Steampipe doesn't, but now can, support AWS SSO / Identity Center credentials #1855

neh opened this issue Jul 21, 2023 · 7 comments
@neh

neh commented Jul 21, 2023

Describe the bug
Steampipe doesn't support sso-session settings in AWS config files. AWS Docs here. More background: aws/aws-cli#7364

Steampipe version (steampipe -v)
v0.20.9

To reproduce
Configure aws cli as documented above. Steampipe will have an error like:

 ERROR:  rpc error: code = Unknown desc = operation error Route 53: ListHostedZones, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, operation error SSO: GetRoleCredentials, https response error StatusCode: 400, RequestID: 18524593-c0ec-4cab-8fd3-ee37ace064a5, InvalidRequestException: RoleName must be supplied in the queryString params

Expected behavior
Steampipe should be able to access AWS APIs and return data.

Additional context
The support was recently added to the SDK in version 1.44.298: aws/aws-sdk-go#4904

@neh neh added the bug Something isn't working label Jul 21, 2023
@binaek
Contributor

binaek commented Jul 25, 2023

Moving to aws plugin repository since it is relevant there

@binaek binaek transferred this issue from turbot/steampipe Jul 25, 2023
@github-actions

github-actions bot commented Oct 6, 2023

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the stale No recent activity has been detected on this issue/PR and it will be closed label Oct 6, 2023
@ParthaI ParthaI removed the stale No recent activity has been detected on this issue/PR and it will be closed label Nov 1, 2023
@rajlearner17
Contributor

@neh, Sincere apology for the long silence on it. Is this still an issue for you, or were you able to resolve this?

We can configure the SSO profile in Steampipe for multiple accounts and query the same. Did I miss interpreting any key points from the provided info? Can you please elaborate more?

Please share your sample aws.spc & .aws/config files after obfuscating sensitive info from them. This will help to reproduce. Have you looked into this https://hub.steampipe.io/plugins/turbot/aws#aws-sso-credentials?

@neh
Author

neh commented Nov 3, 2023

Thanks for checking in, @rajlearner17. This doesn't look to be resolved yet, no. It will require an AWS SDK update, as mentioned in my original message. Once updated, this will allow usage of sso-session configurations supported by the newer AWS CLI/SDK (also linked in my first message).

@bigdatasourav
Contributor

Hey @neh, I was not able to reproduce the above; I have followed the below steps -

  1. Here is my config file - Configured SSO with sso_session

      [profile sso-test]
      sso_session = test-sso
      sso_account_id = 2608******12
      sso_role_name = SSO-Admin
      region = us-east-1

      [sso-session test-sso]
      sso_start_url = https://d-9a********42.awsapps.com/start#
      sso_region = us-east-2
      sso_registration_scopes = sso:account:access

  2. Here is my aws.spc file -

      connection "aws" {
        profile = "sso-test"
        regions = ["*"]
        plugin  = "aws"
      }

  3. CLI output -

      ➜  steampipe ✗ aws s3 ls --profile sso-test
      2022-07-25 15:29:25 aws-cloudtrail-logs-260848204312-ad80af06
      2023-08-28 17:34:08 cf-templates-4rtkbeftz71s-ap-south-1
      2022-07-12 00:07:24 elasticbeanstalk-us-east-1-260848204312
      2023-01-31 16:25:35 elasticbeanstalk-us-east-2-260848204312
      2023-09-26 17:06:08 raj-docker-test
      2023-06-29 18:06:13 steampipe-expected-tag-alarm-pc
      2023-06-29 18:19:36 steampipe-other-tags-test-pc
      2023-06-29 17:33:48 steampipe-tag-test-pc

  4. Steampipe query output -

      > select organization_id, arn, organization_feature_set from aws_account
      +-----------------+------------------------+--------------------------+
      | organization_id | arn                    | organization_feature_set |
      +-----------------+------------------------+--------------------------+
      | o-c3a243000241  | arn:aws:::2608400082   | ALL                      |
      +-----------------+------------------------+--------------------------+

Please let me know if I missed anything.
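
An added example, not part of the comment above and not Steampipe or AWS code: a Python check that audits an AWS config file for the two SSO layouts (the older per-profile layout and the `sso_session` layout this issue is about), so that a config mistake can be ruled out before suspecting the SDK version. The sample config is constructed with placeholder values, and `audit_sso_profiles` is a hypothetical helper name.

```python
import configparser
# Constructed sample; account id, URLs and profile names are placeholders.
SAMPLE = """\
[profile sso-test]
sso_session = test-sso
sso_account_id = 111122223333
sso_role_name = SSO-Admin

[sso-session test-sso]
sso_start_url = https://example.awsapps.com/start#
sso_region = us-east-2

[profile legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-2
sso_account_id = 111122223333
sso_role_name = ReadOnly

[profile broken]
sso_session = no-such-session
sso_account_id = 111122223333
"""

def audit_sso_profiles(text):
    """Map each SSO profile to (config style, list of problems found)."""
    cfg = configparser.RawConfigParser()  # Raw: no % interpolation, keeps 'start#'
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        if section != "default" and not section.startswith("profile "):
            continue  # skip [sso-session ...] and other section types
        keys = dict(cfg.items(section))
        if "sso_session" in keys:  # newer layout: URL and region live in a shared section
            style, holder = "sso-session", "sso-session " + keys["sso_session"]
        elif "sso_start_url" in keys:  # older layout: everything in the profile
            style, holder = "legacy", section
        else:
            continue  # not an SSO profile
        if not cfg.has_section(holder):
            problems = [f"section [{holder}] not found"]
        else:
            problems = [f"{k} missing in [{holder}]"
                        for k in ("sso_start_url", "sso_region")
                        if not cfg.has_option(holder, k)]
        # Both layouts need these in the profile to request role credentials.
        problems += [f"{k} missing in [{section}]"
                     for k in ("sso_account_id", "sso_role_name") if k not in keys]
        report[section.split(None, 1)[-1]] = (style, problems)
    return report
```

A profile that comes back as `sso-session` with no problems but still fails inside a tool points at that tool's SDK support rather than at the config file.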

@neh
Author

neh commented Nov 14, 2023

Interesting. I haven't had a chance to retest again yet, but I had assumed that it wouldn't work without AWS SDK version 1.44.298, and didn't work for me at the time of my last update (after updating steampipe and the plugins, of course). I'll test again as soon as I can though.

@bigdatasourav
Contributor

@neh, We are closing this issue as we have not heard from you. Please feel free to reopen the issue if you want to share or discuss anything.

@bigdatasourav bigdatasourav closed this as not planned Won't fix, can't repro, duplicate, stale Jan 2, 2024