Failed to assume role after logging in SSO - amazon-web-services

The UI path works for me. So let me walk you through this first.
1. Log in with the SSO URL.
2. Choose the account from SSO and the AWS Console opens.
3. Assume another role.
4. Open S3 and it works.
Now I tried to do the same thing with the CLI:
1. Log in with SSO.
2. Copy access_key, secret_key, session_token from the SSO page.
3. Run export for access_key, secret_key, session_token in the CLI.
4. Run aws s3 ls to test, but it didn't work (no problem).
5. Run aws sts assume-role, but it didn't work:
$ aws sts assume-role --role-arn "arn:aws:iam::123456789:role/SomeRole" --role-session-name AWSCLI-Session --region ap-southeast-2
=> An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789:assumed-role/AWSReservedSSO_some_role_assume_all_123abc/myid#some.domain is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/SomeRole

I have found the answer. For the second part of my question, steps 1 and 2 are wrong.
First you need to run
aws configure sso
This will run some magic and set up a profile under ~/.aws/config.
Then you need to run aws sts assume-role with the flag --profile, and the value is the newly created profile.
Then it will work.

Related

Unable to locate authorization token when calling codecatalyst from AWS CLI

When I try to use the AWS CLI to run commands for the new AWS CodeCatalyst service, the command hangs for a bit and I keep getting the same error: Unable to locate authorization token
I verified that my AWS profile/credentials are pointing to the AWS account that I linked when I signed up for CodeCatalyst.
% aws --profile dev-admin s3 ls
2020-06-03 06:44:13 bucket1
2022-10-31 16:45:08 bucket2
% aws --profile dev-admin codecatalyst list-access-tokens
Unable to locate authorization token
What am I doing wrong?
You can't use your normal AWS credentials when running AWS CLI commands for CodeCatalyst, because CodeCatalyst uses your AWS Builder ID as your user to authenticate and you need a special profile for that.
To get this working, add the following to your ~/.aws/config file to create a profile (calling it codecatalyst in this example):
[profile codecatalyst]
region = us-west-2
sso_session = codecatalyst
[sso-session codecatalyst]
sso_region = us-east-1
sso_start_url = https://view.awsapps.com/start
sso_registration_scopes = codecatalyst:read_write
Then you can run the login command to log in and get your credentials set up in the CLI. It will redirect you to a browser window where you need to log in with the AWS Builder ID that you used to sign up for CodeCatalyst.
% aws sso login --profile codecatalyst
After this, you can successfully run CodeCatalyst CLI commands using your new profile:
% aws codecatalyst list-access-tokens --profile codecatalyst
{
"items": [
...
]
}
Reference:
Code Catalyst CLI Setup Guide

How to source AWS credentials profile from .aws/credentials for aws cli

I have the following programmatic access credentials for AWS in my .aws/credentials file.
How do I specify which credentials to use for AWS CLI commands, and verify which credentials are being used?
To verify:
AWS_PROFILE=amplify aws sts get-caller-identity
# OR
aws sts get-caller-identity --profile amplify
The same to run commands:
AWS_PROFILE=default aws eks --region .......
# OR
aws eks --region ....... --profile default

use aws-vault to push docker image to ECR failed

I am trying to push a Docker image to ECR from my Mac. I added identity to aws-vault, but using aws-vault failed to obtain a password. My peer has the same privilege and he can log in to ECR without problem.
.aws % aws-vault list
Profile Credentials Sessions
======= =========== ========
identity identity -
.aws % ENCRYPTED_PASSWORD=$(aws-vault exec identity -- aws ecr get-login-password --region us-west-2)
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::97xxxxxxxxxx:user/xxxxx.xxxxxx#xxxxxxxxx.com is not authorized to perform: ecr:GetAuthorizationToken on resource: * with an explicit deny in an identity-based policy
We are using the same role. I intend to execute the following line once ENCRYPTED_PASSWORD is obtained:
printf '%s' "${ENCRYPTED_PASSWORD}" | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com
My .aws/config has this line referring to the above.
[profile identity]
Since my teammate has the same policy/permission, I don't see "GetAuthorizationToken" as an issue. What else? I'm trying to find a way to push my docker images from Mac to the ECR.
I completely redid the config and linked all roles to identity.
[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
parent_profile=mfa
[profile identity]
Now it is the token issue: I entered the code from the MFA authenticator but it failed.
.aws % aws-vault exec xx-xxxx-main-admin -- aws ecr get-login --region us-west-2
Warning: parent_profile is deprecated, please use include_profile instead in your AWS config
Enter token for arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxxx.xxxx#xxxxxx.com: **125492**
aws-vault: error: exec: Failed to get credentials for xx-xxxx-main-admin: AccessDenied: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.
status code: 403, request id: 25808115-d9fa-480d-87d4-xxxxxxxxxxxxx
It doesn't look like the token from the authenticator MFA is valid.
First, the aws-vault "GetAuthorizationToken" error was caused by an unhealthy, ill-formatted ~/.aws/config file. Roles must be specified in the following format:
[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
parent_profile=mfa
[profile identity]
The second part is the MFA issue. The MFA serial number must match what you configured in your authenticator (Duo, Authy, Authenticator...). Your ~/.aws/config should have this section:
[profile mfa]
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxx.xxxx#xxxxx.com
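Three of the posts above come down to the shape of ~/.aws/config: the sso-session profile that `aws configure sso` writes, with a role profile chained on it through source_profile (first post); the CodeCatalyst profile that must point at an existing [sso-session] block (second post); and the aws-vault role profile that needs source_profile plus an mfa_serial it inherits from an included profile (this post). The checker below is an added example, not code from any of the posts or from aws-vault: it parses a config file, walks each profile's source_profile chain, and reports missing sessions, unknown or deprecated keys (the `sparent_profile` misspelling and `parent_profile`) and malformed mfa_serial values. The sample config, account IDs, URLs and the `identity` credentials entry are constructed placeholders, and the key list it recognises is an assumption rather than the full CLI schema.

```python
"""Added example, not code from any of the posts above: a checker for the ~/.aws/config
shapes those posts depend on: an sso-session profile (as written by `aws configure sso`)
with a role chained on it (first post), the CodeCatalyst profile (second post), and an
aws-vault role profile that inherits mfa_serial from an included profile (fourth post).
All config text, account IDs and URLs below are constructed placeholders."""
import configparser
import re

# Keys this example recognises in a profile (an assumption, not the full CLI schema).
KNOWN_KEYS = {"region", "output", "sso_session", "sso_start_url", "sso_region",
              "sso_account_id", "sso_role_name", "role_arn", "source_profile",
              "credential_source", "mfa_serial", "role_session_name", "external_id",
              "credential_process", "include_profile", "parent_profile"}
DEPRECATED = {"parent_profile": "include_profile"}   # the warning aws-vault printed in the post
MFA_SERIAL = re.compile(r"^arn:aws:iam::\d{12}:mfa/\S+$")

def parse_config(text):
    """Split config text into {profile_name: keys} and {sso_session_name: keys}."""
    cp = configparser.ConfigParser(delimiters=("=",))   # AWS config uses '='; keep ':' inside ARNs
    cp.read_string(text)   # '#' inside a value (user#domain) survives; only full-line comments are dropped
    profiles, sessions = {}, {}
    for section in cp.sections():
        kind, _, name = section.partition(" ")
        if section == "default":
            profiles["default"] = dict(cp[section])
        elif kind == "profile":
            profiles[name] = dict(cp[section])
        elif kind == "sso-session":
            sessions[name] = dict(cp[section])
    return profiles, sessions

def effective(profile, profiles):
    """aws-vault semantics: inherit keys from include_profile/parent_profile; own keys win."""
    parent = profile.get("include_profile") or profile.get("parent_profile")
    merged = dict(profiles.get(parent, {})) if parent else {}
    merged.update(profile)
    return merged

def check_profile(name, profiles, sessions, credentials_profiles=()):
    """Walk the source_profile chain from `name`; return findings ([] means it looks usable).
    credentials_profiles: section names in ~/.aws/credentials (not read here) where a chain may end."""
    findings, seen, current = [], [], name
    while current not in seen:
        seen.append(current)
        raw = profiles.get(current)
        if raw is None:
            findings.append(f"{current}: profile not found")
            return findings
        for key in raw:
            if key in DEPRECATED:
                findings.append(f"{current}: '{key}' is deprecated, use '{DEPRECATED[key]}'")
            elif key not in KNOWN_KEYS:
                findings.append(f"{current}: unknown key '{key}' (typo?) will be ignored")
        p = effective(raw, profiles)
        if "mfa_serial" in p and not MFA_SERIAL.match(p["mfa_serial"]):
            findings.append(f"{current}: mfa_serial '{p['mfa_serial']}' is not an IAM MFA device ARN")
        if "sso_session" in p:                                  # credentials come from the SSO token cache
            if p["sso_session"] not in sessions:
                findings.append(f"{current}: sso_session '{p['sso_session']}' has no [sso-session] block")
            return findings
        if any(k in p for k in ("sso_start_url", "credential_process", "credential_source")):
            return findings                                     # legacy SSO, external process, IMDS/container
        if "role_arn" in p:
            if "source_profile" not in p:
                findings.append(f"{current}: role_arn needs source_profile or credential_source")
                return findings
            current = p["source_profile"]                       # CLI calls sts:AssumeRole with that profile's creds
            continue
        if current not in credentials_profiles:
            findings.append(f"{current}: no credential source and no [{current}] section in ~/.aws/credentials")
        return findings
    findings.append(f"{name}: source_profile loop via '{current}'")
    return findings

SAMPLE_CONFIG = """\
[profile sso-dev]
sso_session = corp
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
[profile some-role]
role_arn = arn:aws:iam::123456789012:role/SomeRole
source_profile = sso-dev
[profile codecatalyst]
sso_session = codecatalyst
[sso-session codecatalyst]
sso_region = us-east-1
sso_start_url = https://view.awsapps.com/start
sso_registration_scopes = codecatalyst:read_write
[profile identity]
[profile mfa]
mfa_serial = arn:aws:iam::123456789012:mfa/placeholder.user
[profile monitoring]
role_arn = arn:aws:iam::123456789012:role/XXMonitoring
source_profile = identity
include_profile = mfa
[profile monitoring-typo]
role_arn = arn:aws:iam::123456789012:role/XXMonitoring
source_profile = identity
sparent_profile = mfa
"""

if __name__ == "__main__":
    profiles, sessions = parse_config(SAMPLE_CONFIG)
    for name in profiles:   # "identity" is assumed to hold static keys in ~/.aws/credentials
        print(name, check_profile(name, profiles, sessions, ("identity",)) or "ok")
```

Run against a real ~/.aws/config by passing its text to parse_config and the section names of ~/.aws/credentials as credentials_profiles; a profile with no findings has a complete chain, which is the precondition for `--profile` (and for aws-vault's MFA prompt) to work at all. Permission errors such as the AccessDenied on sts:AssumeRole in the first post are an IAM question that no config check can answer.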

AWS SSO and CodeArtifact Login requires manual config file changes for Region

When I run
aws sso login --profile default
on my machine, if my .aws/config file is not set to a default region of us-east-1 I get "Invalid Grant" when the browser opens to authenticate. When I set the config region to us-west-2 I can authenticate.
The issue is that I then need to log in to CodeArtifact, and if I do not change the config file to us-west-2 I get:
An error occurred (ResourceNotFoundException) when calling the GetAuthorizationToken operation: Domain not found. Domain 'MY-domain' owned by account '1234567890' does not exist.
I need to be able to log in to CodeArtifact inside of a Docker container, and manually changing the region is not an option there. Please advise. Thank you!
AWS CLI has global parameters you can use to pass the region when calling get-authorization-token.
aws codeartifact get-authorization-token --domain MY-domain --region us-west-2

InvalidClientTokenId when calling get-caller-identity on an AWS EC2 instance with instance profile

We're having an issue where we're on a CentOS EC2 instance that is using a role through an attached instance profile. When we're on the console after SSHing in, we run the python awscli command line tool to get our identity:
$ aws sts get-caller-identity
we're getting
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
Other commands, such as aws ec2 describe-instances, work and are allowed by the instance profile.
From reading the AWS documentation, no permissions should be required for get-caller-identity, and there's no explicit deny set on the role associated with the instance.
We checked and there's no .aws/credentials file and no env variables set, so access should be entirely managed through the metadata service on the EC2 instance.
Is there something missing in our setup or invocation of the awscli that might cause the permission to fail?
Just documenting the fix for anyone that runs into this issue.
All calls to the awscli should probably include a --region <region> parameter.
E.g.
$ aws sts get-caller-identity --region us-east-2
We were prompted for the region on our aws ec2 describe-instances call but on the aws sts get-caller-identity call, it just failed.
Additionally, we found that the AWS_REGION environment variable didn't seem to affect calls: we still needed to include the --region <region> parameter.
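The last three posts are all about where the CLI picks up a setting from: the profile (AWS_PROFILE versus --profile), the region (--region, environment, or the profile's region line) and the credentials (environment keys, a credentials-file section, an SSO session, an assumed role, or finally the instance profile through the metadata service). The following dry-run resolver is an added example, not the CLI's own code: it models the documented precedence for those three settings so that you can see, before running a command, which source will win. The command strings, environments and config files are constructed; the credential chain is simplified (no web-identity or credential_process branches), and the `aws_region_supported` switch models the observation in this post that the AWS_REGION variable was not honoured by the CLI in use.

```python
"""Added example, not from the posts above: a dry-run resolver that reports which profile,
region and credential source the AWS CLI will use for a command, following the documented
precedence (command line > environment > config files > container/instance metadata).
It models that precedence; it is not the CLI. All inputs below are constructed."""
import configparser
import shlex

def _flag(argv, name):
    """Value of a global option given as `--name value` or `--name=value`, else None."""
    for i, tok in enumerate(argv):
        if tok == name and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
    return None

def _section(ini_text, section):
    """One INI section as a dict, or None when absent (AWS files use '=' as delimiter)."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(ini_text)
    return dict(cp[section]) if cp.has_section(section) else None

def resolve(command, env=None, config_text="", credentials_text="", aws_region_supported=True):
    """Explain where the CLI takes profile, region and credentials from for `command`."""
    env, argv = env or {}, shlex.split(command)
    # 1. Profile: --profile, then AWS_PROFILE, then the implicit "default" (third post: both spellings agree).
    if _flag(argv, "--profile"):
        profile, profile_src = _flag(argv, "--profile"), "--profile"
    elif env.get("AWS_PROFILE"):
        profile, profile_src = env["AWS_PROFILE"], "AWS_PROFILE"
    else:
        profile, profile_src = "default", "implicit default"
    cfg_section = "default" if profile == "default" else f"profile {profile}"
    cfg = _section(config_text, cfg_section) or {}
    creds = _section(credentials_text, profile)
    # 2. Region: --region, then AWS_REGION (CLI v2; the last post's CLI ignored it),
    #    then AWS_DEFAULT_REGION, then the profile's `region`; otherwise unset.
    if _flag(argv, "--region"):
        region, region_src = _flag(argv, "--region"), "--region"
    elif aws_region_supported and env.get("AWS_REGION"):
        region, region_src = env["AWS_REGION"], "AWS_REGION"
    elif env.get("AWS_DEFAULT_REGION"):
        region, region_src = env["AWS_DEFAULT_REGION"], "AWS_DEFAULT_REGION"
    elif cfg.get("region"):
        region, region_src = cfg["region"], f"~/.aws/config [{cfg_section}]"
    else:
        region, region_src = None, "unset"
    # 3. Credentials: provider-chain order, simplified (env, assume-role, SSO, credentials file,
    #    container endpoint, instance metadata). Nothing in env or files means IMDS, as in the last post.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        cred_src = "environment variables" + (" with session token" if env.get("AWS_SESSION_TOKEN") else "")
    elif cfg.get("role_arn"):
        cred_src = f"sts:AssumeRole {cfg['role_arn']} using source_profile {cfg.get('source_profile', '?')}"
    elif cfg.get("sso_session") or cfg.get("sso_start_url"):
        cred_src = "IAM Identity Center (SSO) token cache; run `aws sso login --profile ...` if expired"
    elif creds is not None and "aws_access_key_id" in creds:
        cred_src = f"~/.aws/credentials [{profile}]"
    elif env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        cred_src = "ECS container credentials endpoint"
    else:
        cred_src = "EC2 instance metadata (instance profile role)"
    return {"profile": profile, "profile_source": profile_src, "region": region,
            "region_source": region_src, "credentials": cred_src}

# Constructed files mirroring the posts: a plain profile and a credentials-file entry.
CONFIG = """\
[profile dev-admin]
region = us-west-2
[profile amplify]
region = us-east-1
"""
CREDENTIALS = """\
[amplify]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = example-secret-placeholder
"""

if __name__ == "__main__":
    print(resolve("aws sts get-caller-identity --profile amplify", {}, CONFIG, CREDENTIALS))
    print(resolve("aws sts get-caller-identity", {"AWS_PROFILE": "amplify"}, CONFIG, CREDENTIALS))
    # The EC2 box from the last post: no env, no files, region only via --region, creds from IMDS.
    print(resolve("aws sts get-caller-identity --region us-east-2", {}))
    print(resolve("aws ec2 describe-instances", {"AWS_REGION": "us-east-2"}, aws_region_supported=False))
```

Feed it the real contents of ~/.aws/config and ~/.aws/credentials plus `dict(os.environ)` to get the same report for your own shell; comparing its `credentials` line with the Arn returned by `aws sts get-caller-identity` is a quick way to confirm that the CLI is using the identity you think it is.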