Terraform-provider-aws: Support AWS CLI v2 AWS Single Sign-On

Created on 12 Nov 2019 · 29 Comments · Source: hashicorp/terraform-provider-aws

https://aws.amazon.com/about-aws/whats-new/2019/11/use-the-aws-cli-v2-preview-with-aws-single-sign-on-to-increase-developer-productivity/

https://aws.amazon.com/blogs/developer/aws-cli-v2-now-supports-aws-single-sign-on/

I am using aws 2 with SSO integration to authenticate via command line. However, terraform is not recognising the configuration with the error below:

Error: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider

  on ../../modules/arangodb-terraform-module/providers.tf line 1, in provider "aws":
   1: provider "aws" {
Labels: enhancement, provider, upstream

All 29 comments

Thanks for submitting this issue, @e-moshaya. I'd like to clarify what you're seeing.

When you're trying to use the AWS SSO credentials with Terraform, what are the commands you execute on the command line?

Does calling aws2 sts get-caller-identity give you the credentials you expect?

Hi @gdavison, looks like aws2 sso doesn't use the ~/.aws/credentials file at all, as all I have in my ~/.aws/ directory is:

cli config  sso

The ~/.aws/config has:

[profile default]
sso_start_url = https://sso.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 359814823534
sso_role_name = AdministratorAccess
region = eu-west-2
output = json

The output for aws2 sts get-caller-identity is as expected:

{
    "UserId": "AROAR2UFOKOFEBO4KCB56:[email protected]",
    "Account": "359814823534",
    "Arn": "arn:aws:sts::xxxxxxxxxxx:assumed-role/AWSReservedSSO_AdministratorAccess_22134e45a32c8395/[email protected]"
}

However, the output for aws v1 is not working:
aws sts get-caller-identity

Unable to locate credentials. You can configure credentials by running "aws configure".

As a workaround, if either of the ~/.aws/cli or ~/.aws/sso files are structured like the old ~/.aws/credentials file, for now you could add the shared_credentials_file parameter to your Terraform configuration.

I do see that https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html says that the v2 CLI is not ready for production use, but this is definitely something that needs to be implemented.

@gdavison both sso and cli are folders with cache files in them. There are no shared credentials files involved.

looking forward to it

FWIW, in the meantime this wrapper exists that will generate temporary credentials using aws2 then export them to the current session

aws2-wrap --profile SSOProfileName --exec "terraform plan"

https://github.com/linaro-its/aws2-wrap

(found here https://github.com/aws/aws-cli/issues/4668).

It works great when you only need a single set of credentials for a deployment, but I haven't figured out a way to generate a second set as needed (e.g. separate profiles for providers and backends).

Is there any timeline to this feature? Would be cool to see when this feature would be supported natively by terraform aws provider. We have been using https://github.com/ddimitrioglo/aws-saml implementation for various automations, but embedding aws cli v2 would be an important step for us going forward!

In my cursory looking, its my understanding that the AWS Go SDK will need to first implement support for the sso_* configurations in the shared configuration file (e.g. in https://github.com/aws/aws-sdk-go/blob/master/aws/session/shared_config.go) or at least the SSO token cache (based off https://github.com/aws/aws-cli/tree/v2/awscli/customizations/sso). Depending on that implementation, the Terraform AWS Provider will either implicitly support SSO token access by nature of updating the AWS Go SDK or we can enable any necessary configurations to do so. I do not see any current upstream GitHub issues relating to this, so it may be worth starting there: https://github.com/aws/aws-sdk-go/issues

That being said, it is very likely that the Terraform AWS Provider cannot (or at least should not) implement the full SSO login workflow via opening a browser on expired SSO tokens unless there is support in the AWS Go SDK for this as well.

The AWS SDK GO v2 is in a different repo: https://github.com/aws/aws-sdk-go-v2

It doesn't seem to have the same sessions and config stuff as the other sdk. Their example looks pretty different.

Looks like CLI now supports SSO: https://docs.aws.amazon.com/cli/latest/reference/sso/index.html#cli-aws-sso
Updated today.

Hi everyone, I read @borrell's solution, but the solution from aws2-wrap is not safe for multiple profiles in the same project.
To solve this problem, I forked it to
https://github.com/claytonsilva/aws-sso-cred-restore

and now I fill the ~/.aws/credentials file with my SSO profiles (more than one in a single command).

I solved my problem until terraform solves this problem, like the Azure provider experience.

I took a stab at writing a credential_process to solve this problem, which means you won't need to call scripts randomly; most applications are already smart enough to properly re-call the process when the credentials expire: https://github.com/flyinprogrammer/aws-sso-fetcher

it also does some caching so that sequential calls use a file until the credential expires.
It's pretty alpha software, but it seems to work ¯\_(ツ)_/¯ Issues and feedback welcome.

We had to use terraform with an AWS account which supported SSO login only. Since the AWS access key and secret expire, we've created a bunch of scripts to work around the issue. I thought I'd share them here; you might find them useful.
Check out fragment from our Taskfile.yml (yaml based task runner, Makefile substitute): https://gist.github.com/mknapik/7220a2dda4a66b2710784b7a658bd491
Running task aws:login would login with SSO if necessary and migrate credentials to the format understood by terraform.

Nice @mknapik. Though I recommend you take a look at @flyinprogrammer's work above yours... basically it is similar to the ecr-cred-helper for docker login. Quite... a lovely workaround!

While the workaround is nice, it would be great to have this supported natively. Which project is this awaiting right now, and are there any issues we can go vote on?

I see that the AWS Go SDK appears to support AWS SSO:

https://docs.aws.amazon.com/sdk-for-go/api/service/sso/

I have no idea whether this is something that the Terraform AWS provider can use, or whether the aws-sdk-go issue cited by @bflad is the better way forward. I'm curious what others think.

From https://github.com/aws/aws-cli/issues/4982 I ended up using yawsso to sync v1 credentials from the v2 SSO login session cache, so that I could keep my daily terraform ops going while waiting for this issue to be resolved sooner!

Thank you @victorskl. This works great!

fwiw, aws vault supports this as an example of using the go sdk to support sso natively in tf https://github.com/99designs/aws-vault/pull/549

Just ran into this same problem

Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.

managed to get it working with https://github.com/flyinprogrammer/aws-sso-fetcher, but it would be nice to have this supported natively

Been working fine on v6 beta

There's another option: You can use STS AssumeRole to create a temporary session token and export it into the environment.
That way you don't have to cache anything.
The downside is that you need to find the ARN of a role you can assume, and you also need to parse the output of the AWS CLI.

Example:

aws sts assume-role --role-arn "arn:aws:iam::123456:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_RoleName_123abcd" --role-session-name "temporary-session"
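The "export it into the environment" half of the approach above, written out as an added example (not code from this thread or from aws2-wrap): it takes the JSON that `aws sts assume-role` prints, refuses credentials that are expired or about to expire, and hands the three AWS_* variables to a child process only, so nothing is written to disk and a stale AWS_PROFILE or static key in the parent shell cannot leak into the run. The sample STS output and its key material are constructed for the example.

```python
"""Export temporary STS credentials into a child process's environment.

Added example (not from the issue thread or any project mentioned in it).
Reads the JSON printed by `aws sts assume-role`, checks the Expiration
field, and runs a command such as `terraform plan` with the credentials
set only for that child process.
"""
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample resembling `aws sts assume-role` output; the key
# material is fake and exists only to exercise the parser.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "fakeSecretKeyForExampleOnly",
        "SessionToken": "fakeSessionTokenForExampleOnly",
        "Expiration": "2099-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:temporary-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/temporary-session",
    },
})

# Variables a stale parent shell may carry; the child must not inherit them.
STALE_VARS = ("AWS_PROFILE", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def parse_expiration(value: str) -> datetime:
    """Parse the ISO-8601 Expiration field, accepting a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def env_from_assume_role(output: str, now=None, min_remaining=timedelta(minutes=5)) -> dict:
    """Map STS output to the environment variables the AWS SDK reads.

    Raises ValueError when the credentials are expired or about to expire,
    so a long terraform run does not start with credentials that die midway.
    """
    now = now or datetime.now(timezone.utc)
    creds = json.loads(output)["Credentials"]
    expires = parse_expiration(creds["Expiration"])
    if expires - now < min_remaining:
        raise ValueError(f"credentials expire at {expires.isoformat()}; refresh them first")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def build_child_env(creds_env: dict, base_env=None) -> dict:
    """Copy the parent environment, drop stale AWS settings, add the new credentials."""
    env = dict(base_env if base_env is not None else os.environ)
    for stale in STALE_VARS:
        env.pop(stale, None)
    env.update(creds_env)
    return env


def run_with_credentials(command, creds_env: dict) -> int:
    """Run `command` with the temporary credentials in its environment only."""
    return subprocess.run(command, env=build_child_env(creds_env)).returncode


if __name__ == "__main__":
    # Real use: aws sts assume-role ... | python this_script.py terraform plan
    # With no piped input the constructed sample is used and a harmless child runs.
    raw = SAMPLE_ASSUME_ROLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    default_cmd = [sys.executable, "-c", "import os; print('child sees', os.environ['AWS_ACCESS_KEY_ID'])"]
    sys.exit(run_with_credentials(sys.argv[1:] or default_cmd, env_from_assume_role(raw)))
```

The five-minute margin is a design choice: STS credentials from an SSO-backed role are usually short-lived, and failing before terraform starts is cheaper than a plan that dies halfway through with an ExpiredToken error.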

fwiw, aws vault supports this as an example of using the go sdk to support sso natively in tf 99designs/aws-vault#549

For those who need the actual command, it's aws-vault exec ${AWS_PROFILE} -- terraform plan

see https://github.com/99designs/aws-vault/pull/653

Adding onto this, for anyone that wants to interact with multiple accounts in the same Terraform workspace, you can do so by using the credential_process option in your ~/.aws/config file for each AWS profile. Then you can specify the profile on the Terraform provider block just like normal.

[profile myssoprofile]
sso_start_url=https://example.awsapps.com/start
sso_region=us-east-1
sso_account_id=123456789000
sso_role_name=AWSAdministratorAccess
credential_process = aws-vault exec myssoprofile --json
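The credential_process contract that the aws-vault line above and @flyinprogrammer's aws-sso-fetcher both rely on, shown as an added example (not code from this thread, aws-vault or aws-sso-fetcher): the program prints exactly one JSON document with Version 1, the key triple and an Expiration timestamp, and the SDK re-runs it once the credentials expire. The example adds the on-disk cache that makes repeated provider calls cheap, and writes that cache with mode 0600 because it holds live credentials. The cache path and the `fake_fetch` stand-in are assumptions; a real helper would obtain credentials from the SSO session instead.

```python
"""A minimal credential_process helper with an expiry-aware on-disk cache.

Added example, not code from the issue thread or from aws-vault /
aws-sso-fetcher. The real credential fetch is abstracted as a callable
passed to get_credentials(); fake_fetch() below is a constructed stand-in.
"""
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed cache location for the example; a real helper would key it by profile.
CACHE_PATH = os.path.join(tempfile.gettempdir(), "example-credential-cache.json")


def _parse_iso(value: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def to_credential_process_json(creds: dict) -> dict:
    """Shape credentials into the document the SDK expects on stdout."""
    return {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    }


def load_cache(path: str, now=None, min_remaining=timedelta(minutes=5)):
    """Return the cached document if it exists, parses and is still valid, else None."""
    now = now or datetime.now(timezone.utc)
    try:
        with open(path, "r", encoding="utf-8") as fh:
            doc = json.load(fh)
        if doc.get("Version") != 1:
            return None
        if _parse_iso(doc["Expiration"]) - now < min_remaining:
            return None
        return doc
    except (OSError, ValueError, KeyError, AttributeError):
        # Missing, unreadable, malformed or truncated cache: treat as absent.
        return None


def save_cache(path: str, doc: dict) -> None:
    """Create the cache file owner-readable only (0600) before any content lands in it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)


def get_credentials(fetch, path: str = CACHE_PATH, now=None):
    """Serve from cache when valid; otherwise call fetch(), cache, and return the result.

    Returns (document, served_from_cache).
    """
    now = now or datetime.now(timezone.utc)
    cached = load_cache(path, now)
    if cached is not None:
        return cached, True
    doc = to_credential_process_json(fetch())
    save_cache(path, doc)
    return doc, False


def fake_fetch() -> dict:
    """Constructed stand-in for the real SSO call; all values are fake."""
    expiry = datetime.now(timezone.utc) + timedelta(hours=1)
    return {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "fakeSecretKeyForExampleOnly",
        "SessionToken": "fakeSessionTokenForExampleOnly",
        "Expiration": expiry.isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    # As a credential_process, the JSON document must be the only thing on stdout.
    doc, _from_cache = get_credentials(fake_fetch)
    print(json.dumps(doc))
```

Two details matter for the timeout @yimin reports further down: a credential_process must never block on interactive input (the SDK gives it a short window and then reports ProcessProviderExecutionError), and anything it prints other than the JSON document, including progress messages, breaks the parse. Log to stderr, never stdout.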

I hadn't upgraded my aws-vault (it was still v5.2.0), hence my aws-vault wasn't working, whereas the aws cli was working perfectly.

==> Upgrading 1 outdated package:
aws-vault 5.2.0 -> 6.2.0

After upgrading aws-vault version to 6.2.0, it works!

All I used is the config below, without credential_process:

[profile myssoprofile]
sso_start_url=https://example.awsapps.com/start
sso_region=us-east-1
sso_account_id=123456789000
sso_role_name=AWSAdministratorAccess

With sean-nixon's approach of adding the credential_process line to ~/.aws/config, you may call terraform (e.g. terraform plan) naturally without the wrapping aws-vault exec command.

I tried the credential_process solution, but it doesn't work for me.
The SSO web page won't open at the first command (e.g. terraform plan).

[profile myssoprofile]
...
credential_process = aws-vault exec myssoprofile --json --no-session
$ terraform plan

Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.

Please see https://www.terraform.io/docs/backends/types/s3.html
for more information about providing credentials.

Error: ProcessProviderExecutionError: credential process timed out

I always run aws-vault exec myssoprofile --json --no-session before terraform plan every day (my SSO profile TTL is 12h).
What should I set additionally? Without --no-session the result is the same.

I am using Ubuntu 18.04 on WSL2.
