Get-CAAuthorizationToken is throwing error
Closed this issue · 8 comments
Describe the bug
using powershelltool for some CI scripts since a while
Everything was working fine but suddenly Get-CAAuthorizationToken is showing error
After some investigation look like a breaking change was introduce in version 4.1.165
Error message
Get-CAAuthorizationToken: Value cannot be null. (Parameter 'Options property cannot be empty: ClientName')
Expected Behavior
Considering we are logged in with AWS SSO
We should be able to get the Auth Token without pbm using aws powershel tool
aws sso login
aws codeartifact login --tool dotnet --repository xxxx --domain xxxx --domain-owner xxxxx
Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC
Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"
It was working before but stop working lately
Current Behavior
to facilitate the repro
i used docker image
aws sso login
aws codeartifact login --tool dotnet --repository xxxx --domain xxxx --domain-owner xxxxx
docker run --rm -it -v C:\Users\xxxxxx/.aws:/root/.aws:ro mcr.microsoft.com/dotnet/core/sdk:3.1 pwsh
Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC
Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"
Giving following error
Get-CAAuthorizationToken: Value cannot be null. (Parameter 'Options property cannot be empty: ClientName')
Reproduction Steps
Checking with version 4.1.164 is success
Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force -MaximumVersion 4.1.164
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force -MaximumVersion 4.1.164
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force -MaximumVersion 4.1.164
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC
Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"
Checking with latest is Failed
Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC
Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"
Possible Solution
No response
Additional Information/Context
No response
AWS Tools for PowerShell version used
AWS.Tools.Installer 1.0.2.4
AWS.Tools.SSO -CleanUp -Force -MaximumVersion 4.1.164 vs latest
AWS.Tools.SSOOIDC -CleanUp -Force -MaximumVersion 4.1.164 vs latest
AWS.Tools.CodeArtifact -CleanUp -Force -MaximumVersion 4.1.164 vs latest
PowerShell version used
Name Value
PSVersion 7.0.12
PSEdition Core
GitCommitId 7.0.12
OS Linux 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Operating System and version
Windows 10
Based on sample .NET code at Single sign-on (SSO) with the AWS SDK for .NET,
- If using
Generate and use an SSO token programmatically,ClientNameproperty also needs to be set. - If using
AWS CLI and .NET application, then client name need not be explicitly set.
@rjacquemin Please confirm the following:
- If your
defaultcredentials profile is the SSO profile - How does your SSO profile looks like?
- You mentioned the error occurred recently and the logic was working fine earlier. You are asserting that the possible breaking change was introduced in version 4.1.165 which was released a month ago. Is this correct and that you noticed the recurring issue only until recently, and it works fine with version
4.1.164?
Thanks,
Ashish
See an example of the aws sso profile config
[profile default]
sso_start_url = https://xxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxxxx
sso_role_name = xxxxxxxxxxxxx
region = us-east-1
You mentioned the error occurred recently and the logic was working fine earlier. You are asserting that the possible breaking change was introduced in version 4.1.165 which was released a month ago. Is this correct and that you noticed the recurring issue only until recently, and it works fine with version 4.1.164?
yes I can confirm 4.1.164 is working like before
Hi @rjacquemin,
Good afternoon.
If we follow the steps properly, the issue is not reproducible in the latest AWS Tools for PowerShell version. The issue occurs if aws sso login command is not executed before calling Get-CAAuthorizationToken. For testing, I did not use the said Docker image, instead I tested it locally. Here is the screenshot:
- Executed
Get-CAAuthorizationTokenwithout executingaws sso login. Got the said error reported by you. - Then executed
aws sso loginand approved the login in the web browser. - Re-executed
Get-CAAuthorizationToken. It ran successfully.
Few points to notice:
- You are running the
Get-CAAuthorizationTokenin the said docker image. Do you have AWS CLI installed in the docker image and executedaws sso loginin your image? - You may also install
AWS.Tools.SecurityTokenand executeGet-STSCallerIdentityto verify if you are actually logged in to your SSO profile and caller identity of the credentials.
Thanks,
Ashish
This issue has not received a response in 5 days. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
You are running the Get-CAAuthorizationToken in the said docker image. Do you have AWS CLI installed in the docker image and executed aws sso login in your image?
yes we are installing AWS CLI on the docker image
we are doing sso login on the host machine then mount the credentials volume on the docker
so the docker have access to the sso credentials
aws sso login
aws codeartifact login --tool dotnet --repository xxxx --domain xxxx --domain-owner xxxxx
docker run --rm -it -v C:\Users\xxxxxx/.aws:/root/.aws:ro mcr.microsoft.com/dotnet/core/sdk:3.1 pwsh
Install-Module -Name AWS.Tools.Installer -Force -MaximumVersion 1.0.2.4
Install-AWSToolsModule AWS.Tools.SSO -CleanUp -Force
Install-AWSToolsModule AWS.Tools.SSOOIDC -CleanUp -Force
Install-AWSToolsModule AWS.Tools.CodeArtifact -CleanUp -Force
Import-Module -Name AWS.Tools.SSO, AWS.Tools.SSOOIDC
Get-CAAuthorizationToken -Region us-east-1 -Domain "xxxxx" -DomainOwner "xxxxx" -Select "AuthorizationToken"
But it was working fine before
As mentioned issue started something like a month ago
I was able to repro with version https://www.powershellgallery.com/packages/AWS.Tools.CodeArtifact/4.1.165
You may also install AWS.Tools.SecurityToken and execute Get-STSCallerIdentity to verify if you are actually logged in to your SSO profile and caller identity of the credentials.
will check those maybe can give us more info
If using AWS CLI and .NET application, then client name need not be explicitly set.
what is the ClientName parameter and what should be
checking the official doc
https://docs.aws.amazon.com/powershell/latest/reference/items/Get-CAAuthorizationToken.html
we are talking about ClientConfig ?
@rjacquemin ClientName is set internally after while successful SSO credentials resolution. It's not related to ClientConfig. I'm still unsure on how you would be able to simply mount the credentials volume in docker and make it work. Were you able to get the result of Get-STSCallerIdentity inside docker image?
Thanks,
Ashish
see no pbm using 4.1.164
see with latest packages
