Eksctl: Support a new AWSCLI config format with AWS SSO

Created on 18 Nov 2019  ·  7 Comments  ·  Source: weaveworks/eksctl

Why do you want this feature?

In my organization, we started using AWS SSO to log in to the AWS Console and to generate AWS session credentials.
Recently, AWS CLI v2 added support for AWS SSO, so we no longer need to rewrite the credentials in ~/.aws/credentials.
Before this release, we had to rewrite ~/.aws/credentials whenever the credentials expired.
It is so useful.

https://aws.amazon.com/jp/blogs/developer/aws-cli-v2-now-supports-aws-single-sign-on/


However, eksctl (and not just eksctl) does not support it.
So I have to use fixed credentials, which is troublesome for me. 😢

What feature/behavior/change do you want?

I would like to be able to run the eksctl command with the configuration below:

```ini
# ~/.aws/config
[profile develop]
sso_start_url = https://xyzxyzxyz.awsapps.com/start
sso_region = us-west-2
sso_account_id = 01234567890123
# sso_role_name: this parameter is called 'Permission Sets' in AWS SSO
sso_role_name = AdministratorAccess
region = ap-northeast-1
output = json
```

```sh
$ AWS_PROFILE=develop eksctl create cluster -f cluster.yml
```

Labels: help wanted, kind/feature, priority/important-longterm

All 7 comments

Hi, is this something currently being worked on? Should we expect eksctl to support SSO creds soon, or do we have to live with IAM users for now?

Hello,
I am also facing the same issue; I have to use the AWS credentials as mentioned by @aibou

I'm currently using aws2-wrap: https://github.com/linaro-its/aws2-wrap

It would be nice if this was built in though.

Just wishing this issue a happy birthday. It's been a year!

AWS: "Use the aws cli, it's super cool"
Also AWS: "use eksctl to create EKS clusters, it's super cool"

AWS whispering while walking away: "oh they're not fully compatible so good luck to you"

btw, I don't know if it is related, but I'm getting a cryptic error message when running eksctl (using an SSO profile):

```
eksctl get clusters --verbose=4

2020-12-28T11:28:01+02:00 [!] retryable error (RequestError: send request failed caused by: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers)) from ec2metadata/GetToken - will retry after delay of 57.510881ms ...
```

@DanielAmmar yeah, I get that when using credentials from an `aws configure sso`, but when I use the creds copied from a browser console login, it works fine with eksctl.

No idea what the difference could possibly be

In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give our open-source project a try: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval, then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools / SDKs.
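
Added example, not part of the original thread and not eksctl, aws2-wrap or Leapp code: a small Python audit of the two files discussed above. For each profile it reports whether credentials come from the SSO settings in `~/.aws/config`, from temporary keys in `~/.aws/credentials` (as a helper tool would write), or from long-lived static keys. The sample file contents, the labels and the name `classify_profiles` are constructed for illustration.

```python
import configparser

# Constructed sample files, not taken from the issue.
SAMPLE_CONFIG = """\
[profile develop]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_account_id = 000000000000
sso_role_name = AdministratorAccess
region = ap-northeast-1

[profile ci]
region = ap-northeast-1
"""
SAMPLE_CREDENTIALS = """\
[ci]
aws_access_key_id = AKIA-CONSTRUCTED-EXAMPLE
aws_secret_access_key = constructed-placeholder
"""

SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}

def _sections(text):
    """Parse INI text into {section name: {key: value}}."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def classify_profiles(config_text, credentials_text):
    """Map each profile name to the source a tool would get credentials from."""
    report = {}
    for section, values in _sections(config_text).items():
        # ~/.aws/config prefixes named profiles with "profile "; credentials does not.
        name = section[len("profile "):] if section.startswith("profile ") else section
        report[name.strip()] = "sso" if SSO_KEYS <= values.keys() else "none"
    for name, values in _sections(credentials_text).items():
        if "aws_access_key_id" not in values:
            continue
        if "aws_session_token" in values:
            # Session token present: temporary keys, e.g. written after an SSO login.
            report[name] = "temporary-keys"
        else:
            # No session token: long-lived IAM user keys.
            report[name] = "static-keys"
    return report

if __name__ == "__main__":
    for profile, kind in classify_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(f"{profile}: {kind}")
```

A profile reported as `sso` has no keys on disk, so it only works with tools that implement the SSO settings themselves; `static-keys` marks the fixed credentials the issue is trying to get away from.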
