aws sso login failed on WSL2 #8516

Closed
andrei-panov opened this issue Jan 31, 2024 · 7 comments
Labels: bug, credential-provider, p2

andrei-panov commented Jan 31, 2024

Describe the bug

I did the setup according to the documentation: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso-session

Expected Behavior

Expected aws sso to authorize me.

Current Behavior

❯ aws sso login --debug --sso-session my-sso
2024-01-31 11:30:40,644 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22
2024-01-31 11:30:40,644 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['sso', 'login', '--debug', '--sso-session', 'my-sso']
2024-01-31 11:30:40,651 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x7f602b112ac0>
2024-01-31 11:30:40,651 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x7f602b93a980>
2024-01-31 11:30:40,651 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f602bdb8cc0>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f602bdba340>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x7f602b119580>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x7f602b98d3a0>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x7f602b119440>
2024-01-31 11:30:40,652 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7f602b1cc850>>
2024-01-31 11:30:40,652 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/data/cli.json
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x7f602b536de0>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x7f602b537100>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x7f602b537060>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x7f602b537240>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x7f602b5371a0>
2024-01-31 11:30:40,654 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x7f602b1c5bc0>
2024-01-31 11:30:40,655 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off
2024-01-31 11:30:40,655 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['sso', 'login', '--debug', '--sso-session', 'my-sso']
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7f602b113420>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f602c12a2a0>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7f602b18ed40>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7f602c534ae0>
2024-01-31 11:30:40,655 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f602c139bc0>
2024-01-31 11:30:40,657 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2024-01-31 11:30:40,658 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f602b969c60>
2024-01-31 11:30:40,658 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7f602b916c00>
2024-01-31 11:30:40,664 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/sso/2019-06-10/service-2.json
2024-01-31 11:30:40,664 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso: calling handler <function add_sso_commands at 0x7f602b915120>
2024-01-31 11:30:40,665 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso: calling handler <function add_waiters at 0x7f602b119440>
2024-01-31 11:30:40,671 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7f602b1cc850>>
2024-01-31 11:30:40,671 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso_login: calling handler <function add_waiters at 0x7f602b119440>
2024-01-31 11:30:40,671 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso_login: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7f602b1cc850>>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.login.no-browser: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f602b1cd610>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.login: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f602c555950>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.login.sso-session: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f602b1cd610>
2024-01-31 11:30:40,672 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.login: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f602c555950>
2024-01-31 11:30:40,673 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/endpoints.json
2024-01-31 11:30:40,684 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f602e9760c0>
2024-01-31 11:30:40,684 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/sso-oidc/2019-06-10/service-2.json
2024-01-31 11:30:40,690 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/sso-oidc/2019-06-10/endpoint-rule-set-1.json
2024-01-31 11:30:40,691 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/data/partitions.json
2024-01-31 11:30:40,691 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.sso-oidc: calling handler <function add_generate_presigned_url at 0x7f602edc00e0>
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: environment_service
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: environment_global
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: config_service
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for sso-oidc via: config_global
2024-01-31 11:30:40,691 - MainThread - botocore.configprovider - DEBUG - No configured endpoint found.
2024-01-31 11:30:40,693 - MainThread - botocore.endpoint - DEBUG - Setting oidc timeout as (60, 60)
2024-01-31 11:30:40,695 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'eu-central-1', 'UseDualStack': False, 'UseFIPS': False}
2024-01-31 11:30:40,695 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://oidc.eu-central-1.amazonaws.com
2024-01-31 11:30:40,695 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.sso-oidc.StartDeviceAuthorization: calling handler <function base64_decode_input_blobs at 0x7f602b18ede0>
2024-01-31 11:30:40,695 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.sso-oidc.StartDeviceAuthorization: calling handler <function generate_idempotent_uuid at 0x7f602e994400>
2024-01-31 11:30:40,695 - MainThread - botocore.hooks - DEBUG - Event before-call.sso-oidc.StartDeviceAuthorization: calling handler <function inject_api_version_header_if_needed at 0x7f602e995ee0>
2024-01-31 11:30:40,696 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=StartDeviceAuthorization) with params: {'url_path': '/device_authorization', 'query_string': {}, 'method': 'POST', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off command/sso.login'}, 'body': b'{"clientId": "Ww.....CUTT", "clientSecret": "eyJraWQiOiJr.........CUT", "startUrl": "https://gardener-live.accounts.ondemand.com/saml2/idp/sso?sp=iaas-aws-live"}', 'url': 'https://oidc.eu-central-1.amazonaws.com/device_authorization', 'context': {'client_region': 'eu-central-1', 'client_config': <botocore.config.Config object at 0x7f602911cfd0>, 'has_streaming_input': False, 'auth_type': 'none'}}
2024-01-31 11:30:40,696 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.StartDeviceAuthorization: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f6029d408d0>>
2024-01-31 11:30:40,696 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso-oidc.StartDeviceAuthorization: calling handler <function set_operation_specific_signer at 0x7f602e9942c0>
2024-01-31 11:30:40,696 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://oidc.eu-central-1.amazonaws.com/device_authorization, headers={'Content-Type': b'application/json', 'User-Agent': b'aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off command/sso.login', 'Content-Length': '2219'}>
2024-01-31 11:30:40,696 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/v2/2.15.15/dist/awscli/botocore/cacert.pem
2024-01-31 11:30:40,696 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): oidc.eu-central-1.amazonaws.com:443
2024-01-31 11:30:41,085 - MainThread - urllib3.connectionpool - DEBUG - https://oidc.eu-central-1.amazonaws.com:443 "POST /device_authorization HTTP/1.1" 400 65
2024-01-31 11:30:41,085 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 31 Jan 2024 10:30:45 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'a12f9806-0678-4073-8b44-4d77be9e8df2', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2024-01-31 11:30:41,085 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2024-01-31 11:30:41,086 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 31 Jan 2024 10:30:45 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'a12f9806-0678-4073-8b44-4d77be9e8df2', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2024-01-31 11:30:41,086 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2024-01-31 11:30:41,086 - MainThread - botocore.hooks - DEBUG - Event needs-retry.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7f602911edd0>>
2024-01-31 11:30:41,086 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2024-01-31 11:30:41,086 - MainThread - botocore.hooks - DEBUG - Event after-call.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7f602911e810>>
2024-01-31 11:30:41,087 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli/clidriver.py", line 460, in main
  File "awscli/clidriver.py", line 595, in __call__
  File "awscli/customizations/commands.py", line 205, in __call__
  File "awscli/customizations/sso/login.py", line 47, in _run_main
  File "awscli/customizations/sso/utils.py", line 72, in do_sso_login
  File "awscli/botocore/utils.py", line 3259, in fetch_token
  File "awscli/botocore/utils.py", line 3244, in _token
  File "awscli/botocore/utils.py", line 3159, in _poll_for_token
  File "awscli/botocore/utils.py", line 3136, in _authorize_client
  File "awscli/botocore/client.py", line 357, in _api_call
  File "awscli/botocore/client.py", line 724, in _make_api_call
botocore.errorfactory.InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

Reproduction Steps

❯ aws configure sso-session
SSO session name: my-sso
SSO start URL [None]: https://gardener-live.accounts.ondemand.com/saml2/idp/sso?sp=iaas-aws-live
SSO region [None]: eu-central-1
SSO registration scopes [sso:account:access]:

Completed configuring SSO session: my-sso
Run the following to login and refresh access token for this session:

aws sso login --sso-session my-sso

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.15.15 Python/3.11.6 Linux/5.15.133.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off

Environment details (OS name and version, etc.)

WSL2 (Ubuntu 22.04.3 LTS), Windows 11

@andrei-panov andrei-panov added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 31, 2024

kyoh86 commented Mar 23, 2024

I have encountered similar problems.
I noticed that xdg-open, which should not be available in WSL, has been installed, and that AWS-CLI is calling xdg-open and losing response.
So I uninstalled xdg-open and solved the problem.
I hope this helps to solve the problem.

asaf400 commented Apr 15, 2024

@kyoh86 Thanks, uninstalling xdg-open via yum remove xdg-utils worked for me after multiple other attempts to make it work.

What I tried before:
For some reason, under my WSL2 Fedora 39, any xdg command hangs indefinitely, and even trying to override it by creating /root/.local/bin/xdg-open with content:

#!/bin/sh
exec /usr/bin/gio open "$@"

didn't help.
wslu is installed as well,
bin/gio is part of glib2,
and to set its browser: gio mime x-scheme-handler/https chrome.exe.desktop, located here: /usr/share/applications/chrome.exe.desktop

@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this May 7, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added investigating This issue is being investigated and/or work is in progress to resolve the issue. credential-provider p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels May 7, 2024
kellertk (Member) commented May 7, 2024

This is an artifact of running under WSL2. On regular Linux, xdg-open tries to open a link in the user's default browser, but usually there is no browser app installed in the WSL environment to open. You can get around this by setting a BROWSER environment variable, such as

export BROWSER='/mnt/c/Users/kellertk/AppData/Local/Google/Chrome/Application/chrome'

Now xdg-open works as expected. You can add this to your ~/.bashrc, or you can simply uninstall xdg-utils.

@kellertk kellertk added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels May 7, 2024
Irene2k11 commented

> This is an artifact of running under WSL2. On regular Linux, xdg-open tries to open a link in the user's default browser, but usually there is no browser app installed in the WSL environment to open. You can get around this by setting a BROWSER environment variable, such as
>
> export BROWSER='/mnt/c/Users/kellertk/AppData/Local/Google/Chrome/Application/chrome'
>
> Now xdg-open works as expected. You can add this to your ~/.bashrc, or you can simply uninstall xdg-utils.

This is how I used to do it in Fedora 35 and earlier versions all around, but something in recent versions of something became incompatible; even xdg-settings (get|set) default-web-browser hangs.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 8, 2024
RyanFitzSimmonsAK (Contributor) commented

Closing as this isn't a bug with the CLI; follow the workaround mentioned above.

ashovlin (Member) commented

For future visitors, we also have the --no-browser option which will print a link that you can click or copy/paste without attempting to open it automatically.
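
The workarounds from this thread combined into one wrapper, as an added example that is not part of any comment above or of the AWS CLI: on WSL with xdg-open installed and no usable BROWSER, it falls back to the --no-browser option. The function names, and treating a kernel release containing "microsoft" as WSL, are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread or the AWS CLI project).
# Decides whether `aws sso login` should skip launching a browser.

# is_wsl KERNEL_RELEASE
# Assumption: WSL kernels carry "microsoft" in `uname -r`, as in the
# issue's debug log ("5.15.133.1-microsoft-standard-WSL2").
is_wsl() {
    case "$1" in
        *[Mm]icrosoft*) return 0 ;;
        *) return 1 ;;
    esac
}

# sso_login_flags KERNEL_RELEASE BROWSER_VALUE HAS_XDG_OPEN(yes|no)
# Prints "--no-browser" when the conditions reported in the thread are
# present, otherwise prints nothing.
sso_login_flags() {
    kernel=$1; browser=$2; has_xdg=$3

    # Regular Linux: keep the CLI's default behaviour.
    is_wsl "$kernel" || return 0

    # Commenters report login works once xdg-open is absent.
    [ "$has_xdg" = yes ] || return 0

    # A BROWSER that resolves to a command is the other workaround.
    # Only a single command or path is checked, not a colon-separated list.
    if [ -n "$browser" ] && command -v "$browser" >/dev/null 2>&1; then
        return 0
    fi

    printf '%s\n' '--no-browser'
}

# sso_login SESSION_NAME
# Hypothetical wrapper: inspects the live environment, then calls the CLI.
# Usage: sso_login my-sso
sso_login() {
    session=$1
    has_xdg=no
    command -v xdg-open >/dev/null 2>&1 && has_xdg=yes
    flag=$(sso_login_flags "$(uname -r)" "${BROWSER:-}" "$has_xdg")
    # $flag is deliberately unquoted: empty must expand to no argument.
    aws sso login $flag --sso-session "$session"
}
```

With --no-browser the CLI prints the sign-in link instead of opening it, so the link can be pasted into a browser on the Windows side.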
