Support SSO functionality in get_credentials in current botocore #1988

Closed
dytoto opened this issue Feb 27, 2020 · 12 comments
Labels: closing-soon, feature-request

@dytoto

dytoto commented Feb 27, 2020

Can you guys update the current botocore v1 version with the new SSO credential provider that was created in botocore v2? This will let people programmatically access SSO credentials they set up from the command line. Thanks :)

swetashre self-assigned this Feb 27, 2020
@swetashre
Contributor

@dytoto - Thank you for your post. Marking this as a feature request.

swetashre added the feature-request label Feb 27, 2020
@jimmone

jimmone commented Mar 24, 2020

Any updates on this?

@alicancakil

We really need this :(

@benkehoe

I pulled the SSO credential support from botocore v2 and the CLI into a credential_process helper, so by adding one line to your SSO-configured profile in .aws/config, it'll work with any SDK that supports credential_process: aws-sso-credential-process

Hopefully very soon the functionality in botocore v2 will get pulled in botocore v1, and all the other SDK languages, but until then I find this to be a minimally intrusive workaround.

@benkehoe

benkehoe commented Jul 3, 2020

@joguSD this is shipped, right? At least as of 1.17.16

@yardensachs

Still getting botocore.exceptions.NoCredentialsError: Unable to locate credentials

@anothermountaingirl

works for me today! I needed to make two changes:

  1. `pip install aws-sso-credential-process`
  2. add this to my config file (which I generate): `credential_process = aws-sso-credential-process --profile my-sso-profile`

thanks!

@benkehoe

benkehoe commented Jul 7, 2020

@annbrady You should be able to use boto3 without aws-sso-credential-process now. With boto3 1.14.0/botocore 1.17.0, it knows how to load credentials that are cached when you run `aws sso login`. But that means the user has to have signed in using the CLI for it to work. You can still use aws-sso-credential-process to enable your Python scripts to dispatch the user to the browser to sign in (and to make SDKs in other languages work).

@anothermountaingirl

> @annbrady You should be able to use boto3 without aws-sso-credential-process now. With boto3 1.14.0/botocore 1.17.0, it knows how to load credentials that are cached when you run `aws sso login`. But that means the user has to have signed in using the CLI for it to work. You can still use aws-sso-credential-process to enable your Python scripts to dispatch the user to the browser to sign in (and to make SDKs in other languages work).

Guess I'm doing something wrong then...

```
...
Successfully installed boto3-1.14.17
...

aws sso login --profile NAME
...
Successully logged into Start URL: https://d-ID.awsapps.com/start/

python
Python 3.8.1 (tags/v3.8.1:1b293b6, Dec 18 2019, 22:39:24) [MSC v.1916 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.

>>> import boto3
>>> import jmespath
>>> region = 'us-east-1'
>>> ec2 = boto3.client('ec2', region_name=region)
>>> ec2.describe_instances()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\client.py", line 621, in _make_api_call
    http, parsed_response = self._make_request(
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\client.py", line 641, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\endpoint.py", line 115, in create_request
    self._event_emitter.emit(event_name, request=request,
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\signers.py", line 160, in sign
    auth.add_auth(request)
  File "C:\Users\annbrady\AppData\Local\Programs\Python\Python38-32\lib\site-packages\botocore\auth.py", line 357, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
```

@benkehoe

benkehoe commented Jul 7, 2020

You've logged in to profile NAME but aren't providing it in Python. What if you change the code to `ec2 = boto3.Session(profile_name='NAME').client('ec2', region_name=region)`? (It would also apply if you've done `export AWS_PROFILE=NAME` before loading python.)
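The mismatch described in the comment above, modelled as an added example (not code from botocore or from anyone in this thread): it resolves which profile a session would select and reports whether that profile carries SSO settings. The function names, the account ID, the role name and the `wrapped` profile are constructed for illustration, and the model is simplified: it ignores credentials from environment variables and every other provider.

```python
import configparser

SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

# Constructed sample of ~/.aws/config: only profile NAME is SSO-configured.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile NAME]
sso_start_url = https://d-ID.awsapps.com/start/
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = ExampleRole
region = us-east-1

[profile wrapped]
credential_process = aws-sso-credential-process --profile NAME
"""


def resolve_profile(explicit=None, env=None):
    """Profile name in use: explicit argument, then AWS_PROFILE, then default."""
    env = env or {}
    return explicit or env.get("AWS_PROFILE") or "default"


def diagnose(config_text, explicit=None, env=None):
    """Return (profile, source, missing_sso_keys) for the selected profile."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    name = resolve_profile(explicit, env)
    # In ~/.aws/config every profile except default is a "[profile X]" section.
    section = "default" if name == "default" else f"profile {name}"
    if not parser.has_section(section):
        return name, "missing-profile", []
    keys = parser[section]
    if any(k in keys for k in SSO_KEYS):
        # A partially configured SSO profile cannot yield credentials.
        missing = [k for k in SSO_KEYS if k not in keys]
        return name, ("sso-incomplete" if missing else "sso"), missing
    if "credential_process" in keys:
        return name, "credential_process", []
    return name, "none", []


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG))                   # no profile given
    print(diagnose(SAMPLE_CONFIG, explicit="NAME"))  # profile passed to the session
```

A result of `"none"` for the selected profile corresponds to the `NoCredentialsError` in the traceback: the SSO login succeeded, but for a profile the session never looked at.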

@anothermountaingirl

> You've logged in to profile NAME but aren't providing it in Python. What if you change the code to `ec2 = boto3.Session(profile_name='NAME').client('ec2', region_name=region)`? (It would also apply if you've done `export AWS_PROFILE=NAME` before loading python.)

that was it, thank you!

@swetashre
Contributor

With the merging of this PR #2070, SSO functionality is now supported in current botocore. Please let us know if anyone has any concerns.
