Unable to locate authorization token when calling codecatalyst from AWS CLI - amazon-web-services

When I try to use the AWS CLI to run commands for the new AWS CodeCatalyst service, the command hangs for a bit and I keep getting the same error: Unable to locate authorization token
I verified that my AWS profile/credentials are pointing to the AWS account that I linked when I signed up for CodeCatalyst.
% aws --profile dev-admin s3 ls
2020-06-03 06:44:13 bucket1
2022-10-31 16:45:08 bucket2
% aws --profile dev-admin codecatalyst list-access-tokens
Unable to locate authorization token
What am I doing wrong?

You can't use your normal AWS credentials when running AWS CLI commands for codecatalyst because CodeCatalyst uses our AWS Builder ID as your user to authenticate and you need a special profile for that.
To get this working, add the following to your ~/.aws/config file to create a profile (calling it codecatalyst in this example):
[profile codecatalyst]
region = us-west-2
sso_session = codecatalyst
[sso-session codecatalyst]
sso_region = us-east-1
sso_start_url = https://view.awsapps.com/start
sso_registration_scopes = codecatalyst:read_write
Then you can run the login command to login and get your credentials setup in the CLI. It will redirect you to a browser window where you need to login with your AWS Builder ID that you used to sign up with CodeCatalyst.
% aws sso login --profile codecatalyst
After this, you can successfully run CodeCatalyst CLI commands using your new profile:
% aws codecatalyst list-access-tokens --profile codecatalyst
{
"items": [
...
]
}
Reference:
Code Catalyst CLI Setup Guide

Related

EB CLI with and AWS CLI doesn't recognize SSO sso_start_url and sso_region configuration

I installed EB CLI following these instructions.
To use it, I configured AWS CLI for SSO following these instructions.
This creates a config file in ~/.aws/config with these contents:
[profile <profile_name>]
sso_session = <session_name>
sso_account_id = <account_no>
sso_role_name = <role_name>
region = <region>
output = json
[sso-session <session_name>]
sso_start_url = <start_url>
sso_region = <region>
sso_registration_scopes = <scopes>
All the values seem to be correct.
Once configured, I can login using SSO using:
aws sso login --profile <profile_name>
This redirects me to the SSO <start_url> and I get the confirmation for login:
Successfully logged into Start URL: <start_url>
EB CLI is supposed to be able to login using the authentication methods set with AWS CLI. I am trying to do so with:
eb init --profile <profile_name>
However, after selecting the region, I get this error:
ERROR: InvalidConfigError - The profile "<profile_name>" is configured to use SSO but is missing required configuration: sso_start_url, sso_region
I am not sure what I am missing as the ~/.aws/config file seems to be properly set with the sso_start_url and sso_region I specified in the AWS CLI configuration.
Is there any other intermediate step to get EB CLI working with SSO?

Failed to assume role after logging in SSO

The UI path works for me. So let me walk you through this first.
log in with SSO URL
Choose the account from SSO and AWS Console opens
Assume another role
Open s3 and it works
Now I tried to do the same thing with CLI
log in with SSO
Copy access_key, secret_key, session_token from SSO page
Run export for access_key, secret_key, session_token in CLI
Run aws s3 ls to test but didn't work (no problem)
Run aws sts assume-role but didn't work
$ aws sts assume-role --role-arn "arn:aws:iam::123456789:role/SomeRole" --role-session-name AWSCLI-Session --region ap-southeast-2
=> An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789:assumed-role/AWSReservedSSO_some_role_assume_all_123abc/myid#some.domain is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/SomeRole
I have found the answer. For the second part in my question, step 1 and 2 are wrong.
First you need to run
aws configure sso
This will run some magic and set up a profile under ~/.aws/config
Then you need to run aws sts assume-role with the flag --profile and the value is the newly created profile.
Then it will work.

Empty result from aws configure get aws_access_key_id

I currently have an AWS cli profile set up that I can query using the below powershell command:
aws configure list --profile <ProfileName>
This returns the expected info about profile name, access_key and so on.
However, when trying to get just the access key, I get nothing back. The command I am running is aws configure get aws_access_key_id --profile <ProfileName>
What could be the cause of this?
aws iam list-access-keys
Try to use this command. It should work.

Cannot run AWS CLI from windows command prompt

I am trying to run basic aws cli commands from my terminal( I am using windows command prompt).
aws iam list-users
result:
Could not connect to the endpoint URL: "https://iam.amazonaws.com/"
aws s3 ls
result:
Could not connect to the endpoint URL: "https://s3.eu-central-1.amazonaws.com/"
The aws config file is as below:
$ cat config
[default]
region = eu-central-1
output = json
The aws credentials file is as below:
$ cat credentials
[default]
aws_access_key_id = AKI***************N
aws_secret_access_key = Uu********************************se
My system is sitting behind a company proxy. What should i do to get aws cli working?

AWS Lambda Serverless deploy asking for AWS provider credentials

I have configured serverless with key and secret.
When i try to run serverless deploy it says:
ServerlessError: AWS provider credentials not found. Learn how to set up AWS provider credentials in our docs here:.
Please help me what to do
This is how to setup AWS credentials on the local:
Sign in to AWS console
Go to your AWS account overview
Account menu in the upper-right (has your name on it)
sub-menu: Security Credentials
Copy <Access Key ID>
Copy <Secret Access Key>
Run on local serverless config credentials --provider aws --key <Access Key ID> --secret <Secret Access Key>
You can set up your serverless credentials by using the serverless config credentials command, with --provider aws and using --key and --secret to set your AWS Access Key ID and Secret Access Key, respectively.
See the Serverless AWS - Config Credentials documentation for Serverless specifics, and this AWS document on security credentials in case you need to figure out what your credentials are.
Also give your profile and region configuration in your yml file
provider:
name: aws
runtime: python2.7
lambdaHashingVersion: 20201221
profile: 'serverless-admin'
region: 'us-east-1'
I had the same problem. I try everything. I configure my credentials (AWS key and secret) with both aws cli and serverless cli but still got that same error when I run:
sls deploy -v
I was using CMD before then I realize something when I run the command
aws configure list
the output is
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key ****************SOU5 shared-credentials-file
secret_key ****************Cki5 shared-credentials-file
region eu-west-1 config-file ~/.aws/config
the path of the config file is
~/.aws/config
and CMD don't know what ~/ PATH IS but Bash does know
😈
then I run the
sls deploy -v
on bash terminal and it worked 🎉🙌🙌🎉🐱‍🏍
For those who has the same problem, even when already configured the AWS credentials for serverless, by running the command serverless config credentials:
I had the same problem; even when I had set up properly my AWS credentials on serverless, when I run the serverless deploy command, I got this: ServerlessError: AWS provider credentials not found.
How did I solved it? By installing and configuring the AWS CLI Tool. Once I installed it and configured it with my AWS credentials, and then run again the serverless deploy command, it just works fine.
I guess the serverless command, behind the scenes, uses the AWS CLI to access AWS and provision the AWS resources.
I hope this could be helpful for someone.