victorskl / yawsso

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials
MIT License

syncing for all named profiles fails when cache for first profile is not active on first time set up #66

Closed es50678 closed 1 year ago

es50678 commented 2 years ago

Hello,

Summary: When I try to sync all named profiles with yawsso, it fails unless the first profile in config is cached.

yawsso version: yawsso 0.7.2

aws-cli version: aws-cli/2.7.11 Python/3.10.5 Darwin/21.5.0 source/arm64 prompt/off


On first time use...

I have 4 sso profiles in my config:

[profile prodDeveloper]
...
[profile prodQABuilder]
...
[profile prodLeadDeveloper]
...
[profile prodAdmin]
...

I have prodAdmin cached, but nothing else and try to run yawsso

❯ yawsso
Current cached SSO login is expired since 2022-06-30T04:53:01-04:00. Try login again.

❯ export AWS_PROFILE=prodAdmin

❯ aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
....
Successfully logged into Start URL: https://d-92677f5210.awsapps.com/start#/

❯ yawsso
Current cached SSO login is expired since 2022-06-30T04:53:01-04:00. Try login again.

I then log in for prodDeveloper and everything works

❯ export AWS_PROFILE=prodDeveloper

❯ aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
....
Successfully logged into Start URL: https://staxlabs.awsapps.com/start#/

❯ yawsso
SUCCESS

I'm not sure if this is also a problem after the first time use, but I wanted to document it while I could.

I'll also try to take a look into the code base, I want more experience with Python and hopefully I can hack it out.

victorskl commented 2 years ago

Hey, thanks for reporting. I think I get a glimpse about procedural issue there. But let me try to reproduce and confirm. Yah, feel free to look around the code there. 🙂

es50678 commented 2 years ago

Looks like it's not a problem that only happens on start up, just tried it again this morning:

❯ yawsso
Current cached SSO login is expired since 2022-07-02T01:53:56-04:00. Try login again.

❯ export AWS_PROFILE=devAdmin

❯ yawsso
Current cached SSO login is expired since 2022-07-02T01:53:56-04:00. Try login again.

❯ aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
...
Successfully logged into Start URL: https://staxlabs.awsapps.com/start#/

❯ yawsso
Current cached SSO login is expired since 2022-07-02T01:53:16-04:00. Try login again.

❯ export AWS_PROFILE=prodAdmin

❯ yawsso
Current cached SSO login is expired since 2022-07-02T01:53:16-04:00. Try login again.

❯ aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
...
Successfully logged into Start URL: https://d-92677f5210.awsapps.com/start#/

❯ yawsso
> SUCCESS
❯

It also looks to be more complicated than I originally thought... as the order of the profiles in my config file changed. Before, prodDeveloper was first, but this morning it was prodAdmin.

It worked after I did aws sso login with prodAdmin when last time it worked when I did prodDeveloper, I didn't get to try prodDeveloper this time.

Maybe I was wayyy off in my original report on what the possible problem is?

Will look into it more if I have time today.

es50678 commented 2 years ago

Some more info from today's login, I think I'm getting close to the problem now...

so... I was trying to find out where yawsso gets the timestamp from "Current cached SSO login is expired since 2022-07-05T21:50:44-04:00. Try login again."

Found it in ~/.aws/sso/cache/FILE-1

{
  "startUrl": "START-URL-1",
  "expiresAt": "2022-07-05T21:50:44Z"
}

Then I did a login and noticed a tidbit:

❯ yawsso login --profile prodDeveloper
Successfully logged into Start URL: REDACTED
Current cached SSO login is expired since 2022-07-05T21:51:53-04:00. Try login again.

kept digging and found:

  1. FILE-1 had been updated to show 2022-07-07T03:47:11Z

  2. the timestamp from the last line of the output of my login attempt is the same as the timestamp in ~/.aws/sso/cache/FILE-2

{
  "startUrl": "START-URL-2",
  "expiresAt": "2022-07-05T21:51:53Z"
}

which is VERY interesting because I also noticed... in my credentials file, it only updated the credentials for 3/5 of my profiles

[prodAdmin]
aws_session_expiration = 2022-07-05T23:35:10+0000 <-- NOT UPDATED

[devAdmin]
aws_session_expiration = 2022-07-05T23:35:11+0000 <-- NOT UPDATED

[prodDeveloper]
aws_session_expiration = 2022-07-07T07:47:11+0000

[prodQABuilder]
aws_session_expiration = 2022-07-07T07:47:12+0000

[prodLeadDeveloper]
aws_session_expiration = 2022-07-07T07:47:13+0000

In fact, the only difference between the start-urls for the two sessions is that one uses the account id and the other the account alias.

The Epic Conclusion

I deleted the cache folder, ran aws sso login, then yawsso and everything went smoothly.

So... I think that's it. Feel free to close this if you want, only thing I can think to do is maybe add some messaging around it?

victorskl commented 2 years ago

Thanks for forensic.

Right! 2 SSO cache files from 2 SSO sessions. I will see if I can reproduce that -- might be handy to see your ~/.aws/config profiles counterpart on SSO setup there. If you can share, pls kindly REDACTED/mock them. I only need to know general config structure in there.

If you think yawsso is still producing the correct behaviour, we can close the issue, yes. We could drop a note in Wiki tab -- so that it helps next user who might encounter.
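
A read-only check for the situation diagnosed in this thread, added here as an example (it is not yawsso's code and not from either participant): it groups the session files in the SSO cache directory by startUrl and reports, for each profile in the AWS config, whether that profile's sso_start_url has an active, expired or missing cached session. It assumes per-profile sso_start_url keys and the expiresAt format shown above; the function names, sample URLs and file names are constructed.

```python
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def load_sso_cache(cache_dir):
    """Map each startUrl to its newest expiresAt across all cache files."""
    sessions = {}
    for path in Path(cache_dir).glob("*.json"):
        try:
            data = json.loads(path.read_text())
            # Timestamp format as shown in the thread: 2022-07-05T21:50:44Z
            expires = datetime.strptime(data["expiresAt"], "%Y-%m-%dT%H:%M:%SZ")
            url = data["startUrl"]
        except (OSError, ValueError, KeyError, TypeError):
            continue  # not a session file, or unreadable: skip it
        expires = expires.replace(tzinfo=timezone.utc)
        if url not in sessions or expires > sessions[url]:
            sessions[url] = expires
    return sessions

def profile_status(config_path, cache_dir, now=None):
    """Return {profile: 'active' | 'expired' | 'no-cache'} for SSO profiles."""
    now = now or datetime.now(timezone.utc)
    sessions = load_sso_cache(cache_dir)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(config_path)
    status = {}
    for section in cfg.sections():
        url = cfg.get(section, "sso_start_url", fallback=None)
        if url is None:
            continue  # not an SSO profile
        expires = sessions.get(url)
        state = "no-cache" if expires is None else ("active" if expires > now else "expired")
        status[section.split(" ", 1)[-1]] = state  # drop the "profile " prefix
    return status

def demo():
    """Constructed sample: two start URLs, only one session still valid."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.json").write_text(json.dumps(
            {"startUrl": "https://d-EXAMPLE.awsapps.com/start", "expiresAt": "2022-07-05T21:51:53Z"}))
        (root / "b.json").write_text(json.dumps(
            {"startUrl": "https://example-alias.awsapps.com/start", "expiresAt": "2022-07-07T03:47:11Z"}))
        (root / "config").write_text(
            "[profile prodAdmin]\nsso_start_url = https://d-EXAMPLE.awsapps.com/start\n"
            "[profile prodDeveloper]\nsso_start_url = https://example-alias.awsapps.com/start\n"
            "[profile legacy]\nregion = us-east-1\n")
        return profile_status(root / "config", root, datetime(2022, 7, 6, 12, tzinfo=timezone.utc))
```

Against a real setup, call profile_status with the paths to ~/.aws/config and ~/.aws/sso/cache; profiles reported as expired or no-cache are the ones that need their own aws sso login.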