victorskl / yawsso

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials
MIT License

Getting The requested role with name AdministratorAccess does not exist #28

Closed dodtsair closed 3 years ago

dodtsair commented 4 years ago

yawsso is failing saying that AdministratorAccess does not exist... which it doesn't. But SSO has created the following role:

AWSReservedSSO_AdministratorAccess_17b6698160a088de

This used to work for me.

Steps I am taking:

$ aws configure sso
SSO start URL [None]: https://#@#@.awsapps.com/start#/
SSO Region [None]: us-west-2
There are 8 AWS accounts available to you.
Using the account ID #@#@#
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [us-west-2]:
CLI default output format [None]:
CLI profile name [AdministratorAccess-#@#@#@]: prod-ic

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile prod-ic
$ aws sso login --profile=prod-ic
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-west-2.amazonaws.com/

Then enter the code:

#@#@#@#@
Successully logged into Start URL: https://#@#@#@.awsapps.com/start#/
$ yawsso
Error executing command: `aws sts get-caller-identity`. Exception: An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: The requested role with name AdministratorAccess does not exist

Expected yawsso should return without error

victorskl commented 4 years ago

Thanks for reporting. Can you please try with --debug or --trace to see any useful output there? It will be good, if you can share your profiles ~/.aws/config (pls mask it), something like this https://github.com/victorskl/yawsso/issues/9. Then, we can pin point the cause... e.g.

[profile dev]
sso_start_url = https://<>.awsapps.com/start
sso_region = us-west-2
sso_account_id = 1234567890
sso_role_name = AdministratorAccess
region = us-west-2
output = json

...
... 
dodtsair commented 4 years ago

I believe this is caused by a stale aws configure sso.

If I use aws configure sso for something like:

[profile dev]
sso_start_url = https://<>.awsapps.com/start
sso_region = us-west-2
sso_account_id = #@#@#@#@
sso_role_name = AdministratorAccess
region = us-west-2
output = json

Then I go back into the SSO UI and reconfigure things such that the role is now admin-access. Then the next yawsso will fail.

The logs at trace identify the old profile:

2020-08-14 22:19:49,542 yawsso.cli   TRACE    Syncing profile... staging-sw: {'sso_start_url': 'https://#@#@#@.awsapps.com/start#/', 'sso_region': 'us-west-2', 'sso_account_id': '#@#@#@', 'sso_role_name': 'AdministratorAccess', 'region': 'us-west-2'}

Naturally I can fix this with aws configure sso and redoing the staging-sw profile

$ aws configure sso
SSO start URL [None]: https://#@#@#@awsapps.com/start#/
SSO Region [None]: us-west-2
There are 8 AWS accounts available to you.
Using the account ID #@#@#@
There are 2 roles available to you.
Using the role name "admin-with-billing"
CLI default client Region [us-west-2]:
CLI default output format [None]:
CLI profile name [admin-with-billing-#@#@#]: staging-sw

Now running yawsso with --trace moves on to the next profile in a bad state

2020-08-14 22:24:13,734 yawsso.cli   TRACE    Syncing profile... prod-sw: {'sso_start_url': 'https://#@#@#@.awsapps.com/start#/', 'sso_region': 'us-west-2', 'sso_account_id': '#@#@#@', 'sso_role_name': 'AdministratorAccess', 'region': 'us-west-2'}

Now I have a long list so if I need to get past this I can just select the profile I am interested in and skip the profiles that are in error.

yawsso --profiles 'dev-ic'

victorskl commented 4 years ago

Right, got your point! I can reproduce your use case. So, it is basically a stale role (or stale Permission Set, more precisely), i.e. the role name has either changed or no longer exists in your Org account's AWS SSO Permission Sets. Then the yawsso call to aws sts get-caller-identity fails. But you expect yawsso should continue. Okay, I reckon I can try changing its behaviour to warn instead of halt, will do!
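The two failure modes discussed above (a config profile whose sso_role_name no longer matches a Permission Set on the account, and a sync loop that halts on the first such profile instead of skipping it) can be reproduced offline. The following is an added example written for this thread, not yawsso's own code: it parses a constructed ~/.aws/config in the same layout as the profiles quoted above, flags profiles whose role is stale against a constructed role list (standing in for what `aws sso list-account-roles` would return), and runs a sync loop both in the reported halt-on-error mode and in the warn-and-continue mode the maintainer describes. `fake_get_role_credentials`, `RoleNotFound`, the account IDs and the role sets are all constructed stand-ins for the real `sso:GetRoleCredentials` call and its ForbiddenException.

```python
"""Added example (not yawsso code): detect stale sso_role_name entries in an
AWS CLI config and keep syncing the remaining profiles instead of halting."""
import configparser

# Constructed sample ~/.aws/config modelled on the profiles in this issue.
# prod-sw still points at AdministratorAccess, which the SSO admin replaced.
SAMPLE_CONFIG = """\
[profile dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-west-2

[profile prod-sw]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_account_id = 222222222222
sso_role_name = AdministratorAccess
region = us-west-2

[profile staging-sw]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_account_id = 222222222222
sso_role_name = admin-with-billing
region = us-west-2

[profile plain]
region = us-east-1
"""

# Constructed stand-in for the Permission Sets SSO currently exposes per account
# (what `aws sso list-account-roles` would list); AdministratorAccess is gone
# from account 222... and admin-with-billing took its place.
AVAILABLE_ROLES = {
    "111111111111": {"AdministratorAccess"},
    "222222222222": {"admin-with-billing", "ReadOnlyAccess"},
}

SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def load_sso_profiles(config_text):
    """Return {profile_name: {sso keys}} for every section carrying all SSO keys."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        # AWS CLI config names non-default profiles "[profile <name>]"
        name = section[len("profile "):] if section.startswith("profile ") else section
        if all(key in parser[section] for key in SSO_KEYS):
            profiles[name] = {key: parser[section][key] for key in SSO_KEYS}
    return profiles


def find_stale_profiles(profiles, available_roles):
    """Profiles whose sso_role_name is no longer a Permission Set on the account."""
    return sorted(
        name for name, p in profiles.items()
        if p["sso_role_name"] not in available_roles.get(p["sso_account_id"], set())
    )


class RoleNotFound(Exception):
    """Constructed stand-in for the ForbiddenException GetRoleCredentials raises."""


def fake_get_role_credentials(profile):
    """Constructed stand-in for sso.get_role_credentials(); fails on a stale role."""
    if profile["sso_role_name"] not in AVAILABLE_ROLES.get(profile["sso_account_id"], set()):
        raise RoleNotFound(
            f"The requested role with name {profile['sso_role_name']} does not exist")
    # Shape of a successful roleCredentials payload; values are placeholders.
    return {"accessKeyId": "AKIA...", "secretAccessKey": "...", "sessionToken": "..."}


def sync_profiles(profiles, fetch=fake_get_role_credentials, halt_on_error=False, only=None):
    """Sync each profile in config order. halt_on_error=True reproduces the
    behaviour reported in this issue (first stale profile stops the run);
    False records the failure and moves on. `only` mirrors `--profiles`."""
    synced, failed = [], {}
    for name, profile in profiles.items():
        if only is not None and name not in only:
            continue
        try:
            fetch(profile)
            synced.append(name)
        except RoleNotFound as exc:
            failed[name] = str(exc)
            if halt_on_error:
                break
    return synced, failed


if __name__ == "__main__":
    found = load_sso_profiles(SAMPLE_CONFIG)
    print("stale:", find_stale_profiles(found, AVAILABLE_ROLES))
    print("halt :", sync_profiles(found, halt_on_error=True))
    print("warn :", sync_profiles(found))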


victorskl commented 3 years ago

Fixed since pip install -U yawsso==0.6.0rc3

victorskl commented 3 years ago

Now with pip install -U yawsso==0.6.0. Closing.