AWS SSO Named Profiles Support

[vikyol]

AWS CLI v2 supports AWS SSO named profiles.

However, CDK CLI cannot resolve SSO named profiles yet.

$ cdk deploy --profile sso-named-profile

Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

Without this feature, users have to login to SSO user portal and fetch credentials for command line and CLI access, which needs to be repeated every time the credentials expire.

Even though CLI v2 is still in preview, it would be good to have this feature implemented for early adopters.

Use Case

• Simplify deployments to multiple-accounts for AWS SSO users.

Proposed Solution

• Read sso_start_url, sso_role_name and sso_account_id from ~/.aws/config file.
• Fetch the accessToken in ~/.aws/sso/cache/ matching sso_start_url.
• Fetch temporary credentials from STS using SSO.get-role-credentials() with accessToken, sso_account_id and sso_role_name parameters.

---

This is a 🚀 Feature Request

[shivlaks]

@excavador @Douglas-Scott can you please represent your +1 as a reaction to the feature request to capture your interest in this being implemented. It helps make it searchable and doesn't clutter up the thread.

[ReidWeb]

Given the CLI is now GA, and it seems a number of other users are facing this issue would it be possible to at least add a note to the docs indicating the lack of support at this time?

[ibex-dev]

As a temporary workaround, you can use the aws sso login feature to authenticate your CLI and export the retrieved access key ID, secret access key and session token as environment variables (json saved by default under ~/.aws/cli/cache/).
I wrote a quick bash wrapper for aws sso login that takes care of that. I invoke it once a day. If you don't feed a profile to CDK, it will look next for your env variables, so that does the trick.

[brainstorm]

@ibex-dev Would you mind sharing that bash wrapper here? :)

[nspottsie]

The mention from @victorskl above suggests using yawsso as a work around to sync the SSO credentials from ~/.aws/cli/cache to ~/.aws/credentials and it worked for me.

[beuleal]

I know its a bit old, but I'd like to contribute too.

I was facing the following error:
Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

I did a wrap for deploy into multiples account:

...
  console.log(` Setting Profile: ${account.name}`);
  let access_key = execSyncCmd(
    `aws configure get aws_access_key_id --profile ${account.name}`
  );

  let aws_secret_access_key = execSyncCmd(
    `aws configure get aws_secret_access_key --profile ${account.name}`
  );

  console.log(access_key);
  console.log(aws_secret_access_key);

  execSyncCmd(
    `aws configure set aws_access_key_id ${access_key} --profile default`
  );

  execSyncCmd(
    `aws configure set aws_secret_access_key ${aws_secret_access_key} --profile default`
  );

  execSyncCmd(`aws configure set region us-east-1 --profile default`);

  console.log(`[OK] Profile Set!`);

  execSyncCmd(`cdk deploy <stack-name> `);
...

[mateja82]

Not sure if this helps anyone, but in my organization we use AWS SSO, with over 90 AWS Accounts, with MFA, so it was impossible to manage CDK without AWS SSO support. I found a way to solve it, so till its officially relesed, you can use this, it works quite all right: MatsCloud blog - CDK with AWS SSO multi account multi profile

[gnomeria]

Actually when this issue => #3008 been resolved based on https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html, I think it could work. At least we have a more proper workaround. Been using https://github.com/benkehoe/aws-sso-credential-process to get the credential_process for deploying through terraform

[shortjared]

Howdy all, we solved this with exactly the following for AWS SSO... apologies for the copypaste from our internal docs but it is the quickest way to share.

Setup

The primary way you’ll likely interact with your CDK apps and AWS is through the CLI.

We’ll need a few things installed in order for a smooth process, once you do this once, you are set up for life (or until you need a new machine, whichever comes first.)

• install / update brew

Run these commands

brew install pipx
pipx ensurepath
pipx install aws-sso-credential-process
pipx install aws-export-credentials

Install AWS CLI v2… the v2 part is very important.

Add the following to you .zshrc or .bashrc or whatever.

export AWS_CONFIGURE_SSO_DEFAULT_SSO_START_URL=https://stedi-sso.awsapps.com/start
export AWS_CONFIGURE_SSO_DEFAULT_SSO_REGION=us-east-1
sso(){
  unset AWS_PROFILE
  export AWS_PROFILE=$1
  aws sts get-caller-identity &> /dev/null || aws sso login || (unset AWS_PROFILE && aws-configure-sso-profile --profile $1)
  eval $(aws-export-credentials --env-export)
}

Usage

In a new shell (after you’ve added the sso function), do a simple sso {yourteam}-dev. On the first time you do this for any new “profile” name, it will say it isn’t found and step you through an SSO process that will interact with your default browser.

The command will walk you through a series of questions that will allow the AWS profile to be configured locally.

The first thing you will see is something like “There are [some number] AWS accounts available to you. At some point, your browser will load a series of signin screens. Enter your password, etc. if you are not already authenticated. Once you are done, return to the CLI, where you will click the account that you would like to use. If there are multiple roles available to you, you will be asked to select a role.

Once you configure this for a profile, you never have to walk through the config process again. You have to log in once every X hours for a given role (depending on your org settigns), otherwise, the sso {yourteam}-dev will just drop right into those creds as well as source them into your environment.

Test that you are authenticated properly by issuing the following AWS command: aws s3 ls

Behind the scenes, this process is adding an entry to ~/.aws/config. You can always drop into that file with your favorite text editor and modify the configuration. If you later discover that you chose the wrong account or role you can remove the profile from this configuration file and repeat the above process again.

[pahud]

@shortjared Thanks for the sharing.

Instead of exposing the credentials in env var, I have another preferable approach to generate or refresh the ~/.aws/credentials instead.

https://github.com/pahud/gitpod-workspace/blob/main/utils/refresh_credentials.sh

And I use this approach to create my gitpod workspaces for aws cdk development with aws sso support.

[redbaron]

It is possible to have "native" integration with the help of aws2-wrap

Here is my ~/.aws/config :

[profile mycorp-sso]
sso_start_url = https://d-*******.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 99999999999
sso_role_name = AWSAdministratorAccess
region = eu-west-2

[profile mycorp]
credential_process = aws2-wrap --process --profile mycorp-sso
region = eu-west-1

You then use mycorp profile with CDK and visual studio code.

[ryan-mars]

I started using aws-sso-util which supersedes aws-sso-credential-process as recommended by @shortjared.

It is made by @benkehoe.
https://github.com/benkehoe/aws-sso-util

[urz9999]

In case like this one or other similar cases where AWS SSO result in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third party tools / sdks.

[Stf-F]

Hi, is there any plan to have a native support of AWS SSO with the CDK?
I used @redbaron recommendation and it worked like a charm but still feels like a hacky workaround.
Cheers

[hoegertn]

AFAIK the JS SDK does not support SSO so CDK cannot do it either. Credentials process is the only solution today to solve this.

[benkehoe]

The JS SDK v3 implemented support for AWS SSO but as far as I can tell it has not shipped yet

[dbartholomae]

For me, this got solved via AWS vault.

[chrichts]

@ericzbeard - is this something that's being considered at all? Are there blockers for implementing this that we just aren't aware of? This issue has been open for 2 years, so I just want to know if we should be looking for a more permanent workaround or if we can expect this to be implemented in the foreseeable future

[atkinson]

CDK isn't usable without SSO support.

At present, it's completely incompatible with orgs that use AWS Control Tower.

[mbergkvist]

CDK isn't usable without SSO support.

Sync your profiles with e.g. yawsso. Slightly inconvenient, but usable.

[paulrob-100]

@rix0rrr please could you help us understand where this is on the various roadmaps?
I can see it in the CLI project in the "Needs RFC" column

I was hoping the CDK v2 would take the opportunity to upgrade to the AWS CDK for Javascript v3 which includes SSO support (see #5455 (comment)), however it's still using aws-sdk v2.
I'm assuming that's why the effort is marked as large here.

Could you indicate which of the RFCs, if any, plan to upgrade the SDK to v3?
Please could you help with the visibility of this feature request on the main roadmap? 🙏

[rob3c]

We've switched away from the IaC-unfriendly, rather opaque and inflexible Control Tower headache to the much nicer org-formation project for easier AWS Organizations multi-account management using IaC. It works well with SSO, and although it's originally (and still primarily) a direct CloudFormation tool, it has CDK support.

We deploy the CDK bootstrap template across org accounts using its declarative OrganizationBinding syntax, and there's an update-cdk task that deploys according to declared org account/OU patterns, applies temporary SSO credentials as the standard AWS environment variables, and lets you set parameters from across the org as CDK context variables. It also has the option of using custom deploy and remove commands if the defaults aren't sufficient.

If you're missing CDK SSO support and also looking for a nice, compliance-friendly way to manage your organization using Infrastructure-as-Code, it may be worth taking a look. It doesn't require a greenfield project, so you can also just point it at an existing org and give it a try.

[dannysteenman]

I wrote a small shell function that exports the temp credentials using aws-vault (brew install aws-vault) so you can run cdk commands using your sso profile. Just add the following function in your .zshrc:

# AWS Switch Profile
function awsprofile {
  if [[ -z "$1" ]]; then
    unset AWS_SDK_LOAD_CONFIG
    unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
    echo AWS Profile cleared.
    return
  fi

  export AWS_SDK_LOAD_CONFIG=true
  export AWS_DEFAULT_PROFILE=$1
  export AWS_PROFILE=$1
  export AWS_EB_PROFILE=$1

  creds=$(mktemp -d)/creds.json
  aws-vault exec ${AWS_PROFILE} -- env | grep AWS >$creds
  export AWS_ACCESS_KEY_ID=$(cat ${creds} | grep "AWS_ACCESS_KEY_ID" | cut -d '=' -f 2)
  export AWS_SECRET_ACCESS_KEY=$(cat ${creds} | grep "AWS_SECRET_ACCESS_KEY" | cut -d '=' -f 2)
  export AWS_SESSION_TOKEN=$(cat ${creds} | grep "AWS_SESSION_TOKEN" | cut -d '=' -f 2)
  export AWS_SESSION_EXPIRATION=$(cat ${creds} | grep "AWS_SESSION_EXPIRATION" | cut -d '=' -f 2)
  echo "Switched to AWS Profile: ${AWS_PROFILE}"
}

Then just run the following in your shell:

awsprofile <sso_profile_name>

To stop your session run awsprofile.

If you're using a prompt like starship then it will also show the remaining time of the active credentials:

$ awsprofile test-account
Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
Switched to AWS Profile: test-account
~ on  test-account (eu-west-1) [59m34s] took 14s

[RichiCoder1]

I wrote a small shell function that exports the temp credentials using aws-vault (brew install aws-vault) so you can run cdk commands using your sso profile. Just add the following function in your .zshrc:

It's worth noting one of the reasons AWS Vault doesn't enable something like this by default is to not expose credentials unnecessarily. As mentioned above, the best (current) solution is SSO profiles combined with aws-vault's credential_process support which accomplishes effectively the same thing 😄.

[profile administrator-sso]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator

[profile administrator]
credential_process = aws-vault exec administrator-sso --json

export AWS_PROFILE=administrator # or $env:AWS_PROFILE="administrator" for pwsh
cdk deploy

[automartin5000]

I wrote a small shell function that exports the temp credentials using aws-vault (brew install aws-vault) so you can run cdk commands using your sso profile. Just add the following function in your .zshrc:

It's worth noting one of the reasons AWS Vault doesn't enable something like this by default is to not expose credentials unnecessarily. As mentioned above, the best (current) solution is SSO profiles combined with aws-vault's credential_process support which accomplishes effectively the same thing 😄.

[profile administrator-sso]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator

[profile administrator]
credential_process = aws-vault exec administrator-sso --json

export AWS_PROFILE=administrator # or $env:AWS_PROFILE="administrator" for pwsh
cdk deploy

Just tried this, and while I was able to get aws-vault exec working with AWS SSO, I couldn't get credential_process working. Kept getting The provided token has expired. Any ideas?

[RichiCoder1]

Just tried this, and while I was able to get aws-vault exec working with AWS SSO, I couldn't get credential_process working. Kept getting The provided token has expired. Any ideas?

I don't know what does or doesn't cause aws-vault to automatically kick off the interactive login, but the fix for this is to aws sso login --profile <name-of-sso-profile> so --profile administrator-sso in this example. It's because the AWS CLI SSO Profile in question doesn't have cached credentials yet for that SSO account yet. If you have multiple SSO profiles sharing the same SSO account, this will login all of them in too FYI.

It's worth noting these cached credentials will also last for an hour by default, which you can tweak if you need via the duration_seconds configuration option: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#:~:text=credential_source%20%3D%20Ec2InstanceMetadata-,duration_seconds,-Specifies%20the%20maximum (you'd be setting this on the sso profile)

[spence95]

I was evaluating using CDK but due to this issue, I'm dumping it and just going back to plain CloudFormation.
This needs to be implemented natively with CDK.

[PatrykMilewski]

I was evaluating using CDK but due to this issue, I'm dumping it and just going back to plain CloudFormation. This needs to be implemented natively with CDK.

Lol man, don't do it to yourself, tools like Serverless Framework are way better for a lot of use cases comparing to CDK and in 2022 there is no valid argument to use plain CloudFormation

[automartin5000]

Yeah seems kinda extreme to completely dump a tool just avoid an extra npm install

[andreacavagna01]

I was evaluating using CDK but due to this issue, I'm dumping it and just going back to plain CloudFormation.

This needs to be implemented natively with CDK.

You can still use it by managing ur profiles and everything with Leapp https://github.com/Noovolari/leapp

[spence95]

in 2022 there is no valid argument to use plain CloudFormation

There's at least one, it integrates with SSO and lets you use --profile out of the box
¯\_(ツ)_/¯

[alistairstead]

I switched to using aws-vault and this limitation is resolved

[ReidWeb]

Can I suggest folks start a discussion if they're going to start debating the validity of approaches and alternatives, you're sending emails to at least 42 people every time you comment on this, and I really don't care for receiving emails for them

[polothy]

aws-sdk-js just released support for SSO: https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md#210930

Hopefully that means CDK just needs to upgrade to this version for SSO support vs upgrading to v3.

[jessedoyle]

Hey guys! We recently moved to AWS SSO and are now encountering this issue.

The workarounds suggested are fine, but missing native support in CDK for SSO profiles is a huge oversight in my opinion.

Now that V2 of the AWS JS SDK supports SSO, hopefully this feature can get implemented soon!

[ann8ty]

To overcome the issue, I have a cdk-login-env.sh script for every environment that looks kind of like this...the key for this problem is use of yawsso to copy the creds over.

`COLOR='\033[1;32m'
NC='\033[0m'

CDK_PROFILE_NAME='userconfigured'

echo "${COLOR}SSO Login for ${CDK_PROFILE_NAME} ${NC}"
aws sso login --profile $CDK_PROFILE_NAME

echo "${COLOR}Copy to v1 credentials with yawsso${NC}"
yawsso -p $CDK_PROFILE_NAME

echo "${COLOR}CDK Bootstrap confirmation${NC}"
cdk bootstrap --profile $CDK_PROFILE_NAME

echo "${COLOR}CDK Diff - Testing credential and stacks${NC}"
cdk diff --all --profile $CDK_PROFILE_NAME`

when working with multiple environments, instead of diff --all its stack name prefixes for that account

cdk diff "prefix-environment-*" --profile $CDK_PROFILE_NAME

[ChristopheBougere]

Hey guys! We recently moved to AWS SSO and are now encountering this issue.

The workarounds suggested are fine, but missing native support in CDK for SSO profiles is a huge oversight in my opinion.

Now that V2 of the AWS JS SDK supports SSO, hopefully this feature can get implemented soon!

It looks like SSO support has been merged 2 days ago in PR #19454

I'd say we can expect it to be available for the next release 🤞

[jessecollier]

This was just released in 2.18.0 and 1.150.0. Confirmed it's working for me now!

[peterwoodworth]

Thanks @jessecollier, you're right! Here's the PR #19454

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[LarsFronius]

@shortjared Thanks for the sharing.

Instead of exposing the credentials in env var, I have another preferable approach to generate or refresh the ~/.aws/credentials instead.

https://github.com/pahud/gitpod-workspace/blob/main/utils/refresh_credentials.sh

FYI: Any of the workarounds that continue to use the implicit trust behaviour of SSO created roles don't work anymore with new roles and will stop to work by 15th of February 2023 due to https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/