below

Expected behaviour: Open AWS login page to authorise

Current behaviour

@Moulick ➜ ~ $ aws-sso
Enter passphrase to unlock "/home/codespace/.aws-sso/secure": 

        Verify this code in your browser: XZST-WNRZ
FATAL   Unable to authenticate                        error="Unable to open URL with default browser: exec: \"xdg-open\": executable file not found in $PATH"
@Moulick ➜ ~ $ 

Desktop (please complete the following information):

Contents of ~/.aws-sso/config.yaml:

SSOConfig:
    Default:
        SSORegion: eu-central-1
        StartUrl: https://dummy.awsapps.com/start
ConsoleDuration: 720
CacheRefresh: 168
UrlAction: open
LogLevel: error
HistoryLimit: 10
HistoryMinutes: 1440
ProfileFormat: "{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}"
FullTextSearch: true

Moulick commented 3 months ago

It seems there is a $BROWSER variable exported in GitHub Codespaces which is some script that handles URL opening nicely.

synfinatic commented 3 months ago

aws-sso knows nothing about the $BROWSER variable. Since you don't have xdg-open, you'll want to configure the browser manually per the docs: https://synfinatic.github.io/aws-sso-cli/config/#browser-urlaction-urlexeccommand

Moulick commented 3 months ago

Oh nice. Tried this now and got the following issue

UrlAction: exec
UrlExecCommand:
    - $BROWSER
    - "%s"

@Moulick ➜ ~ $ aws-sso list
WARNING The specified item could not be found in the keyring 
Enter passphrase to unlock "/home/codespace/.aws-sso/secure": 

        Verify this code in your browser: <redacted>
FATAL   Unable to authenticate                        error="Unable to exec `$BROWSER https://device.sso.eu-central-1.amazonaws.com/?user_code=<redacted>`: exec: \"$BROWSER\": executable file not found in $PATH"

Moulick commented 3 months ago

@Moulick ➜ ~ $ echo $BROWSER 
/vscode/bin/linux-x64/863d2581ecda6849923a2118d93a088b0745d9d6/bin/helpers/browser.sh

Moulick commented 3 months ago

I need a way to somehow expand shell variables, even something like $HOME or ~ to allow executing a script that I can write to handle running in GitHub Codespaces/Linux/macOS.

UrlExecCommand:
  - /bin/bash
  - '~/.aws-sso/open.sh'
  - "%s"

even something like this does not work :(

synfinatic commented 3 months ago

UrlExecCommand:
    - ~/bin/firefox.sh
    - "%s"

where contents of ~/bin/firefox.sh:

#!/bin/bash

# Quote "$@" so the URL reaches Firefox as one unmodified argument.
/Applications/Firefox.app/Contents/MacOS/firefox "$@"

Moulick commented 3 months ago

:(

UrlAction: exec
UrlExecCommand:
  - ~/.aws-sso/open.sh
  - "%s"

~/.aws-sso/open.sh

#! /bin/bash

# Quote "$@" so the URL is passed through as a single argument.
$BROWSER "$@"

Error:

FATAL   Unable to authenticate                        error="Unable to exec `~/.aws-sso/open.sh https://device.sso.eu-central-1.amazonaws.com/?user_code=<redacted>`: fork/exec ~/.aws-sso/open.sh: no such file or directory"

synfinatic commented 3 months ago

Yes. I'm saying you can't use $browser. aws-sso doesn't honor that. You need to put the path to the browser in the file.

Moulick commented 3 months ago

Apologies if I am misunderstanding, but aws-sso-cli is not expanding the ~. Because if I put the config as below, this works.

UrlExecCommand:
  - /home/codespace/.aws-sso/open.sh
  - "%s"

#! /bin/bash

# Quote "$@" so the URL is passed through as a single argument.
$BROWSER "$@"

So the $BROWSER is getting expanded but just the file path in the UrlExecCommand itself is not getting expanded.

synfinatic commented 3 months ago

Ah, sorry, you are correct, the ~ is not expanded for UrlExecCommand.

That said, I'm a bit surprised $BROWSER is valid in the shell script... I'm not manually passing the existing environment variables to exec.Command.

So sounds like you're good?

Moulick commented 3 months ago

Yeah, that is a surprise. But no, this does not solve my problem unfortunately. In my org, I am managing a shared repo with the ~/.aws-sso/config.yaml file and as everyone clones that repo, the path for their home is different. That means hardcoding the path in the config would not work. So I need at least ~ to be expanded or maybe $HOME or something to fix that. Passing the full env to UrlExecCommand probably can solve this?

synfinatic commented 3 months ago

Give that a try?

Moulick commented 3 months ago

So just tested main, ~ works but $HOME does not

@Moulick ➜ ~ $ /go/bin/aws-sso
Enter passphrase to unlock "/home/codespace/.aws-sso/secure": 

        Verify this code in your browser: redacted
FATAL   Unable to authenticate                        error="unable to exec `$HOME/.aws-sso/open.sh https://device.sso.eu-central-1.amazonaws.com/?user_code=redacted`: fork/exec $HOME/.aws-sso/open.sh: no such file or directory"
@Moulick ➜ ~ $ echo $HOME
/home/codespace
@Moulick ➜ ~ $ 

synfinatic commented 3 months ago

Sorry, yeah, I guess I wasn't clear.

The ~ will be expanded to the user home directory for a given executable. Not for arguments though.

The $HOME environment variable is now being explicitly passed in and accessible as an environment variable to the executable.

Basically, if you had a system shell script/binary and needed access to the user home directory, you should be able to do that now. I guess, that did work before??? Not sure why... no idea if it was portable or not. At least now it should work reliably now and in the future.
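
The behaviour worked out in this thread, as an added Go example (not aws-sso-cli's own code and not posted by either participant): the command list is run without a shell, so `~` is expanded only in the executable, `$VAR` in the config stays literal, and the variable is visible only once a child shell reads its environment. `buildArgv`, `childSees` and `DEMO_BROWSER` are hypothetical names; the example assumes `%s` is filled in by plain string substitution and relies on Go's `os/exec` giving the child the parent's environment when `Cmd.Env` is nil.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// buildArgv mimics the behaviour described in the thread (hypothetical helper,
// not aws-sso-cli's code): "%s" becomes the URL, "~" is expanded only in the
// executable, and "$VAR" is never expanded because no shell is involved.
func buildArgv(urlExecCommand []string, url, home string) ([]string, error) {
	if len(urlExecCommand) == 0 {
		return nil, fmt.Errorf("UrlExecCommand is empty")
	}
	argv := make([]string, len(urlExecCommand))
	for i, part := range urlExecCommand {
		argv[i] = strings.ReplaceAll(part, "%s", url)
	}
	if argv[0] == "~" || strings.HasPrefix(argv[0], "~/") {
		argv[0] = filepath.Join(home, argv[0][1:])
	}
	return argv, nil
}

// childSees runs argv directly (no shell) and returns the child's stdout.
// cmd.Env stays nil, so the child inherits the parent's environment.
func childSees(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).Output()
	return strings.TrimSpace(string(out)), err
}

func main() {
	os.Setenv("DEMO_BROWSER", "/constructed/browser.sh") // constructed value
	url := "https://device.sso.eu-central-1.amazonaws.com/?user_code=TEST-CODE"
	for _, cfg := range [][]string{
		{"$DEMO_BROWSER", "%s"},
		{"~/.aws-sso/open.sh", "%s"},
		{"/bin/bash", "~/.aws-sso/open.sh", "%s"},
	} {
		argv, _ := buildArgv(cfg, url, "/home/codespace")
		fmt.Printf("%q -> %q\n", cfg, argv)
	}
	lit, _ := childSees([]string{"echo", "$DEMO_BROWSER"})
	exp, _ := childSees([]string{"sh", "-c", `echo "$DEMO_BROWSER"`})
	fmt.Printf("as argv element: %s\ninside child shell: %s\n", lit, exp)
}
```

Because nothing in the list is parsed by a shell, the URL (including its `?`) reaches the program as a single argument; any expansion has to happen inside the wrapper script itself.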

Moulick commented 3 months ago

Ah, makes sense. This solves the issue for now. Please make a release so I can get my teams to upgrade. Thank you for supporting this!!

Moulick commented 2 months ago

Putting a link to gist here as example for anyone that stumbles here https://gist.github.com/Moulick/34a333da526a1063465630ed91c6129c