
Unable to use SSO to get GovCloud credentials

Open rvandegrift opened this issue 3 years ago • 17 comments

Describe the bug

I have an SSO config that works on the primary partition, but not GovCloud. It might be a config issue, but since aws configure sso is also affected, it seems like a bug. I have this in ~/.aws/config:

[profile govcloud]
sso_account_id = 012345678910
sso_role_name = my-role
region = us-gov-west-1
sso_region = us-gov-west-1
sso_start_url = https://start.us-gov-west-1.us-gov-home.awsapps.com/directory/d-1234567890#/

But it doesn't work:

$ aws --profile govcloud sso login

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

I've tried a few variations of the sso_start_url - removing the # & trailing slash - but get the same result.

Expected Behavior

SSO should work with GovCloud the same as the standard partition.

Current Behavior

Here's a redacted chunk of the debug output. Note there's a failed call to https://oidc.us-gov-west-1.amazonaws.com/device_authorization.

$ aws --profile image-dev-gov sso login
...
2023-02-08 08:51:32,561 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'us-gov-west-1', 'UseDualStack': False, 'UseFIPS': False}
2023-02-08 08:51:32,561 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://oidc.us-gov-west-1.amazonaws.com
2023-02-08 08:51:32,561 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.sso-oidc.StartDeviceAuthorization: calling handler <function base64_decode_input_blobs at 0x105f6e980>
2023-02-08 08:51:32,561 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.sso-oidc.StartDeviceAuthorization: calling handler <function generate_idempotent_uuid at 0x1035ccb80>
2023-02-08 08:51:32,561 - MainThread - botocore.hooks - DEBUG - Event before-call.sso-oidc.StartDeviceAuthorization: calling handler <function inject_api_version_header_if_needed at 0x1035ce660>
2023-02-08 08:51:32,561 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=StartDeviceAuthorization) with params: {'url_path': '/device_authorization', 'query_string': {}, 'method': 'POST', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.9.21 Python/3.11.1 Darwin/22.2.0 source/arm64 prompt/off command/sso.login'}, 'body': b'{"clientId": "redacted", "clientSecret": "redacted", "startUrl": "https://start.us-gov-west-1.us-gov-home.awsapps.com/directory/d-1234567890/"}', 'url': 'https://oidc.us-gov-west-1.amazonaws.com/device_authorization', 'context': {'client_region': 'us-gov-west-1', 'client_config': <botocore.config.Config object at 0x106577990>, 'has_streaming_input': False, 'auth_type': 'none'}}
2023-02-08 08:51:32,562 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.StartDeviceAuthorization: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x1065493d0>>
2023-02-08 08:51:32,562 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso-oidc.StartDeviceAuthorization: calling handler <function set_operation_specific_signer at 0x1035cca40>
2023-02-08 08:51:32,562 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://oidc.us-gov-west-1.amazonaws.com/device_authorization, headers={'Content-Type': b'application/json', 'User-Agent': b'aws-cli/2.9.21 Python/3.11.1 Darwin/22.2.0 source/arm64 prompt/off command/sso.login', 'Content-Length': '1407'}>
2023-02-08 08:51:32,562 - MainThread - botocore.httpsession - DEBUG - Certificate path: /opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/botocore/cacert.pem
2023-02-08 08:51:32,562 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): oidc.us-gov-west-1.amazonaws.com:443
2023-02-08 08:51:32,663 - MainThread - urllib3.connectionpool - DEBUG - https://oidc.us-gov-west-1.amazonaws.com:443 "POST /device_authorization HTTP/1.1" 400 65
2023-02-08 08:51:32,664 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 08 Feb 2023 16:51:32 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'a15d2c7e-6e81-4c2a-855b-78594c1c2934', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2023-02-08 08:51:32,664 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2023-02-08 08:51:32,664 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 08 Feb 2023 16:51:32 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'a15d2c7e-6e81-4c2a-855b-78594c1c2934', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2023-02-08 08:51:32,664 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2023-02-08 08:51:32,664 - MainThread - botocore.hooks - DEBUG - Event needs-retry.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x106581890>>
2023-02-08 08:51:32,664 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2023-02-08 08:51:32,664 - MainThread - botocore.hooks - DEBUG - Event after-call.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x1065812d0>>
2023-02-08 08:51:32,665 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/clidriver.py", line 460, in main
    return command_table[parsed_args.command](remaining, parsed_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/clidriver.py", line 595, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/customizations/commands.py", line 205, in __call__
    rc = self._run_main(parsed_args, parsed_globals)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/customizations/sso/login.py", line 47, in _run_main
    do_sso_login(
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/customizations/sso/utils.py", line 72, in do_sso_login
    return token_fetcher.fetch_token(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 3052, in fetch_token
    return self._token(
           ^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 3037, in _token
    token = self._poll_for_token(
            ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 2952, in _poll_for_token
    authorization = self._authorize_client(start_url, registration)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 2929, in _authorize_client
    response = self._client.start_device_authorization(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 341, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.21/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 697, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

Reproduction Steps

Unfortunately, the config for a govcloud account with sso is too large to fit in this margin :)

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.9.21

Environment details (OS name and version, etc.)

macOS 13.1

rvandegrift avatar Feb 08 '23 18:02 rvandegrift

I've been using AWS SSO with GovCloud and the aws-cli login for a while now. Hasn't been a problem...

[profile lcg-govcloud]
sso_start_url  = https://start.us-gov-home.awsapps.com/directory/{{DirectoryId}}
sso_region     = us-gov-west-1
sso_account_id = {{AccountId}}
sso_role_name  = {{RoleName}}
region         = us-gov-west-1
❯ aws sso login --profile lcg-govcloud
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-gov-west-1.amazonaws.com/

Then enter the code:

KVQL-CXPW
Successfully logged into Start URL: https://start.us-gov-home.awsapps.com/directory/{{DirectoryId}}

❯ aws sts get-caller-identity --profile lcg-govcloud
{
    "UserId": "{{UserId}}",
    "Account": "{{AccountId}}",
    "Arn": "arn:aws-us-gov:sts::{{StsSessionArn}}"
}

❯ aws --version
aws-cli/2.9.21 Python/3.9.11 Linux/5.15.79.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.20 prompt/off

lorengordon avatar Feb 08 '23 19:02 lorengordon

Interesting - your config is essentially the same as mine. I just tried on amd64 linux to make sure mac & aarch64 weren't related, and I get the same behavior.

I don't have access to our org's SSO config. Is it possible that the CLI is using the wrong IdP? It's strange that the web UI works fine, though.

rvandegrift avatar Feb 08 '23 19:02 rvandegrift

Any other AWS_ envs present?

❯ env |grep AWS_
AWS_SDK_LOAD_CONFIG=1

lorengordon avatar Feb 08 '23 21:02 lorengordon

Does it work if you use the official awscli installer instead of brew? I might be a bit concerned about the Python 3.11 packaging there...

https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

lorengordon avatar Feb 08 '23 21:02 lorengordon

No AWS_* in the environment, and no difference with the official distribution - my linux amd64 test was on a fresh debian:bullseye docker container, installed directly from the AWS zip file.

rvandegrift avatar Feb 08 '23 21:02 rvandegrift

Here is documentation for the StartDeviceAuthorization API. For that error it notes:

InvalidRequestException

Indicates that something is wrong with the input to the request. For example, a required parameter might be missing or out of range.

HTTP Status Code: 400

There are a few suggestions in this Stack Overflow post that may help, although the original post was from a while ago. It's hard to know the problem without knowing the configuration details. I recommend reinstalling the AWS CLI per the link shared above and configuring SSO by following these steps.

tim-finnigan avatar Feb 11 '23 01:02 tim-finnigan

I'm also having the same problem.

balusarakesh avatar Feb 15 '23 22:02 balusarakesh

@rvandegrift changing the URL from https://start.us-gov-west-1.us-gov-home.awsapps.com/directory/DIR_ID#/ to https://start.us-gov-home.awsapps.com/directory/DIR_ID#/ fixed it for me.

balusarakesh avatar Feb 15 '23 22:02 balusarakesh

@tim-finnigan reinstalling the SDK, cleaning ~/.aws/sso, re-running aws configure sso, and removing # from the sso_start_url did not help. aws configure sso still fails with the same error.

@balusarakesh aha thanks, that worked! I assumed the different domain in @lorengordon's example config had something to do with his AWS SSO config and kept mine.

So the aws cli bug here is that aws configure sso doesn't use a working sso_start_url for govcloud. If it had, I'd have copied what it produced.

rvandegrift avatar Feb 15 '23 23:02 rvandegrift

Thanks @balusarakesh for catching that and @rvandegrift for confirming the issue. In the Identity Center documentation for Gov Cloud (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-sso.html#govcloud-diffs) it does note:

The AWS access portal URL has an AWS GovCloud (US) URL pattern of https://start.us-gov-home.awsapps.com/directory/<IdentityStoreId> or https://start.us-gov-home.awsapps.com/directory/<CustomAlias>.

So I think that has to be noted in the AWS configure documentation: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-prereqs, and maybe the configuration workflow has to handle this differently. I marked this issue for further review.

tim-finnigan avatar Feb 15 '23 23:02 tim-finnigan

@rvandegrift where did you get this original start URL? sso_start_url = https://start.us-gov-west-1.us-gov-home.awsapps.com/directory/d-1234567890#/

I'm wondering where you received that since it contradicts that Identity Center documentation linked above.

tim-finnigan avatar Feb 16 '23 18:02 tim-finnigan

That's the url my AWS SSO sends my browser to. I didn't do any of the SSO setup, and my searching didn't turn up the link you posted.

rvandegrift avatar Feb 16 '23 18:02 rvandegrift

That URL was specified in your profile right? I'm wondering where that came from or how it was generated. Since the Identity Center guide documents the us-gov-home requirement I don't think there's anything required from the AWS CLI side. I don't think there was a bug with the actual aws configure sso workflow, just the misconfigured profile.

tim-finnigan avatar Feb 16 '23 18:02 tim-finnigan

I copied the start url from my browser just like I do for standard partition setups. I guess it didn't occur to me that I'd need to track down special setup info for the govcloud version of SSO.

Maybe it's not a bug, but it's certainly a bad user experience. The user needs to know to go through the list of govcloud differences, or else get stuck with a mysterious error. Now partly, that's a GovCloud bad user experience.

But here are some ideas to improve that on the awscli side:

  • if sso_region is a govcloud region, and the start url doesn't match the requirement, exit with an error and a link to the govcloud identity center doc you pasted above.
  • catch errors in the sso process and provide some less generic error messages ("error communicating with AWS SSO, is your start url correct?")
  • as you suggested, update the aws cli docs to call out the special setup required for SSO in govcloud.

rvandegrift avatar Feb 16 '23 19:02 rvandegrift
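The start-URL check proposed in the first bullet above, applied to the us-gov-home URL pattern tim-finnigan quoted from the GovCloud Identity Center guide, as an added example. This is not aws-cli or botocore code: the sample config, the profile names and the `check_start_url`/`check_config` helpers are constructed for the illustration, and the path rule (`/directory/<IdentityStoreId or CustomAlias>`) follows the documentation quoted in the thread. Run it over a real `~/.aws/config` by passing the file's contents to `check_config`.

```python
"""Flag GovCloud SSO profiles whose sso_start_url cannot work.

Added example, not part of aws-cli. It implements the validation suggested in
the thread: when sso_region is a GovCloud region, sso_start_url must use the
documented host start.us-gov-home.awsapps.com and a /directory/<id> path. The
regional-looking host copied from the browser (start.us-gov-west-1.us-gov-home.
awsapps.com) is the misconfiguration that produced the InvalidRequestException.
"""
import configparser
import re
from typing import Dict, Optional
from urllib.parse import urlparse

GOVCLOUD_SSO_DOC = (
    "https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/"
    "govcloud-sso.html#govcloud-diffs"
)
# Access portal host documented for GovCloud; note there is no region label in it.
GOVCLOUD_PORTAL_HOST = "start.us-gov-home.awsapps.com"
GOVCLOUD_REGION_PREFIX = "us-gov-"

# Constructed sample ~/.aws/config: the first profile mirrors the failing URL
# from the issue, the second the working one, the third a commercial profile.
SAMPLE_CONFIG = """
[profile govcloud-broken]
sso_account_id = 012345678910
sso_role_name = my-role
region = us-gov-west-1
sso_region = us-gov-west-1
sso_start_url = https://start.us-gov-west-1.us-gov-home.awsapps.com/directory/d-1234567890#/

[profile govcloud-ok]
sso_account_id = 012345678910
sso_role_name = my-role
region = us-gov-west-1
sso_region = us-gov-west-1
sso_start_url = https://start.us-gov-home.awsapps.com/directory/d-1234567890

[profile commercial]
sso_account_id = 012345678910
sso_role_name = my-role
region = us-east-1
sso_region = us-east-1
sso_start_url = https://my-org.awsapps.com/start#/
"""


def check_start_url(sso_region: str, sso_start_url: str) -> Optional[str]:
    """Return None when the profile looks valid, otherwise a diagnostic string.

    Only GovCloud profiles are checked; commercial-partition portals use
    <alias>.awsapps.com/start and are left alone.
    """
    if not sso_region.startswith(GOVCLOUD_REGION_PREFIX):
        return None
    parsed = urlparse(sso_start_url)
    if parsed.scheme != "https":
        return f"sso_start_url must use https, got {parsed.scheme!r}"
    if parsed.hostname != GOVCLOUD_PORTAL_HOST:
        return (
            f"sso_start_url host {parsed.hostname!r} is not {GOVCLOUD_PORTAL_HOST!r}; "
            f"GovCloud access portal URLs carry no region in the hostname. See {GOVCLOUD_SSO_DOC}"
        )
    # Path must be /directory/<IdentityStoreId or CustomAlias>. A trailing "#/"
    # copied from the browser lands in the fragment and is ignored here.
    if not re.fullmatch(r"/directory/[A-Za-z0-9._-]+/?", parsed.path):
        return (
            f"sso_start_url path {parsed.path!r} should be "
            "/directory/<IdentityStoreId or CustomAlias>"
        )
    return None


def check_config(text: str) -> Dict[str, Optional[str]]:
    """Run check_start_url over every SSO profile in an AWS CLI config string."""
    cp = configparser.ConfigParser()  # inline '#' comments are off by default, so '#/' survives
    cp.read_string(text)
    results: Dict[str, Optional[str]] = {}
    for section in cp.sections():
        if "sso_start_url" not in cp[section]:
            continue
        name = section[len("profile "):] if section.startswith("profile ") else section
        results[name] = check_start_url(
            cp[section].get("sso_region", ""), cp[section]["sso_start_url"]
        )
    return results


if __name__ == "__main__":
    for profile, problem in check_config(SAMPLE_CONFIG).items():
        print(f"{profile}: {'OK' if problem is None else problem}")
```

The check is deliberately narrow: it refuses only what the GovCloud guide documents as impossible (a region-labelled host or a missing directory path), so a custom alias in place of the identity store ID still passes.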

Ok thanks for following up and sharing those suggestions. We can continue tracking this as a feature request to improve the documentation and URL validation/error message. If others are similarly affected please 👍 the issue and leave a comment if you have anything to add regarding this.

tim-finnigan avatar Feb 16 '23 19:02 tim-finnigan

Hi Tim, we are on to it; it will be resolved in a while. If you have any other concerns, you may get into it after the 'hembrew/celler' bug resolution. We will get back to you soon.

amberkushwaha avatar Aug 25 '23 05:08 amberkushwaha

The logs of the file were in the middle of the exceptional criteria and logging dialogues, for which it should be updated for progress.

amberkushwaha avatar Mar 28 '24 17:03 amberkushwaha