
RDS in Datagrip tries to use SSO when the account configured doesn't have SSO

0

I've been working with AWS for the past couple of months to set up a new landing zone where we have set up SSO, so while working with this environment I use aws sso login to access that. Meanwhile, we have an old environment that doesn't use SSO, but just plain IAM users, where we have an RDS instance we have to access manually through DataGrip to access certain data.

This account has been configured with a static access_key in the ~/.aws/credentials, and then has a role_arn in ~/.aws/config. This worked fine in DataGrip with the AWS plugin to allow for IAM login to the RDS instance, until I started working on the new landing zone. Now I get the following error:

[image: error]

The configuration is as follows, which works for a colleague of mine who doesn't currently work on the landing zone as well:

[image: configuration]

I've tried using aws sso logout but that doesn't seem to help.

Edit: After further investigation this morning, it's not unique to DataGrip. Even with AWS CLI (aws-cli/2.17.27 Python/3.11.9 Darwin/23.6.0 source/arm64) I have the following issue: Error loading SSO Token: Token for new-lz does not exist. I've tried clearing the SSO cache in .aws/sso/cache and making sure that the profiles are referencing each other correctly. When I run aws configure list, the old account profile is the one active:

$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     work              env    ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']

This occurs regardless of what profile I have active and action.

2 Answers
1
Accepted Answer

So, I've identified the issue.

At the bottom of my config, my work profile was redefined with SSO. This caused the referenced profile in my sub-account profile to be pointing at the new landing zone instead of the old account.

answered 2 years ago
EXPERT
reviewed 2 years ago
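
The cause described in the accepted answer, a profile name defined twice in ~/.aws/config with the later definition carrying SSO settings, can be checked for mechanically. The following is an added example, not part of the original post: it reports duplicate sections and follows source_profile links to see whether a role profile ends up on an SSO-backed profile. The sample config is constructed; the profile name old-sub, the account IDs, the role name and the start URL are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of ~/.aws/config; "old-sub", the IDs, role name and URL are made up.
SAMPLE_CONFIG = """\
[profile work]
region = eu-west-1

[profile old-sub]
role_arn = arn:aws:iam::111111111111:role/ExampleRole
source_profile = work

[sso-session new-lz]
sso_start_url = https://example.awsapps.com/start

[profile work]
sso_session = new-lz
sso_account_id = 222222222222
"""

def parse_sections(text):
    """Map section name -> [(line_no, {key: value}), ...], keeping every definition."""
    sections, current = defaultdict(list), None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = {}
            sections[header.group(1)].append((line_no, current))
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def duplicate_sections(sections):
    """Sections defined more than once, with the line number of each definition."""
    return {n: [ln for ln, _ in d] for n, d in sections.items() if len(d) > 1}

def sso_in_chain(sections, profile):
    """Follow source_profile links; return the first profile holding any sso_* key."""
    seen = set()
    while profile and profile not in seen:
        seen.add(profile)
        section = "default" if profile == "default" else f"profile {profile}"
        # Union of keys over all definitions, so the result does not depend on
        # how a given tool resolves a redefined section.
        keys = {k: v for _, kv in sections.get(section, []) for k, v in kv.items()}
        if any(k.startswith("sso_") for k in keys):
            return profile
        profile = keys.get("source_profile")
    return None
```

On the sample, duplicate_sections(parse_sections(SAMPLE_CONFIG)) points at lines 1 and 11, and sso_in_chain(..., "old-sub") returns "work", which is the situation the answer describes.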
0

Hello,

The issue arises because DataGrip is attempting to use SSO (Single Sign-On) for connecting to the RDS instance, but SSO is not configured for this account.

To resolve this, follow these steps:

1. Adjust DataGrip Settings: In DataGrip, navigate to the AWS connection settings and ensure that "Use IAM credentials" is selected rather than "Use SSO."

2. Verify IAM Credentials: Confirm that the IAM credentials (access key and secret key) are correctly configured in the ~/.aws/credentials file.

3. Update AWS Configuration: Remove any 'role_arn' settings from the ~/.aws/config file that might be configured for SSO, as they are unnecessary for IAM authentication.

By implementing these changes, DataGrip should use the IAM credentials for connecting to the RDS instance, bypassing the SSO configuration.

EXPERT
answered 2 years ago
  • After further investigation this morning, it's not unique to DataGrip. Even with AWS CLI (aws-cli/2.17.27 Python/3.11.9 Darwin/23.6.0 source/arm64) I have the following issue: Error loading SSO Token: Token for new-lz does not exist. I've tried clearing the SSO cache in .aws/sso/cache and making sure that the profiles are referencing each other correctly. When I run aws configure list, the old account profile is the one active:

    $ aws configure list
          Name                    Value             Type    Location
          ----                    -----             ----    --------
       profile                     work              env    ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']
    
