aws-greengrass/aws-greengrass-nucleus

Greengrass installer not working with AWS SSO Profile

Closed · 1 comment

Describe the bug
The Greengrass nucleus installer is unable to load AWS credentials when using AWS SSO profiles.

To Reproduce

  1. Create a default profile in ~/.aws/config and obtain temporary credentials using aws sso login.
  2. Download and run the Greengrass core installer as per the instructions here
curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-nucleus-latest.zip \
> greengrass-nucleus-latest.zip && unzip greengrass-nucleus-latest.zip -d GreengrassInstaller

sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar \
    --aws-region us-east-1 \
    --thing-name "$ROBOT_ID" \
    --thing-group-name "$THING_GROUP_NAME" \
    --tes-role-name "$TES_ROLE_NAME" \
    --tes-role-alias-name "$TES_ROLE_ALIAS_NAME" \
    --provision true \
    --setup-system-service true

Expected behavior
The Greengrass core software is successfully installed on the device.

Actual behavior
The installer is unable to load AWS credentials. I get the following error:

Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])): To use Sso related properties in the 'ProfileDev' profile, the 'sso' service module must be on the class path., ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]
	at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
	at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:117)
	at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
	at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
	at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:54)
	at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
	at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
	at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:125)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
	at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
	at software.amazon.awssdk.services.iot.DefaultIotClient.getPolicy(DefaultIotClient.java:9158)
	at com.aws.greengrass.easysetup.DeviceProvisioningHelper.createThing(DeviceProvisioningHelper.java:205)
	at com.aws.greengrass.easysetup.GreengrassSetup.provision(GreengrassSetup.java:514)
	at com.aws.greengrass.easysetup.GreengrassSetup.performSetup(GreengrassSetup.java:325)
	at com.aws.greengrass.easysetup.GreengrassSetup.main(GreengrassSetup.java:274)

Environment

  • OS: Ubuntu 20.04.6
  • JDK version: 11.0.22
  • Nucleus version: 2.12.2

Additional context
This looks like a case where the installer is using an AWS SDK version that does not support SSO login. Would it be possible to update the dependencies to allow this use case? The developer guide points to "Manual credential refresh in Getting and refreshing temporary credentials in the IAM Identity Center user guide." as a recommended way to obtain temporary credentials for the Greengrass installer, which seems to imply that SSO login should be supported.

Thanks for reporting!

For visibility here's the original rePost: https://repost.aws/zh-Hant/questions/QUSlf-efzmTnCWgy0zSp3erg/greengrass-installer-not-working-with-aws-sso-profile. For others interested, there are a few workarounds mentioned here.

We would prefer to not add more dependencies to Nucleus to support this, since installation is a one-off operation, and there are ways to use sso as linked above.
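A preflight check for the situation in this thread, written as an added example (it is not code from the Nucleus project or from either commenter). It reads the profile the installer would use out of an AWS config file and reports whether that profile depends on IAM Identity Center settings, which the credential chain in the trace above cannot resolve because the installer ships without the SDK's sso module. For an SSO profile it prints the environment-variable hand-off that the chain's EnvironmentVariableCredentialsProvider does accept. The `aws configure export-credentials --format env` command is an AWS CLI v2 feature and is an assumption of this example, not something the thread names; the sample ~/.aws/config is constructed to mirror the profile names in the report and contains no real account data.

```shell
#!/bin/sh
# Preflight check for the Greengrass installer's credential source.
# Added example, not part of the aws-greengrass-nucleus project.
set -eu

# Exit status: 0 = profile carries SSO settings, 1 = profile present without
# SSO settings, 2 = profile not found. Non-default profiles are headed
# "[profile name]" in ~/.aws/config; the default profile is "[default]".
profile_is_sso() {
  config_file=$1
  profile=$2
  if [ "$profile" = default ]; then header="[default]"; else header="[profile $profile]"; fi
  awk -v hdr="$header" '
    { sub(/[ \t]+$/, "") }                       # drop trailing whitespace
    $0 == hdr { found = 1; insec = 1; next }     # entered the wanted section
    /^\[/ { insec = 0 }                          # any other header ends it
    insec && /^[ \t]*(sso_session|sso_start_url|sso_role_name)[ \t]*=/ { sso = 1 }
    END { if (!found) exit 2; if (sso) exit 0; exit 1 }
  ' "$config_file"
}

# Constructed sample config: SSO profiles named like the ones in the report,
# plus one profile with no SSO settings. Account id and URL are placeholders.
write_sample_config() {
  cat > "$1" <<'EOF'
[default]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ExampleRole
region = us-east-1
output = json

[profile ProfileDev]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ExampleRole
region = us-east-1

[profile StaticKeys]
region = us-east-1

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
EOF
}

# Report what the installer's chain will do with the profile and, for SSO
# profiles, show the hand-off via AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
# AWS_SESSION_TOKEN, which the chain reads without the sso module.
# Assumption: AWS CLI v2 is installed (it provides export-credentials).
preflight() {
  cfg=$1
  profile=$2
  rc=0
  profile_is_sso "$cfg" "$profile" || rc=$?
  case $rc in
    0) echo "profile '$profile' is SSO-based: ProfileCredentialsProvider cannot use it in the installer"
       echo "export the current session as environment variables first, e.g.:"
       echo "  eval \"\$(aws configure export-credentials --profile $profile --format env)\"" ;;
    1) echo "profile '$profile' has no SSO settings; ProfileCredentialsProvider can read it" ;;
    *) echo "profile '$profile' not found in $cfg" ;;
  esac
  return $rc
}

main() {
  tmp=$(mktemp)
  write_sample_config "$tmp"
  for p in default ProfileDev StaticKeys Missing; do
    preflight "$tmp" "$p" || true
  done
  rm -f "$tmp"
}

main "$@"
```

The reproduction above runs the installer with `sudo -E`, so variables exported in the calling shell reach the JVM unchanged. The exported session token expires with the SSO session, and unsetting the three variables once installation finishes keeps a temporary credential from lingering in the shell environment.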