Closed thekid closed 2 months ago
Found this:
For AWS cli > 2.13.5 which uses sso-session sections in configuration file, you need to change the SHA1 source to sso_session value in your profile
```bash
local sso_session="$(aws configure get sso_session --profile "${profile}")"
...
local cache_file="${HOME}/.aws/sso/cache/$(echo -n "$sso_session" | sha1sum | awk '{print $1}').json"
```
See https://github.com/aws/aws-cli/issues/5261#issuecomment-1739553837 /cc @lisamariekrause
Running `aws configure sso` yielded this config file with the old version:

```ini
[default]
region = eu-central-1

[profile lernwerk]
sso_start_url = https://enbw.awsapps.com/start/
sso_region = eu-central-1
sso_account_id = 1234567890123
sso_role_name = EnBWContributorSet
region = eu-central-1
```

If this file is retained as-is, the login still creates the correct file 2027fec77997822cbd244958e71e4736c844bed9.json.

However, when you empty the ~/.aws/config file and re-run the above command with the new version, the following file is created:

```ini
[default]
region = eu-central-1

[profile lernwerk]
sso_session = lerngpt
sso_account_id = 1234567890123
sso_role_name = EnBWContributorSet
region = eu-central-1

[sso-session lerngpt]
sso_start_url = https://enbw.awsapps.com/start/
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
```

...and the cache directory looks like this:

```shell
$ ls -al ~/.aws/sso/cache/
total 16
drwxr-xr-x 2 thekid thekid 4096 Aug 6 20:40 .
drwxr-xr-x 3 thekid thekid 4096 Jun 21 09:59 ..
-rw------- 1 thekid thekid 3157 Aug 6 20:40 4aa8768c1a0ab539806ba9c9e079bbef8c3e3bfd.json
-rw------- 1 thekid thekid 2565 Aug 6 20:40 f402abdfd11677e50e5476550548a6e77d66f302.json
$ xp -w 'sha1("lerngpt")'
4aa8768c1a0ab539806ba9c9e079bbef8c3e3bfd
```
Released in https://github.com/xp-forge/aws/releases/tag/v2.4.0
The fix was to test for `sso_session = ...` in the relevant section and then to check for sha1(session) instead of sha1(start-url), see above commit. This makes this library compatible with:
See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html - the relevant section about the old versions is labelled Legacy IAM Identity Center configuration file. For the newer versions, the change is documented here:
the authentication token is cached to disk under the sso/cache directory with a filename based on the session name
According to various issues this was added in AWS CLI 2.9.0. Its ChangeLog file contains this:
enhancement:sso login: Add --sso-session argument to enable direct SSO login with a sso-session
See https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst#290
The SSO file should be in ~/.aws/sso/cache/{SHA}.json, where SHA is the SHA1 checksum of the SSO start URL:
In newer AWS CLI versions, the directory differs from this layout (if sso-session is used) and `CredentialProvider::default()` fails to locate the file, yielding: Exception util.NoSuchElementException (None of the credential providers returned credentials)