Bump AWS SDK to version v1.37.7 to support AWS SSO #1537
Hi All,
Thanks for the PR! I'll kick off tests now to see if it works with no other code changes.
That said, how do we know this now works with SSO? Are there no other changes needed to support that?
You need to login first with https://aws.amazon.com/blogs/developer/aws-sso-support-in-the-aws-sdk-for-go/ I've been using this build all day with no problems.
Also, there was an issue in the terraform repo where if you have a
I did use the sso command to begin with. And also removed the credential_process. Still have the issue.
~ >>> aws sso login --profile MyProfile
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
Then enter the code:
<CODE-HERE>
Opening in existing browser session.
Successully logged into Start URL: https://<url>.awsapps.com/start#/
~ >>> terragrunt apply --terragrunt-tfpath terraform0.12
ERRO[0000] Error finding AWS credentials (did you set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables?): SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: expected RFC3339 timestamp: parsing time "2021-02-11T13:53:59UTC" as "2006-01-02T15:04:05Z07:00": cannot parse "UTC" as "Z07:00"
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
~>>> cat ~/.aws/config
[profile MyProfile]
sso_start_url = https://<url>.awsapps.com/start#/
sso_region = us-west-2
sso_account_id = <account>
sso_role_name = <Role-Name>
region = us-east-2
output = json
Things go all the way back to sdk.
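The parse failure in the error output above, reproduced as an added Go example (not part of the original comment, and not terragrunt or AWS SDK code). It assumes the cached SSO token is a JSON document with `startUrl` and `expiresAt` fields; `parseExpiry` and `checkToken` are hypothetical helpers, and the fallback layout is one possible way to tolerate the `UTC` suffix, not the SDK's fix.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// cachedToken holds the cache-entry fields used here (field names are an assumption).
type cachedToken struct {
	StartURL  string `json:"startUrl"`
	ExpiresAt string `json:"expiresAt"`
}

// Constructed sample entry; the timestamp is the one quoted in the error above.
const sampleCache = `{"startUrl":"https://example.awsapps.com/start","accessToken":"REDACTED","expiresAt":"2021-02-11T13:53:59UTC"}`

// parseExpiry accepts strict RFC 3339 and, as a fallback, a literal "UTC" suffix.
// strict reports whether the value was valid RFC 3339.
func parseExpiry(s string) (t time.Time, strict bool, err error) {
	if t, err = time.Parse(time.RFC3339, s); err == nil {
		return t.UTC(), true, nil
	}
	// "UTC" in this layout is literal text; with no zone given, Parse returns UTC.
	t, err = time.Parse("2006-01-02T15:04:05UTC", s)
	return t, false, err
}

// checkToken decodes a cache entry and reports whether it is still valid at now.
func checkToken(raw []byte, now time.Time) (valid, strict bool, err error) {
	var tok cachedToken
	if err = json.Unmarshal(raw, &tok); err != nil {
		return false, false, err
	}
	exp, strict, err := parseExpiry(tok.ExpiresAt)
	if err != nil {
		return false, false, fmt.Errorf("expiresAt %q: %w", tok.ExpiresAt, err)
	}
	return now.Before(exp), strict, nil
}

func main() {
	now := time.Date(2021, 2, 11, 13, 0, 0, 0, time.UTC)
	valid, strict, err := checkToken([]byte(sampleCache), now)
	fmt.Println(valid, strict, err)
}
```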
Hm, a few questions:
You only need to run
I don't believe any further changes are needed, but it's hard for me to test this change doesn't break current behaviour.
Ohhh, interesting. So it must be getting some sort of temp creds from SSO that then allow it to assume any role you need?
Hm, yea, it's tough. The only item I'm left scratching my head about is why the blog post recommends adding that
@z0mbix can you share how your
I only need to run
I bumped the aws-sdk-go to v1.37.14 today to use sso credentials for a cli I'm making and I can only confirm that yes
and here's the readme from the pr https://github.com/aws/aws-sdk-go/pull/3755/files
@z0mbix per @karlpokus' comment above, would you be up for updating the PR to set
When this is merged, does it mean that terragrunt will support SSO credentials from ~/.aws/config without any other modifications etc.. ? Main reason I am interested is cause I want to use my SSO credentials and to jump between accounts/profiles during the same terragrunt run.
That's correct @UrosCvijan , no more tricks or workarounds or external tools, the native SSO credentials in the GO SDK would take care of everything. All you have to do is log in with the Is there a way we can help to wrap this up and get this PR merged?
As temporary workaround, I was able to do the following:
[profile my-profile]
sso_start_url = xxxxxxx
sso_region = us-west-2
sso_account_id = xxxxxxx
sso_role_name = Admin
region = us-west-2
output = json
[profile my-profile2]
region = us-west-2
output = json
credential_process = aws-sso-util credential-process --profile my-profile
Then set your environment variable
is this not already set here? https://github.com/gruntwork-io/terragrunt/blob/master/aws_helper/config.go#L54
🤦 Hahah, you're right! OK, merging this and releasing. Thank you @z0mbix!
* Fix dead link in multiple aws accounts docs (gruntwork-io#1563)
* Fix dead link in multiple aws accounts docs
The link to AWS docs is now 404. The corrected link seems to most closely resemble the intended target. Other options to consider:
https://aws.amazon.com/organizations/getting-started/best-practices/
https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html
* Link to AWS best practices for multi account docs
* Whitespace removal (gruntwork-io#1573)
* Fix empty outputs (gruntwork-io#1568)
If stack run finished without errors, `summarizePlanAllErrors()` receives empty buffer and outputs empty line. This change ensures that only non-empty outputs are getting logged. Related: gruntwork-io#1541
* doc: contributing: fix broken link to circleci (gruntwork-io#1580)
* Bump AWS SDK to version v1.37.7 to support AWS SSO (gruntwork-io#1537)
* Add TargetPrefix as config input to access bucket logging (gruntwork-io#1507)
* adding target-prefix ro access bucket logging
* Updating test & example ! Note that this needs the terratest PR (gruntwork-io/terratest#767) to be merged in to work & be tested.
* Updating Terratest dependency
* testing for target prefix
* Updating docs
* Renaming folder
* Updating to Debugf
* Adding default value
* WIP - parsing for TFstatelogs
* Updating logic & docs
* Adding a new test for default TargetPrefix in remote backend config
* Introduce validate-inputs, which can be used to check for variable alignment (gruntwork-io#1572)
* Introduce terragrunt-input-info, which can be used to check for variable alignment
* Apply suggestions from code review
Co-authored-by: Zack Proser <[email protected]>
* Tidy go modules
* Renamed input-info to validate-inputs
* Switch missing required vars to errors
* Handle -var and -var-file args
* Update cli/validate_inputs.go
Co-authored-by: Yevgeniy Brikman <[email protected]>
* Make sure to check for dynamically passed in CLI args
* Fix build
* Handle automatically loaded var files
* Remove plan args check
* Clarify difference between getTerraformInputNamesFromVarFiles and getTerraformInputNamesFromCLIArgs
* Address PR nit to move example in docs
Co-authored-by: Zack Proser <[email protected]>
Co-authored-by: Yevgeniy Brikman <[email protected]>
* Use go1.16 to build arm64 binaries (gruntwork-io#1585)
* Bump creack/pty to 1.1.11 (gruntwork-io#1582)
Co-authored-by: Andy Bohne <[email protected]>
* Add ability to specify working directory of hooks (gruntwork-io#1588)
* Add ability to specify working directory of hooks
* Fix build
* Support dynamodb_endpoint attribute of S3 backend (gruntwork-io#1586)
* Clarify non-interactive will not include external dependencies (gruntwork-io#1593)
* add getTerragruntSource helper function (gruntwork-io#1575)
* add getTerragruntSource helper function
* update docs
* update docs and tests for get_terragrunt_source_cli_flag() function
* add use cases for get_terragrunt_source_cli_flag
* Recursively extract forcedgetters until there are none (gruntwork-io#1594)
* Remove all usage of get-plugins=false which is removed in 0.15.0 (gruntwork-io#1618)
* Fix validate-inputs to support null defaults (gruntwork-io#1613)
* Clarify context of find_in_parent_folders (gruntwork-io#1623)
Co-authored-by: Paul <[email protected]>
Co-authored-by: Yoriyasu Yano <[email protected]>
Co-authored-by: amnk <[email protected]>
Co-authored-by: Marco Molteni <[email protected]>
Co-authored-by: David Wooldridge <[email protected]>
Co-authored-by: Ina Stoyanova <[email protected]>
Co-authored-by: Zack Proser <[email protected]>
Co-authored-by: Yevgeniy Brikman <[email protected]>
Co-authored-by: Andy Bohne <[email protected]>
Co-authored-by: Andy Bohne <[email protected]>
Co-authored-by: Alexey Remizov <[email protected]>
Co-authored-by: Syed Hussain <[email protected]>
Co-authored-by: David Alger <[email protected]>
I've bumped the SDK version and ran `go mod tidy`. The only testing I've done is run `make build` and run a terragrunt plan/apply in a few modules, but seems to work as expected.
It relates to #1129