When running aws2 configure sso, aws2 breaks when parsing the list of returned accounts, if an account has a null emailAddress. Here's a sample from a run using the --debug switch:
2019-11-09 18:54:04,691 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"nextToken":null,"accountList":[{"accountId":"111111111111","accountName":"foo","emailAddress":null},{"accountId":"222222222222","accountName":"bar","emailAddress":"[email protected]"},{"accountId":"333333333333","accountName":"baz","emailAddress":"[email protected]"},{"accountId":"444444444444","accountName":"quux","emailAddress":"[email protected]"},{"accountId":"555555555555","accountName":"blargh","emailAddress":"[email protected]"},{"accountId":"666666666666","accountName":"logs","emailAddress":"[email protected]"},{"accountId":"777777777777","accountName":"blahonga","emailAddress":null},{"accountId":"888888888888","accountName":"main-ct","emailAddress":"[email protected]"}]}'
2019-11-09 18:54:04,692 - MainThread - botocore.hooks - DEBUG - Event needs-retry.sso.ListAccounts: calling handler <botocore.retryhandler.RetryHandler object at 0x1052f3f50>
2019-11-09 18:54:04,692 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
There are 8 AWS accounts available to you.
2019-11-09 18:54:04,711 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
File "site-packages/awscli/clidriver.py", line 278, in main
File "site-packages/awscli/customizations/commands.py", line 190, in __call__
File "site-packages/awscli/customizations/commands.py", line 187, in __call__
File "site-packages/awscli/customizations/configure/sso.py", line 291, in _run_main
File "site-packages/awscli/customizations/configure/sso.py", line 187, in _prompt_for_account
File "site-packages/awscli/customizations/configure/sso.py", line 171, in _handle_multiple_accounts
File "site-packages/awscli/customizations/wizard/selectmenu.py", line 71, in select_menu
File "site-packages/prompt_toolkit/application/application.py", line 736, in run
File "site-packages/prompt_toolkit/application/application.py", line 710, in run
File "site-packages/prompt_toolkit/eventloop/future.py", line 151, in result
File "site-packages/prompt_toolkit/eventloop/coroutine.py", line 92, in step_next
File "site-packages/prompt_toolkit/application/application.py", line 685, in _run_async2
File "site-packages/prompt_toolkit/eventloop/coroutine.py", line 88, in step_next
File "site-packages/prompt_toolkit/application/application.py", line 628, in _run_async
File "site-packages/prompt_toolkit/application/application.py", line 471, in _redraw
File "site-packages/prompt_toolkit/renderer.py", line 587, in render
File "site-packages/prompt_toolkit/layout/containers.py", line 678, in write_to_screen
File "site-packages/prompt_toolkit/layout/containers.py", line 722, in _draw_float
File "site-packages/prompt_toolkit/layout/containers.py", line 1349, in preferred_width
File "site-packages/prompt_toolkit/layout/containers.py", line 1390, in _merge_dimensions
File "site-packages/prompt_toolkit/layout/containers.py", line 1338, in preferred_content_width
File "site-packages/awscli/customizations/wizard/selectmenu.py", line 123, in preferred_width
File "site-packages/awscli/customizations/wizard/selectmenu.py", line 123, in <genexpr>
File "site-packages/awscli/customizations/wizard/selectmenu.py", line 122, in <genexpr>
File "site-packages/awscli/customizations/configure/sso.py", line 164, in _display_account
KeyError: 'emailAddress'
2019-11-09 18:54:04,723 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255
'emailAddress'
I appear to be affected by this issue as well. Further, I'm not sure why the JSON response is showing 3 of my organization's 17 accounts with null for email addresses, when the 3 accounts indicating null for an email address clearly have an AccountEmail and SSOUserEmail address populated for them in the master account's Service Catalog Provisioned products list (our landing zone was set up through Control Tower, if that matters). Happy to look somewhere else if I'm overlooking something obvious, but I don't see any immediate differences between the 3 accounts that have null for an email address and the 14 that do not.
Ours is also a Control Tower installation. We clearly have the same issue. The code doesn't expect to ever receive a null email address, but it does happen. Should be easy to fix.
Interesting, not sure why this would come back as null. I'm also not sure if this is expected service behavior or should be considered a bug in SSO's API. Either way, I think the CLI could be a little more defensive here.
While I work on getting a fix in for this, it's still possible to manually set up the CLI profile by manually editing your ~/.aws/config with the desired sso configuration:
[profile sso-profile]
sso_start_url = https://d-1234.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123412341234
sso_role_name = ReadOnly
Then you can run aws sso login --profile sso-profile to log in if needed.
Thanks for the workaround!
Fix for this was merged in #4654
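The failure and the "more defensive" handling discussed in this thread, as an added example that is not part of the original thread and not the change merged into the CLI. It assumes the parsed response omits members whose JSON value was null, which is what the KeyError in the traceback points to; the function names and the sample body are constructed for illustration.

```python
import json

# Constructed sample, shaped like the ListAccounts body in the debug log above.
RAW_BODY = (
    b'{"nextToken":null,"accountList":['
    b'{"accountId":"111111111111","accountName":"foo","emailAddress":null},'
    b'{"accountId":"222222222222","accountName":"bar",'
    b'"emailAddress":"bar@example.com"}]}'
)


def drop_nulls(value):
    """Recursively remove dict members whose value is null.

    Assumption: mimics a response parser that leaves null members out of
    the parsed dict instead of storing them as None.
    """
    if isinstance(value, dict):
        return {k: drop_nulls(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [drop_nulls(v) for v in value]
    return value


def parse_accounts(raw_body):
    """Return the account list as the display code would receive it."""
    return drop_nulls(json.loads(raw_body)).get("accountList", [])


def display_account_strict(account):
    # Hypothetical stand-in for display code that indexes every field.
    return "{accountName}, {emailAddress} ({accountId})".format(**account)


def display_account_defensive(account):
    # Only accountId is treated as required; name and email are optional.
    account_id = account["accountId"]
    parts = [account.get("accountName"), account.get("emailAddress")]
    label = ", ".join(p for p in parts if p)
    return f"{label} ({account_id})" if label else account_id


def render_menu(accounts, display):
    """Build the menu labels, one per account."""
    return [display(account) for account in accounts]


if __name__ == "__main__":
    for line in render_menu(parse_accounts(RAW_BODY), display_account_defensive):
        print(line)
```
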