granted forms an SSO token key from the root profile's SSO start URL and the current profile's SSO session name. However, when the SSO session name is present only on a parent profile, it is not taken into account, meaning granted cannot find the SSO token in its cache.

For a concrete example, take this `.aws/config`:

There are two profiles here. The `default` profile uses AWS SSO to assume the PermissionSetA SSO permission set. The `viewer` profile assumes a role named ViewerRole using the `default` SSO role. Using these roles one after another, in either order, should only require one authentication to AWS SSO. However, because granted constructs two different SSO token keys, they require two authentications:

```
$ assume default
[!] error retrieving IAM Identity Center token from secure storage: The specified item could not be found in the keyring
[i] If the browser does not open automatically, please open this link: https://device.sso.us-west-2.amazonaws.com/?user_code=AAAA-BBBB
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: AAAA-BBBB
[✔] [default](us-west-2) session credentials will expire in 12 hours
$ granted sso-tokens
https://example.awsapps.com/startMySSOSession ()
$ assume viewer
[!] error retrieving IAM Identity Center token from secure storage: The specified item could not be found in the keyring
[i] If the browser does not open automatically, please open this link: https://device.sso.us-west-2.amazonaws.com/?user_code=AAAA-BBBB
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: AAAA-BBBB
[✔] [viewer](us-west-2) session credentials will expire in 1 hour
$ granted sso-tokens
https://example.awsapps.com/startMySSOSession ()
https://example.awsapps.com/start ()
```

I would expect `assume viewer` to succeed without additional input, but granted doesn't know it can use the cached SSO credentials under the key `https://example.awsapps.com/startMySSOSession` and instead creates new cached SSO credentials under the key `https://example.awsapps.com/start`.

I can work around this by including `sso_session = MySSOSession` in the viewer profile, but it shouldn't be necessary. I think the best choice might be to write an `SSOSessionName` method on `Profile` much like `Region(context.Context)` here. That method would return the first `sso_session` name set on the profile or any of its parents.

If that plan sounds reasonable, I may be able to submit a PR to that effect.
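The parent walk the issue proposes, as an added Go example that is not granted's own code: the `Profile` type, its fields and the `TokenKey*` functions are a simplified stand-in (an assumption, not granted's real API), using the two profiles and key format from the report to show why the current key differs for `viewer` and how the inherited session name makes both profiles share one cache entry.

```go
package main

import "fmt"

// Profile is a simplified stand-in (assumption, not granted's real type) for one
// [profile ...] section of ~/.aws/config. Parent is the profile named by
// source_profile; it is nil for the root SSO profile.
type Profile struct {
	Name        string
	SSOStartURL string // sso_start_url, set on the root SSO profile
	SSOSession  string // sso_session, may be empty on a child profile
	Parent      *Profile
}

// Root follows source_profile links up to the profile holding the SSO start URL.
func (p *Profile) Root() *Profile {
	for p.Parent != nil {
		p = p.Parent
	}
	return p
}

// SSOSessionName returns the first sso_session set on the profile or any of its
// parents, which is what the issue proposes. An empty string means none was found.
func (p *Profile) SSOSessionName() string {
	for q := p; q != nil; q = q.Parent {
		if q.SSOSession != "" {
			return q.SSOSession
		}
	}
	return ""
}

// TokenKeyCurrent mirrors the behaviour the issue describes today: the root
// profile's start URL plus the sso_session of the current profile only.
func TokenKeyCurrent(p *Profile) string {
	return p.Root().SSOStartURL + p.SSOSession
}

// TokenKeyFixed uses the inherited session name instead.
func TokenKeyFixed(p *Profile) string {
	return p.Root().SSOStartURL + p.SSOSessionName()
}

func main() {
	// Constructed profiles matching the issue: viewer has no sso_session of its own.
	def := &Profile{Name: "default", SSOStartURL: "https://example.awsapps.com/start", SSOSession: "MySSOSession"}
	viewer := &Profile{Name: "viewer", Parent: def}
	fmt.Println(TokenKeyCurrent(def), TokenKeyCurrent(viewer)) // two keys: second login prompt
	fmt.Println(TokenKeyFixed(def), TokenKeyFixed(viewer))     // one key: cached token reused
}
```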