Bump AWS SDK to version v1.37.7 to support AWS SSO #1537
Conversation
|
Hi All, |
|
You need to login first with https://aws.amazon.com/blogs/developer/aws-sso-support-in-the-aws-sdk-for-go/ I've been using this build all day with no problems. |
|
Also, there was an issue in the terraform repo where if you have a |
There was a problem hiding this comment.
I did use the sso command to begin with. And also removed the credential_process. Still have the issue.
~ >>> aws sso login --profile MyProfile
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
Then enter the code:
<CODE-HERE>
Opening in existing browser session.
Successully logged into Start URL: https://<url>.awsapps.com/start#/
~ >>> terragrunt apply --terragrunt-tfpath terraform0.12
ERRO[0000] Error finding AWS credentials (did you set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables?): SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: expected RFC3339 timestamp: parsing time "2021-02-11T13:53:59UTC" as "2006-01-02T15:04:05Z07:00": cannot parse "UTC" as "Z07:00"
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
~>>> cat ~/.aws/config
[profile MyProfile]
sso_start_url = https://<url>.awsapps.com/start#/
sso_region = us-west-2
sso_account_id = <account>
sso_role_name = <Role-Name>
region = us-east-2
output = json
Things go all the way back to sdk. |
Hm, a few questions:
|
You only need to run I don't believe any further changes are needed, but it's hard for me to test this change doesn't break current behaviour. |
Ohhh, interesting. So it must be getting some sort of temp creds from SSO that then allow it to assume any role you need?
Hm, yea, it's tough. The only item I'm left scratching my head about is why the blog post recommends adding that |
|
@z0mbix can you share how your |
I only need to run |
I bumped the aws-sdk-go to v1.37.14 today to use sso credentials for a cli I'm making and I can only confirm that yes and here's the readme from the pr https://github.com/aws/aws-sdk-go/pull/3755/files
|
|
@z0mbix per @karlpokus' comment above, would you be up for updating the PR to set |
|
When this is merged, does it mean that terragrunt will support SSO credentials from ~/.aws/config without any other modifications etc.. ? Main reason I am interested is cause I want to use my SSO credentials and to jump between accounts/profiles during the same terragrunt run. |
|
That's correct @UrosCvijan , no more tricks or workarounds or external tools, the native SSO credentials in the GO SDK would take care of everything. All you have to do is log in with the Is there a way we can help to wrap this up and get this PR merged? |
|
As temporary workaround, I was able to do the following: [profile my-profile]
sso_start_url = xxxxxxx
sso_region = us-west-2
sso_account_id = xxxxxxx
sso_role_name = Admin
region = us-west-2
output = json
[profile my-profile2]
region = us-west-2
output = json
credential_process = aws-sso-util credential-process --profile my-profileThen set your environment variable |
is this not already set here? https://github.com/gruntwork-io/terragrunt/blob/master/aws_helper/config.go#L54 |
🤦 Hahah, you're right! OK, merging this and releasing. Thank you @z0mbix! |
* Fix dead link in multiple aws accounts docs (gruntwork-io#1563) * Fix dead link in multiple aws accounts docs The link to AWS docs is now 404. The corrected link seems to most closely resemble the intended target. Other options to consider: https://aws.amazon.com/organizations/getting-started/best-practices/ https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html * Link to AWS best practices for multi account docs * Whitespace removal (gruntwork-io#1573) * Fix empty outputs (gruntwork-io#1568) If stack run finished without errors, `summarizePlanAllErrors()` receives empty buffer and outputs empty line. This change ensures that only non-empty outputs are getting logged. Related: gruntwork-io#1541 * doc: contributing: fix broken link to circleci (gruntwork-io#1580) * Bump AWS SDK to version v1.37.7 to support AWS SSO (gruntwork-io#1537) * Add TargetPrefix as config input to access bucket logging (gruntwork-io#1507) * adding target-prefix ro access bucket logging * Updating test & example ! Note that this needs the terratest PR (gruntwork-io/terratest#767) to be merged in to work & be tested. * Updating Terratest dependency * testing for target prefix * Updating docs * Renaming folder * Updating to Debugf * Adding default value * WIP - parsing for TFstatelogs * Updating logic & docs * Adding a new test for default TargetPrefix in remote backend config * Introduce validate-inputs, which can be used to check for variable alignment (gruntwork-io#1572) * Introduce terragrunt-input-info, which can be used to check for variable alignment * Apply suggestions from code review Co-authored-by: Zack Proser <[email protected]> * Tidy go modules * Renamed input-info to validate-inputs * Switch missing required vars to errors * Handle -var and -var-file args * Update cli/validate_inputs.go Co-authored-by: Yevgeniy Brikman <[email protected]> * Make sure to check for dynamically passed in CLI args * Fix build * Handle automatically loaded var files * Remove plan args check * Clarify difference between getTerraformInputNamesFromVarFiles and getTerraformInputNamesFromCLIArgs * Address PR nit to move example in docs Co-authored-by: Zack Proser <[email protected]> Co-authored-by: Yevgeniy Brikman <[email protected]> * Use go1.16 to build arm64 binaries (gruntwork-io#1585) * Bump creack/pty to 1.1.11 (gruntwork-io#1582) Co-authored-by: Andy Bohne <[email protected]> * Add ability to specify working directory of hooks (gruntwork-io#1588) * Add ability to specify working directory of hooks * Fix build * Support dynamodb_endpoint attribute of S3 backend (gruntwork-io#1586) * Clarify non-interactive will not include external dependencies (gruntwork-io#1593) * add getTerragruntSource helper function (gruntwork-io#1575) * add getTerragruntSource helper function * update docs * update docs and tests for get_terragrunt_source_cli_flag() function * add use cases for get_terragrunt_source_cli_flag * Recursively extract forcedgetters until there are none (gruntwork-io#1594) * Remove all usage of get-plugins=false which is removed in 0.15.0 (gruntwork-io#1618) * Fix validate-inputs to support null defaults (gruntwork-io#1613) * Clarify context of find_in_parent_folders (gruntwork-io#1623) Co-authored-by: Paul <[email protected]> Co-authored-by: Yoriyasu Yano <[email protected]> Co-authored-by: amnk <[email protected]> Co-authored-by: Marco Molteni <[email protected]> Co-authored-by: David Wooldridge <[email protected]> Co-authored-by: Ina Stoyanova <[email protected]> Co-authored-by: Zack Proser <[email protected]> Co-authored-by: Yevgeniy Brikman <[email protected]> Co-authored-by: Andy Bohne <[email protected]> Co-authored-by: Andy Bohne <[email protected]> Co-authored-by: Alexey Remizov <[email protected]> Co-authored-by: Syed Hussain <[email protected]> Co-authored-by: David Alger <[email protected]>
I've bumped the SDK version and ran
go mod tidy. The only testing I've done is runmake buildand run a terragrunt plan/apply in a few modules, but seems to work as expected.It relates to #1129