aws-sdk-js-v3: Cannot use AWS SSO with assume role when source_profile uses the sso_session option

Describe the bug

AWS SDK JS v3 is not able to resolve credentials of a profile with role_arn and source_profile fields when the source profile uses the sso_session option.

SDK version number

@aws-sdk/credential-provider-sso@3.338.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v18.16.0

Reproduction Steps

  1. Create file called config with following content:
[sso-session mysso]
sso_start_url = https://mysso.awsapps.com/start
sso_region = eu-west-1

[profile first_profile]
sso_session = mysso
sso_account_id = 000000000000
sso_role_name = MyRole

[profile second_profile]
source_profile = first_profile
role_arn = arn:aws:iam::000000000000:role/another_role
  2. Create file called index.js with following content:
// Run as an ES module (package.json "type": "module") so that import and top-level await work.
import {GetCallerIdentityCommand, STSClient} from "@aws-sdk/client-sts";

// No explicit credentials: the default chain resolves AWS_PROFILE (second_profile) via the ini provider.
const client = new STSClient({});
const cmd = new GetCallerIdentityCommand({});
console.log(await client.send(cmd));
  3. Execute the following command:
env AWS_CONFIG_FILE=./config AWS_REGION=eu-west-1 AWS_PROFILE=second_profile node index.js

Please note that the configuration with placeholder values for sso_start_url, sso_account_id, sso_role_name and role_arn fields is sufficient to reproduce the issue with the SDK (valid values are not required for exception to be thrown). However, to verify potential fixes you’ll need to fill in real values in the configuration.

Observed Behavior

AWS SDK JS v3 fails to resolve credentials with validation error on the source profile (“first_profile” in the example):

/example/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/validateSsoProfile.js:8
        throw new property_provider_1.CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
              ^

CredentialsProviderError: Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", "sso_role_name", "sso_start_url". Got sso_session, sso_account_id, sso_role_name
Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
    at validateSsoProfile (/example/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/validateSsoProfile.js:8:15)
    at resolveSsoCredentials (/example/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/resolveSsoCredentials.js:8:136)
    at resolveProfileData (/example/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/resolveProfileData.js:28:66)
    at resolveAssumeRoleCredentials (/example/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/resolveAssumeRoleCredentials.js:30:55)
    at resolveProfileData (/example/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/resolveProfileData.js:16:80)
    at /example/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/fromIni.js:8:56
    at async coalesceProvider (/example/node_modules/@aws-sdk/property-provider/dist-cjs/memoize.js:14:24)
    at async SignatureV4.credentialProvider (/example/node_modules/@aws-sdk/property-provider/dist-cjs/memoize.js:33:24)
    at async SignatureV4.signRequest (/example/node_modules/@aws-sdk/signature-v4/dist-cjs/SignatureV4.js:87:29)
    at async /example/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:16:18 {
  tryNextLink: false,
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
}

Expected Behavior

AWS SDK JS v3 is able to resolve credentials for the profile that assumes a role using a profile for which an SSO session provides some of the SSO related configuration values. Here’s how the same config works with AWS CLI v2:

env AWS_CONFIG_FILE=./config AWS_REGION=eu-west-1 AWS_PROFILE=second_profile aws sts get-caller-identity
{
    "UserId": "AROA3KHW7455TPABCRXHN:botocore-session-1684992352",
    "Account": "000000000000",
    "Arn": "arn:aws:sts::000000000000:assumed-role/another_role/botocore-session-1684992352"
}

Possible Solution

No response

Additional Information/Context

No response

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 9
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Is there any reason I would suddenly start experiencing this issue? As of today?

@yenfryherrerafeliz: Any chance to get some eyes from the team to check this issue? There’s an open pull request with a fix to this issue available: https://github.com/aws/aws-sdk-js-v3/pull/4820. Would be great if you or someone else from the SDK team would have some time to review that. Thanks!

Hi everyone on the thread. I appreciate your patience on this. I will re-review this with the team and see if we can assign a higher priority to this.

Thanks again, Ran~

I am also experiencing this issue. I get the following error if ~/.aws/config has profiles which use sessions:

CredentialsProviderError: Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", "sso_role_name", "sso_start_url". Got sso_session, sso_account_id, sso_role_name, region, output

This format does not work:

[profile connection-platform-qa]
sso_session = default
sso_account_id = 123
sso_role_name = RoleA
region = eu-west-2
output = json
[sso-session default]
sso_start_url = https://mysso.awsapps.com/start#/
sso_region = eu-west-2
sso_registration_scopes = sso:account:access

This format (which I believe is equivalent, but does not use sessions) works fine:

[profile connection-platform-qa]
sso_start_url = https://mysso.awsapps.com/start#/
sso_region = eu-west-2
sso_account_id = 123
sso_role_name = RoleA
region = eu-west-2
output = json

I believe the issue and the workaround you describe are not exactly the same that is described here.

The SDK is able to load credentials for profiles that use the sso-session option. Setting AWS_PROFILE to an sso-session based profile works just fine with the default credential provider. There’s no issue with that.

This issue is specifically about using an sso-session based profile as a source_profile for a profile with the role_arn option (a profile that assumes a role using credentials of the source profile). The SDK is unable to resolve the source_profile correctly when the source profile is sso-session based.

If you set AWS_PROFILE to a profile whose source_profile points to an sso-session based profile, the SDK fails to resolve credentials regardless of how the SDK is used.

Using the AWS_PROFILE variable is not a workaround for the issue with the SDK itself. But it can work around the sso-session profile loading issue in CLI apps depending on how they are using the SDK.

I’ve opened a PR to modify the skip condition in the defaultProvider https://github.com/aws/aws-sdk-js-v3/pull/5746.

The defaultProvider chain contains two (2) paths to the SSO provider. One is at the top level, if the user inputs SSO related fields in code. The second is in a later step via the INI provider.

With the added skip-check, it was incorrectly abandoning the direct SSO provider if any single field was missing. This is incompatible because there are two different sets of information that constitute a valid SSO initialization, one of which is the session based configuration. If the profile still had SSO information, the second path to the SSO provider via INI would still work.
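As an added illustration (not code from the SDK or from anyone in this thread) of both the reproduction config in the issue and the maintainer's point that two different field sets constitute a valid SSO profile, here is a small resolver that merges the sso-session values into the profile before validating it and then follows source_profile for assume-role profiles. The parser, function names and the depth limit are my own assumptions modelled on the config format shown in the issue.

```javascript
// Added illustration, not SDK code: merge [sso-session] values into the profile
// before validating it, then follow source_profile for role_arn profiles.
const LEGACY_KEYS = ["sso_start_url", "sso_region", "sso_account_id", "sso_role_name"];
const SESSION_KEYS = ["sso_session", "sso_account_id", "sso_role_name"];
// Constructed sample config mirroring the issue's reproduction (placeholder values).
const SAMPLE_CONFIG = [
  "[sso-session mysso]", "sso_start_url = https://mysso.awsapps.com/start", "sso_region = eu-west-1",
  "[profile first_profile]", "sso_session = mysso", "sso_account_id = 000000000000", "sso_role_name = MyRole",
  "[profile second_profile]", "source_profile = first_profile", "role_arn = arn:aws:iam::000000000000:role/another_role",
].join("\n");

// Minimal parser for [profile X] / [sso-session X] sections (no [default] handling).
function parseConfig(text) {
  const profiles = {}, ssoSessions = {}; let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const sec = line.match(/^\[(profile|sso-session)\s+([^\]]+)\]$/);
    if (sec) { current = (sec[1] === "profile" ? profiles : ssoSessions)[sec[2]] = {}; continue; }
    const kv = line.match(/^([^=#]+?)\s*=\s*(.*)$/);
    if (kv && current) current[kv[1]] = kv[2];
  }
  return { profiles, ssoSessions };
}

// Either field set marks an SSO profile: the legacy one or the session-based one.
function isSsoProfile(p) {
  return LEGACY_KEYS.every((k) => k in p) || SESSION_KEYS.every((k) => k in p);
}

// Session values fill in what the profile omits; only then are the four keys checked.
function resolveSsoConfig(profile, ssoSessions) {
  const session = ssoSessions[profile.sso_session] ?? {};
  const merged = { ...session, ...profile };
  const missing = LEGACY_KEYS.filter((k) => !(k in merged));
  if (missing.length) throw new Error(`SSO profile missing: ${missing.join(", ")}`);
  return merged;
}

// Assume-role recurses into source_profile; the depth limit makes a cyclic chain fail.
function resolveProfile(name, config, depth = 0) {
  const p = config.profiles[name];
  if (!p) throw new Error(`profile "${name}" not found`);
  if (depth > 5) throw new Error("source_profile chain too deep");
  if (p.role_arn && p.source_profile) {
    return { type: "assume-role", roleArn: p.role_arn, source: resolveProfile(p.source_profile, config, depth + 1) };
  }
  if (isSsoProfile(p)) return { type: "sso", ...resolveSsoConfig(p, config.ssoSessions) };
  throw new Error(`profile "${name}" has no usable credential source`);
}
```

Running `resolveProfile("second_profile", parseConfig(SAMPLE_CONFIG))` yields an assume-role plan whose source carries sso_start_url and sso_region taken from the session, which is the resolution the reporter expects and the CLI performs.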

Reverting the sdk version from 3.502.0 to 3.501.0 fixed it for me.

Gentle bump – any chance someone from the SDK team can take a look at the proposed fix in https://github.com/aws/aws-sdk-js-v3/pull/4820?