Greengrass Installer not working with AWS SSO Profile

0

I found that the Greengrass installer is unable to load credentials when I'm using an AWS SSO profile. I'm trying the commands below from this link:

curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-nucleus-latest.zip \
> greengrass-nucleus-latest.zip && unzip greengrass-nucleus-latest.zip -d GreengrassInstaller

sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar \
    --aws-region us-east-1 \
    --thing-name "$ROBOT_ID" \
    --thing-group-name "$THING_GROUP_NAME" \
    --tes-role-name "$TES_ROLE_NAME" \
    --tes-role-alias-name "$TES_ROLE_ALIAS_NAME" \
    --provision true \
    --setup-system-service true \

This works fine when I have temporary credentials in environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN). But if I have a default sso profile set up in my ~/.aws/config file and I obtain temporary credentials for the profile using aws sso login, the installer is unable to load the credentials. I get the following error:

Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])): To use Sso related properties in the 'ProfileDev' profile, the 'sso' service module must be on the class path., ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]
	at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
	at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:117)
	at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
	at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
	at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:54)
	at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
	at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
	at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:125)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
	at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
	at software.amazon.awssdk.services.iot.DefaultIotClient.getPolicy(DefaultIotClient.java:9158)
	at com.aws.greengrass.easysetup.DeviceProvisioningHelper.createThing(DeviceProvisioningHelper.java:205)
	at com.aws.greengrass.easysetup.GreengrassSetup.provision(GreengrassSetup.java:514)
	at com.aws.greengrass.easysetup.GreengrassSetup.performSetup(GreengrassSetup.java:325)
	at com.aws.greengrass.easysetup.GreengrassSetup.main(GreengrassSetup.java:274)

I know the temporary credentials are available because aws cli commands work without any issues. Looks like maybe the installer is using an SDK version that doesn't support sso? Is there some way I can make the Greengrass Installer work with this setup? The documentation seems to imply that it should be supported.

1 Answer
1
Accepted Answer

Hello, yes as you just experienced, Greengrass doesn't support SSO credentials.

However, it is possible to work around this:

  1. download the latest Nucleus source (e.g. https://github.com/aws-greengrass/aws-greengrass-nucleus/archive/refs/tags/v2.12.5.zip)
  2. add the following to pom.xml
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>sso</artifactId>
        </dependency>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>ssooidc</artifactId>
        </dependency>
  1. Build with mvn package
  2. There will be a aws.greengrass.nucleus.zip that you can then unzip and run the command in
AWS
answered a month ago
  • Thanks! I opened an issue in the Nucleus repository to see if this support can be built in to the official installer distribution. For anyone who runs into the same issue, I ended up using https://github.com/victorskl/yawsso as a temporary workaround to obtain env variables from sso login. A more suitable workaround for scripting compared to downloading the source, modifying the dependencies, and building for my use case.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions