aws-sso list and aws-sso config-profile hang forever #1083

Open
DaveQB opened this issue Oct 20, 2024 · 8 comments
Labels
bug Something isn't working

DaveQB commented Oct 20, 2024

Output of aws-sso version:

AWS SSO CLI Version 1.17.0 -- Copyright 2021-2024 Aaron Turner
Homebrew (1.17.0) built at 2024-07-10T21:26:18Z

Describe the bug:
aws-sso config-profiles
aws-sso list

Hang forever.

To Reproduce:

  1. aws-sso list -L trace or aws-sso config-profile -L trace

Note: You do not need to redact AWS AccountIDs from outputs or config.
Per Amazon,
"While account IDs, like any identifying information, should be
used and shared carefully, they are not considered secret,
sensitive, or confidential information."

Expected behavior:
Either list of accounts or editing of my ~/.aws/config

Screenshots:

Desktop (please complete the following information):

  • OS: Ubuntu
  • Version: 24.04

Additional context:

INFO    open /home/david/.config/aws-sso/cache.json: no such file or directory
WARNING The specified item could not be found in the keyring
DEBUG   loading SSO using 10 retries and max 5sec backoff
TRACE   Authenticate(printurl, )
DEBUG   no CreateTokenResponse for token-response:customer1
TRACE   reauthenticate() for Default
TRACE   registerClient()
TRACE   Checking cache for RegisterClientData
TRACE   Registering new client with AWS SSO

I presume it should print a URL for me to use to set up my token.

Contents of ~/.aws-sso/config.yaml:

SSOConfig:
    customer1:
        SSORegion: eu-central-1
        StartUrl: https://customer1.awsapps.com/start
        AuthUrlAction: print
    customer2:
        SSORegion: eu-central-1
        StartUrl: https://customer2.awsapps.com/start
        AuthUrlAction: print
    customer3:
        SSORegion: eu-central-2
        StartUrl: https://customer3.awsapps.com/start
        AuthUrlAction: print
DefaultSSO: customer1
DefaultRegion: eu-central-1
ConsoleDuration: 720
CacheRefresh: 168
Threads: 5
MaxBackoff: 5
MaxRetry: 10
AutoConfigCheck: true
UrlAction: print
ConfigProfilesUrlAction: open
LogLevel: error
HistoryLimit: 10
HistoryMinutes: 1440
ProfileFormat: "{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}"
AccountPrimaryTag:
    - AccountName
    - AccountAlias
    - Email
PromptColors:
    descriptionbgcolor: Turquoise
    descriptiontextcolor: Black
    inputbgcolor: DefaultColor
    inputtextcolor: DefaultColor
    prefixbackgroundcolor: DefaultColor
    prefixtextcolor: Blue
    previewsuggestionbgcolor: DefaultColor
    previewsuggestiontextcolor: Green
    scrollbarbgcolor: Cyan
    scrollbarthumbcolor: LightGrey
    selecteddescriptionbgcolor: DarkGray
    selecteddescriptiontextcolor: White
    selectedsuggestionbgcolor: DarkGray
    selectedsuggestiontextcolor: White
    suggestionbgcolor: Cyan
    suggestiontextcolor: White
ListFields:
    - AccountIdPad
    - AccountAlias
    - RoleName
    - Profile
    - Expires
FullTextSearch: true
@DaveQB DaveQB added the bug Something isn't working label Oct 20, 2024
@synfinatic (Owner)

Mind trying the latest v2.0 beta available in the downloads section here on github?

DaveQB (Author) commented Oct 20, 2024

Thank you. Sure thing. Looks like the same result, unfortunately. It has been on that output for 35 minutes now.

> aws-sso version
AWS SSO CLI Version 2.0.0-beta4 -- Copyright 2021-2024 Aaron Turner
1031acd4a28533e7b662d2387579786c71f04ae4 (v2.0.0-beta4) built at 2024-09-30T02:15:15+0000

> aws-sso setup profiles -L trace
INFO  unable to open cache file error="open /home/david/.config/aws-sso/cache.json: no such file or directory"
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG refreshing SSO cache SSOname=customer1
ERROR AccessToken Unauthorized Error; refreshing error="operation error SSO: ListAccounts, https response error StatusCode: 401, RequestID: 6a90ef65-1a51-4ef0-ae80-256576257dcb, UnauthorizedException: Session token not found or invalid"
TRACE reauthenticate() storeKey=customer1
TRACE registerClient()
TRACE Checking cache for RegisterClientData
TRACE Registering new client with AWS SSO

It feels like it is trying to launch a browser 🤷🏻‍♂️, rather than print the URL. I am running this on a remote desktop over SSH, if that matters.

@synfinatic (Owner)

Nope, not trying to launch a browser yet. My guess is your system can't talk to the AWS Identity Center OIDC endpoint when it makes the RegisterClient API call.

Made you a custom binary with additional trace log information which should help:
aws-sso-2.0.0-beta5-linux-amd64.zip

That said, I do see a somewhat strange log. Assuming the above binary hangs at:

TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public

Please add the line to your config.yaml:

SecureStore: file

And try again. FWIW, it should only take a second or so to complete the API call and print the next line.

DaveQB (Author) commented Oct 21, 2024

Thanks for this. I'll try now.

Just a bit of background. My firewall doesn't block any outbound ports. This desktop is my work computer. It is used 99.9% over SSH (mini computer, always on, low power). It is my hub for Terraform, Git and AWSCLI. I have been copying and pasting the env vars from the SSO page to access each customer's accounts, but in looking for a smarter system, perplexity.ai sent me to this project.

DaveQB (Author) commented Oct 21, 2024

Thanks so much for your time.

> ./aws-sso-2.0.0-beta5-linux-amd64 setup profiles -L trace
INFO  unable to open cache file error="open /home/david/.config/aws-sso/cache.json: no such file or directory"
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG refreshing SSO cache SSOname=customer1
ERROR AccessToken Unauthorized Error; refreshing error="operation error SSO: ListAccounts, https response error StatusCode: 401, RequestID: 0bfbcbe6-4cef-4d85-9002-00f1487cfed8, UnauthorizedException: Session token not found or invalid"
TRACE reauthenticate() storeKey=customer1
TRACE registerClient()
TRACE Checking cache for RegisterClientData storeKey=customer1
TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public
TRACE Registered new client with AWS SSO ClientId=ds6jQDXE5qspNsYFADlXwWV1LWNlbnRyYWwtMQ ClientSecretExpiresAt=1737250750
^C

> echo 'SecureStore: file' >>  ~/.config/aws-sso/config.yaml
> ./aws-sso-2.0.0-beta5-linux-amd64 setup profiles -L trace
INFO  unable to open cache file error="open /home/david/.config/aws-sso/cache.json: no such file or directory"
Select password:
Verify password:
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG refreshing SSO cache SSOname=customer1
ERROR AccessToken Unauthorized Error; refreshing error="operation error SSO: ListAccounts, https response error StatusCode: 401, RequestID: e59a3c2f-17da-4831-a352-d3691bb63e8f, UnauthorizedException: Session token not found or invalid"
TRACE reauthenticate() storeKey=customer1
TRACE registerClient()
TRACE Checking cache for RegisterClientData storeKey=customer1
TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public
TRACE Registered new client with AWS SSO ClientId=[REDACTED] ClientSecretExpiresAt=1737250769
TRACE <- reauthenticate()
TRACE startDeviceAuthorization() storeKey=customer1
DEBUG Created OIDC device code storeKey=customer1 expires=600

        Verify this code in your browser: [REDACTED]
TRACE <- reauthenticate()
TRACE getDeviceAuthInfo()
TRACE <- reauthenticate()
Please open the following URL in your browser:

https://device.sso.eu-central-1.amazonaws.com/?user_code=[REDACTED]

INFO  Waiting for SSO authentication...
TRACE createToken()

Oh!! Was SecureStore: file something I missed in the docs?
It was. Sorry! I did find "getting started quickly" a little harder than expected.

SecureStore supports the following backends:

    file - Encrypted local files (OS agnostic and default on Linux)

It does have a sane default though. Odd that I needed to set that to file to get progress 🤔

DaveQB (Author) commented Oct 21, 2024

Just checked with v1.17.0 and we have success there too. The issue was needing to set SecureStore: file even though that is the default.

WARNING The specified item could not be found in the keyring

It must have been trying to use a keyring of some sort 🤷🏻‍♂️
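
The two hypotheses raised in this thread (the box cannot reach the AWS Identity Center OIDC endpoint for RegisterClient, or the secure-store backend is what blocks on a headless SSH-only machine) and the SecureStore: file workaround, as an added example that is not part of the issue and not aws-sso-cli's own code. It is a bash triage script that tests each hypothesis separately with a hard timeout, so the symptom becomes a fast, attributable failure instead of an indefinite hang, and then sets the workaround idempotently. Assumptions not confirmed by the thread: the RegisterClient call goes to AWS's SSO OIDC endpoint at https://oidc.<region>.amazonaws.com/; the Linux keyring backend talks to the freedesktop Secret Service over the D-Bus session bus, which an SSH login usually does not have; and the config file is ~/.config/aws-sso/config.yaml (the path in the thread's log lines). The function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the issue above or of aws-sso-cli). Turns the
# "hangs forever" symptom into a fast, attributable failure by testing the two
# hypotheses raised in the thread separately, each with a hard timeout, and
# then pinning the workaround idempotently.
#
# Assumptions (not confirmed by the thread): the RegisterClient call goes to
# AWS's SSO OIDC endpoint at https://oidc.<region>.amazonaws.com/; the Linux
# "keyring" secure store talks to the freedesktop Secret Service over the D-Bus
# session bus, which an SSH login usually does not have; and the config lives
# at ~/.config/aws-sso/config.yaml (the path the thread's log lines show).
set -u

# Endpoint the first hypothesis is about.
oidc_endpoint() {
    printf 'https://oidc.%s.amazonaws.com/' "$1"
}

# Any HTTP status (even a 4xx) proves the TLS path is open; a 000 from curl
# means the connection never completed. --max-time keeps this from hanging.
probe_oidc() {
    curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "$(oidc_endpoint "$1")" 2>/dev/null \
        | grep -qE '^[1-5][0-9]{2}$'
}

# Second hypothesis: is there a session bus with a Secret Service on it?
# Without DBUS_SESSION_BUS_ADDRESS there is nothing for a keyring client to
# reach, so return 1 immediately rather than letting a library block.
session_bus_available() {
    [ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ] || return 1
    command -v dbus-send >/dev/null 2>&1 || return 1
    timeout 5 dbus-send --session --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null \
        | grep -q 'org.freedesktop.secrets'
}

# Set a top-level YAML key exactly once. The thread's `echo ... >> config.yaml`
# works the first time but appends a duplicate key (and, if the file lacks a
# trailing newline, glues it onto the previous line) on every later run.
set_top_level_key() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    if [ -f "$file" ] && grep -qE "^${key}:" "$file"; then
        sed -E "s|^${key}:.*|${key}: ${value}|" "$file" > "$tmp"
    else
        if [ -f "$file" ]; then cat "$file" > "$tmp"; fi
        # Add the newline the last line may be missing before appending.
        if [ -s "$tmp" ] && [ -n "$(tail -c1 "$tmp")" ]; then echo >> "$tmp"; fi
        printf '%s: %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Run the checks in order: egress first, because a dead endpoint would hang
# regardless of the secure store; then the secure store, applying the fix
# the thread arrived at only when no Secret Service is reachable.
triage() {
    local region="$1" cfg="${2:-$HOME/.config/aws-sso/config.yaml}"
    if probe_oidc "$region"; then
        echo "ok: $(oidc_endpoint "$region") answered within 10s"
    else
        echo "fail: no HTTP response from $(oidc_endpoint "$region") in 10s; check egress/proxy first"
        return 1
    fi
    if session_bus_available; then
        echo "ok: D-Bus session bus with a Secret Service is reachable"
    else
        echo "no Secret Service from this shell; setting SecureStore: file in $cfg"
        set_top_level_key "$cfg" SecureStore file
    fi
}

# Opt-in entry point so sourcing the file for its functions has no side effects:
#   AWS_SSO_TRIAGE=1 ./triage.sh eu-central-1
if [ "${AWS_SSO_TRIAGE:-0}" = "1" ]; then
    triage "${1:-eu-central-1}"
fi
```

Two things worth knowing before running it. The rewritten config.yaml inherits mktemp's 0600 mode, which is tighter than a hand-written file usually has and is fine for a file that holds no secrets. And, as the thread's own transcript shows, SecureStore: file prompts for a password on first use and keeps the encrypted credentials on local disk, so the password, not the desktop keyring, is what protects the cached tokens on that box.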

@synfinatic synfinatic added this to the 2.0.0 milestone Oct 21, 2024
@synfinatic (Owner)

Well, this is definitely a bug. Just to confirm, this is a native Ubuntu box and not running under Windows WSL?

DaveQB (Author) commented Oct 21, 2024

A bit of a relief that it wasn't an oversight by me that wasted your time 😃
Thanks for your fast responses.

Correct.

> uname -a
Linux kogan02 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug  2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

> cat /etc/debian_version
trixie/sid
