Closed dodtsair closed 3 years ago
Thanks for reporting. Can you please try with --debug or --trace to see any useful output there? It will be good if you can share your profiles ~/.aws/config (pls mask it), something like this https://github.com/victorskl/yawsso/issues/9. Then, we can pinpoint the cause... e.g.
[profile dev]
sso_start_url = https://<>.awsapps.com/start
sso_region = us-west-2
sso_account_id = 1234567890
sso_role_name = AdministratorAccess
region = us-west-2
output = json
...
...
I believe this is caused by a stale aws configure sso.
If I use aws configure sso for something like:
[profile dev]
sso_start_url = https://<>.awsapps.com/start
sso_region = us-west-2
sso_account_id = #@#@#@#@
sso_role_name = AdministratorAccess
region = us-west-2
output = json
Then I go back into SSO UI and I reconfigure things such that the role is now admin-access. Then the next yawsso will fail.
The logs at trace identify the old profile:
2020-08-14 22:19:49,542 yawsso.cli TRACE Syncing profile... staging-sw: {'sso_start_url': 'https://#@#@#@.awsapps.com/start#/', 'sso_region': 'us-west-2', 'sso_account_id': '#@#@#@', 'sso_role_name': 'AdministratorAccess', 'region': 'us-west-2'}
Naturally I can fix this with aws configure sso and redoing the staging-sw profile
$ aws configure sso
SSO start URL [None]: https://#@#@#@awsapps.com/start#/
SSO Region [None]: us-west-2
There are 8 AWS accounts available to you.
Using the account ID #@#@#@
There are 2 roles available to you.
Using the role name "admin-with-billing"
CLI default client Region [us-west-2]:
CLI default output format [None]:
CLI profile name [admin-with-billing-#@#@#]: staging-sw
Now running yawsso with --trace moves on to the next profile in a bad state
2020-08-14 22:24:13,734 yawsso.cli TRACE Syncing profile... prod-sw: {'sso_start_url': 'https://#@#@#@.awsapps.com/start#/', 'sso_region': 'us-west-2', 'sso_account_id': '#@#@#@', 'sso_role_name': 'AdministratorAccess', 'region': 'us-west-2'}
Now I have a long list so if I need to get past this I can just select the profile I am interested in and skip the profiles that are in error.
yawsso --profiles 'dev-ic'
Right, got your point! I can reproduce your use case. So, it is basically a stale role (or stale Permission Sets more precisely) i.e. role name has either changed or no longer exists in your Org account AWS SSO Permission Sets. Then the yawsso call to aws sts get-caller-identity fails. But you expect that yawsso should continue. Okay, I reckon I can try to change its behaviour to warn instead of halt, will do!
Fixed since pip install -U yawsso==0.6.0rc3
Now with pip install -U yawsso==0.6.0. Closing.
yawsso is failing saying that AdministratorAccess does not exist... which it doesn't. But SSO has created the following role:
AWSReservedSSO_AdministratorAccess_17b6698160a088de
This used to work for me.
Steps I am taking:
Expected yawsso should return without error
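An added example, not part of the thread and not yawsso's own code: a small offline audit that finds profiles in ~/.aws/config whose sso_role_name no longer matches a permission set assigned to the account, and collects them as warnings instead of stopping at the first one. The config text, account IDs and the ASSIGNED_ROLES mapping are constructed; in practice the mapping would come from whatever lists the roles currently available to you in each account.

```python
import configparser

# Constructed sample ~/.aws/config; start URL and account IDs are placeholders.
SAMPLE_CONFIG = """
[profile dev-ic]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111111111111
sso_role_name = admin-with-billing
[profile staging-sw]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_account_id = 222222222222
sso_role_name = AdministratorAccess
[profile prod-sw]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_account_id = 333333333333
sso_role_name = AdministratorAccess
[profile legacy-keys]
region = us-west-2
"""

# Constructed stand-in for the roles currently assigned per account
# (assumption: after the permission set was renamed in the SSO UI).
ASSIGNED_ROLES = {
    "111111111111": {"admin-with-billing"},
    "222222222222": {"admin-with-billing", "admin-access"},
    "333333333333": {"admin-access"},
}
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

def audit_sso_profiles(config_text, assigned_roles):
    """Return (ok, stale): profile names whose role still exists, and
    (profile, role) pairs whose role is gone. Never stops at the first stale one."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    ok, stale = [], []
    for section in parser.sections():
        profile = parser[section]
        if not section.startswith("profile ") or not all(k in profile for k in SSO_KEYS):
            continue  # skip non-SSO profiles (e.g. static-key profiles)
        name = section[len("profile "):].strip()
        role = profile["sso_role_name"]
        if role in assigned_roles.get(profile["sso_account_id"], set()):
            ok.append(name)
        else:
            stale.append((name, role))  # record and keep going, do not halt
    return ok, stale

if __name__ == "__main__":
    ok, stale = audit_sso_profiles(SAMPLE_CONFIG, ASSIGNED_ROLES)
    for name, role in stale:
        print(f"WARNING: profile {name}: role {role!r} is not assigned; re-run aws configure sso")
    print("usable profiles:", ", ".join(ok))
```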