Using an IAM Role with CLI + SSO #5933

Closed
ydogus opened this issue Feb 10, 2021 · 9 comments

ydogus commented Feb 10, 2021

It would be nice to have some named profiles with SSO which are configured to assume roles: something similar to the role_arn property we use in the CLI config file. This way we can have our CLI assume the roles automatically after using SSO credentials to sign in to AWS services.

I think it's a valid use case. We might still need to assume roles after signing over SSO.

I tried to use role_arn with SSO, but it seems it is not working with SSO, as it gives me this error: "Partial credentials found in assume-role, missing: source_profile or credential_source".

Is this already supported? If yes, can you please direct me to the documentation?

@kdaily kdaily added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2021
@kdaily kdaily self-assigned this Feb 11, 2021
@kdaily kdaily added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2021
@kdaily
Member

kdaily commented Feb 11, 2021

Hi @ydogus,

I think this should be documented here:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-configure-profile

Under the section "Running a command with your AWS SSO enabled profile", I think this works through the scenario that you are describing.

You can create multiple AWS SSO enabled named profiles that each point to a different AWS account or role. You can also use the aws sso login command on more than one profile at a time. If any of them share the same AWS SSO user account, you must log in to that AWS SSO user account only once and then they all share a single set of AWS SSO cached credentials.

@kdaily kdaily added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Feb 11, 2021
@ydogus
Author

ydogus commented Feb 11, 2021

Hello,

Actually, this is not really what I was looking for. I'm aware of named SSO profiles. But what I'm looking for is an equivalent of the role_arn parameter for SSO.

With role_arn, the CLI simplifies our life by assuming a role. That way I could create profiles for roles that I use with the CLI. I've never had to call aws sts assume-role to assume a role and configure my workplace with the returned credentials to make my next API calls. A simple --profile foo is more than enough if my config file is well configured.

So I was looking for a similar feature in the CLI to simplify working with assumed roles. For now I can't ask my CLI to make requests by assuming a role if my credentials are provided by SSO. Of course, as a workaround I can use aws sts assume-role, but this is a little bit complex for everyday tasks.

@ydogus ydogus closed this as completed Feb 11, 2021
@ydogus ydogus reopened this Feb 11, 2021
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 11, 2021
@lorengordon
Contributor

I'm kinda curious about this:

> I tried to use role_arn with SSO but it seems it is not working with SSO as it gives me an error of Partial credentials found in assume-role, missing: source_profile or credential_source.

Does it work if you add source_profile pointing to the sso profile? E.g. something like this:

[profile assume]
role_arn = arn:aws:iam::xxxxxx:role/role-to-assume
source_profile = sso

[profile sso]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = ssoRole
region = us-east-1

Then first login to the sso profile, but use the assume profile for other commands?

$ aws sso login --profile sso
$ aws sts get-caller-identity --profile assume

If that doesn't work, it seems to me like the SSO implementation would be incomplete, as far as support for the AWS Shared Config goes...?
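
An added example, not part of the original thread or of the AWS CLI code base: a small Python check over shared-config text that follows `source_profile` links from a role profile and reports the condition behind the "Partial credentials found in assume-role" error quoted above. The function names and the `broken` profile are constructed for illustration.

```python
import configparser

# Constructed sample: the thread's two profiles plus "broken" (role_arn only).
SAMPLE_CONFIG = """\
[profile sso]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = ssoRole
region = us-east-1

[profile assume]
role_arn = arn:aws:iam::xxxxxx:role/role-to-assume
source_profile = sso

[profile broken]
role_arn = arn:aws:iam::xxxxxx:role/role-to-assume
"""

def load_profiles(text):
    """Parse shared-config text into {profile_name: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        # Config-file sections are "[profile NAME]"; "[default]" has no prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name.strip()] = dict(parser[section])
    return profiles

def check_role_profile(profiles, name):
    """Follow source_profile links; return (chain, problem or None).
    Simplification: a self-reference backed by static keys is not modelled."""
    chain = []
    while True:
        if name not in profiles:
            return chain, f"profile '{name}' is not defined"
        if name in chain:
            return chain, f"source_profile loop at '{name}'"
        chain.append(name)
        settings = profiles[name]
        # A profile without role_arn (e.g. the SSO one) supplies base credentials.
        if "role_arn" not in settings or "credential_source" in settings:
            return chain, None
        if "source_profile" not in settings:
            return chain, "missing: source_profile or credential_source"
        name = settings["source_profile"]

if __name__ == "__main__":
    loaded = load_profiles(SAMPLE_CONFIG)
    print({n: check_role_profile(loaded, n) for n in ("assume", "broken")})
```
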

@ydogus
Author

ydogus commented Feb 15, 2021

Thank you @lorengordon for the example. source_profile did the job.

@ydogus ydogus closed this as completed Feb 15, 2021

@kdaily
Member

kdaily commented Feb 15, 2021

Thanks @lorengordon, that's the suggestion! Glad you got it working, @ydogus.

@izimbra

izimbra commented Nov 12, 2021

It would be great if this use case was documented on this page: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-using-profile

weaversam8 added a commit to weaversam8/aws-vault that referenced this issue Feb 28, 2024
@chr1shung

chr1shung commented Jul 28, 2024

> Does it work if you add source_profile pointing to the sso profile? E.g. something like this:
>
> [profile assume]
> role_arn = arn:aws:iam::xxxxxx:role/role-to-assume
> source_profile = sso
>
> [profile sso]
> sso_start_url = https://my-sso-portal.awsapps.com/start
> sso_region = us-east-1
> sso_account_id = xxxx
> sso_role_name = ssoRole
> region = us-east-1
>
> Then first login to the sso profile, but use the assume profile for other commands?
>
> $ aws sso login --profile sso
> $ aws sts get-caller-identity --profile assume
>
> If that doesn't work, it seems to me like the SSO implementation would be incomplete, as far as support for the AWS Shared Config goes...?

I'm a new AWS user and trying to follow this practice, but got Could not connect to the endpoint URL: "https://sts.<region>.amazonaws.com/". Any idea what I possibly misconfigured?
My SSO role is the AWS managed PowerUserAccess.
