ProfileCredentialsProvider fails if SSO information is in source profile
Describe the bug
Problem
I have the following profiles in my .aws/config file (generated by a separate tool):
[profile xxxxx-src]
sso_account_id = 1234567890
sso_role_name = xxxxx
sso_session = xxxxx
[profile xxxxx]
source_profile = xxxxx-src
role_arn = arn:aws:iam::1234567890:role/my_nice_role
role_session_name = xxxxx
sso_session = xxxxx
When I try to use this profile in the AWS SDK for Java using the ProfileCredentialsProvider, I get the following error:
Exception in thread "main" java.lang.IllegalArgumentException: Profile property 'sso_account_id' was not configured for 'default'.
at software.amazon.awssdk.utils.Validate.isTrue(Validate.java:76)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.lambda$requireProperties$1(ProfileCredentialsUtils.java:291)
at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992)
at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:762)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.requireProperties(ProfileCredentialsUtils.java:291)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.validateRequiredPropertiesForSsoCredentialsProvider(ProfileCredentialsUtils.java:206)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.ssoProfileCredentialsProvider(ProfileCredentialsUtils.java:197)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.credentialsProvider(ProfileCredentialsUtils.java:120)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.credentialsProvider(ProfileCredentialsUtils.java:102)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.lambda$createCredentialsProvider$1(ProfileCredentialsProvider.java:169)
at java.base/java.util.Optional.flatMap(Optional.java:289)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.createCredentialsProvider(ProfileCredentialsProvider.java:169)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.handleProfileFileReload(ProfileCredentialsProvider.java:135)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.resolveCredentials(ProfileCredentialsProvider.java:126)
at software.amazon.awssdk.auth.credentials.AwsCredentialsProvider.resolveIdentity(AwsCredentialsProvider.java:54)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.lambda$trySelectAuthScheme$6(S3AuthSchemeInterceptor.java:169)
at software.amazon.awssdk.core.internal.util.MetricUtils.reportDuration(MetricUtils.java:80)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.trySelectAuthScheme(S3AuthSchemeInterceptor.java:169)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.selectAuthScheme(S3AuthSchemeInterceptor.java:87)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.beforeExecution(S3AuthSchemeInterceptor.java:67)
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.lambda$beforeExecution$1(ExecutionInterceptorChain.java:59)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.beforeExecution(ExecutionInterceptorChain.java:59)
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.runInitialInterceptors(AwsExecutionContextBuilder.java:255)
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:144)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:67)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:76)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74)
at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53)
The SDK does not seem to be looking in the source profile for this information.
Regression Issue
- [ ] Select this option if this issue appears to be a regression.
Expected Behavior
The SDK should look in the source profile for the SSO information.
Current Behavior
The login fails because the SDK does not seem to be looking in the source profile for the SSO information.
Reproduction Steps
ProfileCredentialsProvider.create("xxxxx")
with the following profiles:
[profile xxxxx-src]
sso_account_id = 1234567890
sso_role_name = xxxxx
sso_session = xxxxx
[profile xxxxx]
source_profile = xxxxx-src
role_arn = arn:aws:iam::1234567890:role/my_nice_role
role_session_name = xxxxx
sso_session = xxxxx
Login using aws sso login --sso-session xxxxx
Possible Solution
In the ProfileCredentialsUtils class, in the credentialsProvider(Set<String> children) method, if the source profile check were moved to the top, this scenario would work fine.
Additional Information/Context
No response
AWS Java SDK version used
2.31.63
JDK version used
17.0.9_8
Operating System and version
Windows 11 Enterprise 23H2
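The following is an added illustration, not code from the aws-sdk-java-v2 project: a small model of the provider selection described in this issue, run over the profiles above. It assumes two candidate check orders, the "current" one inferred from the stack trace (SSO validation before source_profile) and the "proposed" one from the suggested fix (source_profile first), and shows that only the latter resolves profile xxxxx through its source profile.

```python
import configparser

# Constructed sample mirroring the ~/.aws/config in the issue.
SAMPLE_CONFIG = """
[profile xxxxx-src]
sso_account_id = 1234567890
sso_role_name = xxxxx
sso_session = xxxxx

[profile xxxxx]
source_profile = xxxxx-src
role_arn = arn:aws:iam::1234567890:role/my_nice_role
role_session_name = xxxxx
sso_session = xxxxx
"""


def load_profiles(text):
    """Parse config text into {profile_name: {property: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s.removeprefix("profile "): dict(cp[s]) for s in cp.sections()}


def resolve(profiles, name, source_profile_first):
    """Describe the provider chain for `name`, or raise like the SDK does.

    The check order is an assumption of this example, not the SDK's code:
    source_profile_first=False models the behaviour seen in the stack trace,
    source_profile_first=True models the fix proposed in the issue.
    """
    p = profiles[name]
    order = ["source_profile", "sso"] if source_profile_first else ["sso", "source_profile"]
    for check in order:
        if check == "source_profile" and "source_profile" in p:
            # Assume-role provider: the role is assumed with credentials
            # obtained from the parent profile, resolved recursively.
            parent = resolve(profiles, p["source_profile"], source_profile_first)
            return f"assume_role({p['role_arn']}) <- {parent}"
        if check == "sso" and ("sso_session" in p or "sso_start_url" in p):
            # SSO provider: both account and role must be set on THIS profile.
            for key in ("sso_account_id", "sso_role_name"):
                if key not in p:
                    raise ValueError(f"Profile property '{key}' was not configured for '{name}'.")
            return f"sso({p['sso_account_id']}, {p['sso_role_name']})"
    raise ValueError(f"Profile '{name}' has no usable credential settings.")
```

With the current order, profile xxxxx carries sso_session, so the SSO branch wins and fails on the missing sso_account_id; with source_profile checked first, xxxxx becomes an assume-role provider backed by the SSO provider of xxxxx-src.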
I have encountered this issue as well and came to the same conclusion: source_profile is not honored when using SSO. One workaround is to define an extra profile which uses credential_process, e.g.
[profile xxxxx-workaround]
credential_process=aws configure export-credentials --profile=xxxxx
Hi @olovdavidsson,
Thank you for reporting the issue. I am able to reproduce the source_profile issue using the minimal code sample and setup below. We'll further investigate the problem and keep you posted.
Main.java
package org.example;

import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.ListBucketsResponse;

public class Main {
    public static void main(String[] args) {
        // Resolve credentials from the "dev-profile" entry in ~/.aws/config
        S3Client s3Client = S3Client.builder()
            .region(Region.US_EAST_1)
            .credentialsProvider(ProfileCredentialsProvider.create("dev-profile"))
            .build();
        // First API call triggers credential resolution and the reported failure
        ListBucketsResponse response = s3Client.listBuckets();
        System.out.println("Connected to S3. Found " + response.buckets().size() + " buckets.");
        s3Client.close();
    }
}
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>V2_ProfileCredentialsProviderSSO_6187</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <aws.java.sdk.version>2.32.26</aws.java.sdk.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>s3</artifactId>
            <version>${aws.java.sdk.version}</version>
        </dependency>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>sso</artifactId>
            <version>${aws.java.sdk.version}</version>
        </dependency>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>ssooidc</artifactId>
            <version>${aws.java.sdk.version}</version>
        </dependency>
    </dependencies>
</project>
~/.aws/config
[profile dev-profile]
source_profile = profile-src
sso_session = dev-session
role_arn = arn:aws:iam::1234567890:role/my_nice_role
role_session_name = xxxxx
[profile profile-src]
sso_account_id = ******
sso_role_name = ******
sso_session = dev-session
[sso-session dev-session]
sso_region = us-east-1
sso_start_url = https://d-*****.awsapps.com/start/#
sso_registration_scopes = sso:account:access
Stack trace
Exception in thread "main" java.lang.IllegalArgumentException: Profile property 'sso_account_id' was not configured for 'dev-profile'.
at software.amazon.awssdk.utils.Validate.isTrue(Validate.java:76)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.lambda$requireProperties$1(ProfileCredentialsUtils.java:291)
at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992)
at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:762)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.requireProperties(ProfileCredentialsUtils.java:291)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.validateRequiredPropertiesForSsoCredentialsProvider(ProfileCredentialsUtils.java:206)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.ssoProfileCredentialsProvider(ProfileCredentialsUtils.java:197)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.credentialsProvider(ProfileCredentialsUtils.java:120)
at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.credentialsProvider(ProfileCredentialsUtils.java:102)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.lambda$createCredentialsProvider$1(ProfileCredentialsProvider.java:169)
at java.base/java.util.Optional.flatMap(Optional.java:289)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.createCredentialsProvider(ProfileCredentialsProvider.java:169)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.handleProfileFileReload(ProfileCredentialsProvider.java:135)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.resolveCredentials(ProfileCredentialsProvider.java:126)
at software.amazon.awssdk.auth.credentials.AwsCredentialsProvider.resolveIdentity(AwsCredentialsProvider.java:54)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.lambda$trySelectAuthScheme$6(S3AuthSchemeInterceptor.java:169)
at software.amazon.awssdk.core.internal.util.MetricUtils.reportDuration(MetricUtils.java:81)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.trySelectAuthScheme(S3AuthSchemeInterceptor.java:169)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.selectAuthScheme(S3AuthSchemeInterceptor.java:87)
at software.amazon.awssdk.services.s3.auth.scheme.internal.S3AuthSchemeInterceptor.beforeExecution(S3AuthSchemeInterceptor.java:67)
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.lambda$beforeExecution$1(ExecutionInterceptorChain.java:59)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.beforeExecution(ExecutionInterceptorChain.java:59)
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.runInitialInterceptors(AwsExecutionContextBuilder.java:315)
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:151)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:67)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:76)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74)
at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53)
at software.amazon.awssdk.services.s3.DefaultS3Client.listBuckets(DefaultS3Client.java:8076)
at software.amazon.awssdk.services.s3.S3Client.listBuckets(S3Client.java:15126)
at org.example.Main.main(Main.java:15)
Process finished with exit code 1
Regards, Chaitanya