argo-cd: SSO with AWS' Identity Center does not work.

Checklist:

  • I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I’ve included steps to reproduce the bug.
  • I’ve pasted the output of argocd version.

Describe the bug

We are trying to setup SSO with AWS’ IAM Identity Center and are facing the following error:

time="2023-07-25T12:56:02Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = no session information" grpc.code=Unauthenticated grpc.method=List grpc.service=cluster.ClusterService grpc.start_time="2023-07-25T12:56:02Z" grpc.time_ms=0.247 span.kind=server system=grpc

Unfortunately, there does not exist any documentation of successful attempts to use IAM Identity Center for SSO with ArgoCD. The Slack channel couldn’t help us either, so we rely on help here now. A similar issue (using OneLogin instead of IAM Identity Center) has been reported here: https://github.com/argoproj/argo-cd/issues/5450

To Reproduce

Current dex.config and rbac:

configs:
  cm:
    dex.config: |
      logger:
        level: debug
        format: json
      connectors:
      - type: saml
        id: saml
        name: saml
        config:
          ssoURL: https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/xxx
          entityIssuer: https://xxx.amazonaws.com/api/dex/callback
          caData: |
            xxx
          usernameAttr: subject
          emailAttr: email
  rbac:
    policy.csv: |
      g, myusername, role:admin,
    scopes: "[name]"
    policy.default: role:readonly

Expected behavior

Login via SAML is successful.

Version

argocd: v2.7.9+0ee33e5.dirty
  BuildDate: 2023-07-24T18:26:31Z
  GitCommit: 0ee33e52dd1f1bb944488584fc6f854b929f1180
  GitTreeState: dirty
  GoVersion: go1.20.6
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.7.9+0ee33e5.dirty
  BuildDate: 2023-07-24T18:26:31Z
  GitCommit: 0ee33e52dd1f1bb944488584fc6f854b929f1180
  GitTreeState: dirty
  GoVersion: go1.20.6
  Compiler: gc
  Platform: darwin/arm64
  Kustomize Version: v5.1.0 2023-06-19T16:53:36Z
  Helm Version: v3.12.2+g1e210a2
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.19.1

Logs

time="2023-07-25T12:56:02Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = no session information" grpc.code=Unauthenticated grpc.method=List grpc.service=cluster.ClusterService grpc.start_time="2023-07-25T12:56:02Z" grpc.time_ms=0.247 span.kind=server system=grpc

About this issue

  • Original URL
  • State: open
  • Created a year ago
  • Reactions: 4
  • Comments: 16 (6 by maintainers)

Most upvoted comments

@nicl-dev we’ve made it work!

In the AWS Identity Center configuration, the following attributes should be configured:

Application start URL - (optional): https://<ARGO_CD_DOMAIN>/auth/login?return_url=https%3A%2F%2F<ARGO_CD_DOMAIN>%2Fapplications

Application ACS URL: https://<ARGO_CD_DOMAIN>/api/dex/callback

Application SAML audience: https://<ARGO_CD_DOMAIN>/api/dex/callback

Our dex.config looks like:

dex.config: |
      logger:
        level: debug
        format: json
      connectors:
      - type: saml
        id: aws
        name: "AWS IAM Identity Center"
        config:
          ssoURL: https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/<ID>
          caData: <BASE64_DECODED_CA_CERT>
          entityIssuer: https://<ARGO_CD_DOMAIN>/api/dex/callback
          redirectURI: https://<ARGO_CD_DOMAIN>/api/dex/callback
          usernameAttr: email
          emailAttr: email
          groupsAttr: groups

I hope it helps to make this work.

In addition to @smeckert’s reply: you need to have proper attribute mapping in the AWS application.

Hi,

In addition to @patr00n and @smeckert: if you want it to work on an AWS SSO group basis, this is working for me:

      policy.default: role:readonly
      policy.csv: |
        p, role:readonly, applications, get, */*, allow
        p, role:readonly, certificates, get, *, allow
        p, role:readonly, clusters, get, *, allow
        p, role:readonly, repositories, get, *, allow
        p, role:readonly, projects, get, *, allow
        p, role:readonly, accounts, get, *, allow
        p, role:readonly, gpgkeys, get, *, allow
        p, role:admin, applications, create, */*, allow
        p, role:admin, applications, update, */*, allow
        p, role:admin, applications, delete, */*, allow
        p, role:admin, applications, sync, */*, allow
        p, role:admin, applications, override, */*, allow
        p, role:admin, applications, action/*, */*, allow
        p, role:admin, certificates, create, *, allow
        p, role:admin, certificates, update, *, allow
        p, role:admin, certificates, delete, *, allow
        p, role:admin, clusters, create, *, allow
        p, role:admin, clusters, update, *, allow
        p, role:admin, clusters, delete, *, allow
        p, role:admin, repositories, create, *, allow
        p, role:admin, repositories, update, *, allow
        p, role:admin, repositories, delete, *, allow
        p, role:admin, projects, create, *, allow
        p, role:admin, projects, update, *, allow
        p, role:admin, projects, delete, *, allow
        p, role:admin, accounts, update, *, allow
        p, role:admin, gpgkeys, create, *, allow
        p, role:admin, gpgkeys, delete, *, allow
        g, <ADMIN GROUP ID AWS SSO>, role:admin
        g, guest, role:readonly
      scopes: '[groups, email]'
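To see how the values Dex passes (the `email` subject and each group id from the `groups` scope) land on roles, here is an added Python evaluator written for this thread; it is not Argo CD's code nor anyone's from the issue, it parses a Casbin-style policy.csv like the reporter's and the group-based one above, and it approximates Argo CD's allow/deny decision (deny wins, policy.default as fallback role, globs approximated with fnmatch). The sample rules and user claims are constructed, and `<ADMIN GROUP ID AWS SSO>` is the page's placeholder.

```python
import fnmatch

# Constructed sample: a few p rules from the policy above plus its g rules (placeholder group id).
POLICY_CSV = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, clusters, create, *, allow
g, <ADMIN GROUP ID AWS SSO>, role:admin
g, guest, role:readonly
"""

def parse_policy(csv_text):
    """Parse a Casbin-style policy.csv into p rules, g rules and a list of malformed lines."""
    perms, groups, errors = [], {}, []
    for lineno, raw in enumerate(csv_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6 and fields[5] in ("allow", "deny"):
            perms.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:  # e.g. the report's "g, myusername, role:admin," (trailing comma = empty 4th field)
            errors.append(f"line {lineno}: malformed rule {line!r}")
    return perms, groups, errors

def effective_roles(claims, groups):
    """Expand the values Argo CD matches as subject (sub/email and each group id) through g rules."""
    roles, todo = set(claims), list(claims)
    while todo:
        for role in groups.get(todo.pop(), ()):
            if role not in roles:
                roles.add(role)
                todo.append(role)
    return roles

def is_allowed(perms, groups, claims, resource, action, obj, default_role="role:readonly"):
    """Approximate Argo CD's decision: a matching deny wins, else any allow; policy.default is a
    fallback role for every authenticated user. Globs are approximated with fnmatch."""
    roles = effective_roles(claims, groups) | {default_role}
    allowed = False
    for sub, res, act, o, eff in perms:
        if sub in roles and all(fnmatch.fnmatchcase(v, pat)
                                for v, pat in ((resource, res), (action, act), (obj, o))):
            if eff == "deny":
                return False
            allowed = True
    return allowed
```

Feeding the reporter's `g, myusername, role:admin,` line through `parse_policy` reports it as malformed, which is a quick way to catch a rule that silently never binds a role.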

Hi again @madclement

Sorry for the misunderstanding.

I assumed that I had used “Identity Center directory” as the identity source.

The Argocd documentation is for that case only. For all other cases change the attribute mapping and/or group id.