Aws-sam-cli: Should sam local support named profiles created by aws cli v2 sso commands?

Created on 3 Mar 2020 · 11 Comments · Source: aws/aws-sam-cli

Description

We have sam projects configured to start under a named profile. When that profile's credentials are populated in the ~/.aws/credentials file, they are sent as expected in requests from sam local to aws resources.

However, when the profile credentials are obtained by issuing an aws sso login command using aws cli v2, they do not seem to get picked up. Calls from sam local functions to aws cloud resources are throwing an error:

The security token included in the request is invalid.

Steps to reproduce

Remove named profile credentials from ~/.aws/credentials file

Obtain new credentials via the aws sso login command

Invoke sam local function that accesses an aws cloud resource like s3 or dynamodb

Observed result

Calls to aws cloud resources are rejected with a security token error.

Expected result

Calls to aws cloud resources behave the same as they do when the named profile credentials are obtained from a named profile defined in ~/.aws/credentials file.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Windows, Mac
  2. sam --version: 0.38.0

Add --debug flag to command you are running


All 11 comments

Hello? Anyone there?

Hi @danludwig, I don't have access to any sso solution supported by aws-cli at the moment. Can you please confirm that when you do aws sso login temporary credentials are added to ~/.aws/credentials file. Also please confirm if they in following format:

[profile-name]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_session_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==

Thanks

Hi @c2tarun, I tried AWS SSO (command aws configure sso) and it configures a profile in the config file, but it has different fields in it:

[profile c*****]
sso_start_url = https://a*****.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 4*******
sso_role_name = A*******

Moreover, SSO relies on additional files in the path .aws/sso/... and stores the temporary credentials in .aws/cli/cache/...

@c2tarun the sso login command does NOT update the credentials file. Apparently it works using subfolders under that location, ~/.aws/cli and ~/.aws/sso. I take it this means sam does not support the new sso login functionality like the aws v2 cli does?

Just ran into this as well. It would be great if I could pass the AWS CLI v2 generated profile name into SAM and have it work out of the box.

FYI: I'm using linaro-its/aws2-wrap as a workaround.

Also running into this

Also finding this to be an issue

FYI - I'm using https://www.npmjs.com/package/@mhlabs/sam-sso-wrapper, but it would be great with native support.

boto3 supports loading credentials cached by aws sso login as of 1.14.0. I opened an issue for updating the boto3 version SAM CLI uses as #2129.
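The two things the thread turns on are the shape of the profile (an `aws configure sso` profile carries `sso_*` keys in ~/.aws/config and no static keys, as shown above, while the temporary credentials live under ~/.aws/cli/cache) and whether the boto3 underneath SAM CLI is new enough (1.14.0 or later) to read that cache. The script below is an added example, not code from the issue or from the SAM CLI project: it parses constructed config/credentials text with configparser, classifies each profile as SSO, static or incomplete, checks a boto3 version string against the 1.14.0 threshold, and checks the expiry of a constructed cache entry. The cache entry layout (a `Credentials` object with an ISO-8601 `Expiration`) and all profile values are assumptions for the demo.

```python
# Added example (not from the issue or the SAM CLI project): diagnose why a
# named profile may not yield usable credentials for sam local.
import configparser
import json
from datetime import datetime, timezone

# Keys an `aws configure sso` profile carries (per the thread) and keys of a
# static profile in ~/.aws/credentials.
SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}
STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key"}
MIN_BOTO3_FOR_SSO = (1, 14, 0)  # first boto3 that loads `aws sso login` cache

# Constructed sample of ~/.aws/config (placeholder values, not a real tenant).
SAMPLE_CONFIG = """
[profile sso-dev]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 123456789012
sso_role_name = DeveloperRole
region = eu-west-1

[profile broken]
sso_start_url = https://example.awsapps.com/start
region = eu-west-1
"""

# Constructed sample of ~/.aws/credentials holding static long-lived keys.
SAMPLE_CREDENTIALS = """
[static-dev]
aws_access_key_id = AKIAEXAMPLEKEY000000
aws_secret_access_key = examplesecretkeyexamplesecretkeyexample
"""

# Constructed sample in the assumed shape of a ~/.aws/cli/cache/*.json entry.
SAMPLE_CACHE_ENTRY = json.dumps({
    "ProviderType": "sso",
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE",
        "SecretAccessKey": "example",
        "SessionToken": "example-token",
        "Expiration": "2020-03-03T12:00:00Z",
    },
})


def _profile_name(section):
    # ~/.aws/config prefixes sections with "profile "; ~/.aws/credentials does not.
    return section[len("profile "):] if section.startswith("profile ") else section


def classify_profiles(config_text, credentials_text):
    """Return {profile: 'sso' | 'incomplete-sso' | 'static' | 'other'}."""
    keys_by_profile = {}
    for text in (config_text, credentials_text):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        for section in cp.sections():
            # configparser lowercases keys, matching the CLI's own key names.
            keys_by_profile.setdefault(_profile_name(section), set()).update(cp[section].keys())
    kinds = {}
    for name, keys in keys_by_profile.items():
        if SSO_KEYS <= keys:
            kinds[name] = "sso"
        elif keys & SSO_KEYS:
            kinds[name] = "incomplete-sso"  # cannot complete `aws sso login`
        elif STATIC_KEYS <= keys:
            kinds[name] = "static"
        else:
            kinds[name] = "other"
    return kinds


def supports_sso_cache(boto3_version):
    """True if this boto3 version can load credentials cached by `aws sso login`."""
    parts = tuple(int(p) for p in boto3_version.split(".")[:3])
    return parts >= MIN_BOTO3_FOR_SSO


def _parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cached_credentials_valid(cache_json, now_iso):
    """True if the cached temporary credentials have not expired at now_iso (UTC)."""
    expiration = json.loads(cache_json)["Credentials"]["Expiration"]
    return _parse_utc(now_iso) < _parse_utc(expiration)


def diagnose(profile, kinds, boto3_version):
    """One-line explanation of whether sam local can use `profile`."""
    kind = kinds.get(profile, "missing")
    if kind == "sso" and not supports_sso_cache(boto3_version):
        return f"{profile}: SSO profile, but boto3 {boto3_version} < 1.14.0 cannot read the SSO cache"
    if kind == "sso":
        return f"{profile}: SSO profile, usable if `aws sso login` cache is unexpired"
    if kind == "static":
        return f"{profile}: static long-lived keys in ~/.aws/credentials"
    return f"{profile}: {kind} profile, credentials will not resolve"


if __name__ == "__main__":
    kinds = classify_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS)
    for name in kinds:
        print(diagnose(name, kinds, "1.13.0"))
    print("cache valid:", cached_credentials_valid(SAMPLE_CACHE_ENTRY, "2020-03-03T11:00:00Z"))
```

Run it against real files by reading ~/.aws/config and ~/.aws/credentials into the two text arguments and `boto3.__version__` into the version check. The point of the classification is the one the thread makes: an SSO profile has no static keys to copy anywhere, so a toolchain either reads the short-lived cache or fails with the invalid-token error; pasting the temporary keys into ~/.aws/credentials as a workaround only recreates long-lived secrets on disk.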

I know this is a bit old, but for those who find it - I was having a similar issue with sam not picking up cached sso creds. Turns out I was on version 1.0; after a quick update to 1.3.2 (not sure what version fixed it), all my commands are now working, even the above use case with a local invoke that requests a resource from the cloud.

Resolving this issue as the latest release has the supported boto3 versions.
