Add support for AWS SSO

What is the problem you are having with rclone?

Support for AWS SSO was added in AWS SDK for Go v1.37.0 (Release v1.37.0 · aws/aws-sdk-go · GitHub), but rclone does not recognize SSO credentials. The environment variable AWS_PROFILE has been set and the AWS CLI is able to use SSO credentials, but rclone throws an error.

I found a similar forum that concluded once support for SSO was added to the AWS SDK for Go, rclone should be able to use SSO credentials, but this doesn't seem to be the case.

What is your rclone version (output from rclone version)

rclone v1.56.0-beta.5405.6366d3dfc
- os/version: Microsoft Windows 10 Enterprise 2009 (64 bit)
- os/kernel: 10.0.19042.804 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.16.3
- go/linking: dynamic
- go/tags: cmount

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Windows 10, 64 bit

Which cloud storage system are you using? (eg Google Drive)

S3

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone ls s3: -vv

The rclone config contents with secrets removed.

[s3]
type = s3
env_auth = true
region = us-east-1
storage_class = GLACIER
provider = AWS

A log from the command with the -vv flag

C:\Users\User>rclone ls s3: -vv
2021/04/15 13:25:06 DEBUG : Using config file from "C:\\Users\\User\\.config\\rclone\\rclone.conf"
2021/04/15 13:25:06 DEBUG : rclone: Version "v1.56.0-beta.5405.6366d3dfc" starting with parameters ["rclone" "ls" "s3:" "-vv"]
2021/04/15 13:25:06 DEBUG : Creating backend with remote "s3:"
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0x12e0429]

goroutine 66 [running]:
github.com/aws/aws-sdk-go/aws/credentials/stscreds.(*WebIdentityRoleProvider).RetrieveWithContext(0xc000170c60, 0x2179be8, 0xc00003c050, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        github.com/aws/aws-sdk-go@v1.37.3/aws/credentials/stscreds/web_identity_provider.go:111 +0x69
github.com/aws/aws-sdk-go/aws/credentials/stscreds.(*WebIdentityRoleProvider).Retrieve(0xc000170c60, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2bd98cd8, ...)
        github.com/aws/aws-sdk-go@v1.37.3/aws/credentials/stscreds/web_identity_provider.go:104 +0x9d
github.com/aws/aws-sdk-go/aws/credentials.(*ChainProvider).Retrieve(0xc0007c0ff0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        github.com/aws/aws-sdk-go@v1.37.3/aws/credentials/chain_provider.go:75 +0x10b
github.com/aws/aws-sdk-go/aws/credentials.(*Credentials).singleRetrieve(0xc00025b300, 0x2179e18, 0xc000502200, 0x0, 0x0, 0x0, 0x0)
        github.com/aws/aws-sdk-go@v1.37.3/aws/credentials/credentials.go:279 +0x562
github.com/aws/aws-sdk-go/aws/credentials.(*Credentials).GetWithContext.func1(0x0, 0x0, 0x0, 0x0)
        github.com/aws/aws-sdk-go@v1.37.3/aws/credentials/credentials.go:255 +0x91
github.com/aws/aws-sdk-go/internal/sync/singleflight.(*Group).doCall(0xc00025b300, 0xc00004c960, 0x0, 0x0, 0xc00007afc0)
        github.com/aws/aws-sdk-go@v1.37.3/internal/sync/singleflight/singleflight.go:97 +0x35
created by github.com/aws/aws-sdk-go/internal/sync/singleflight.(*Group).DoChan
        github.com/aws/aws-sdk-go@v1.37.3/internal/sync/singleflight/singleflight.go:90 +0x2cc

hello and welcome to the forum,

not sure how this can be a bug. as rclone does not use go1.37.0
rclone v1.55.0 uses go1.16.2
rclone beta uses go1.16.3

Hi, thanks for your quick reply! Sorry for the misunderstanding, support for AWS SSO was added in aws-sdk-go@v1.37.0, and it appears rclone is using aws-sdk-go@v1.37.3 based on the stack trace.

sure,
you can get the go version from rclone version

perhaps change this from a suspected bug template to feature template.
and change the text to Add support for AWS SSO


Thanks, that's done. I was hoping to include a link to the original post that led me to believe this functionality should have worked once support was added to aws-sdk-go, but I'm unable to post links.

Here it is:
t/rclone-and-aws-sso-credentials/18477/8

new rcloners cannot post links.

here is that link
https://forum.rclone.org/t/rclone-and-aws-sso-credentials/18477/8


That is a crash from within the s3 SDK which doesn't bode well!

OK Can you give this a go which is the latest stable s3 sdk

v1.56.0-beta.5410.68e2f7432.fix-s3-sso-crash on branch fix-s3-sso-crash (uploaded in 15-30 mins)

If that works - great! If not, I'll investigate further.

Hi Nick, thanks for looking into this. Unfortunately, your commit with the latest SDK version results in the same error. Please let me know if there's anything else you'd like me to try.

PS C:\> rclone --version
rclone v1.56.0-beta.5410.68e2f7432.fix-s3-sso-crash
- os/version: Microsoft Windows 10 Enterprise 2009 (64 bit)
- os/kernel: 10.0.19042.804 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.16.3
- go/linking: dynamic
- go/tags: cmount
PS C:\> rclone ls s3:
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0x12dc829]

goroutine 12 [running]:
github.com/aws/aws-sdk-go/aws/credentials/stscreds.(*WebIdentityRoleProvider).RetrieveWithContext(0xc000546f29, 0x2162dc4, 0xc00006a020, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        github.com/aws/aws-sdk-go@v1.38.21/aws/credentials/stscreds/web_identity_provider.go:111 +0x69
github.com/aws/aws-sdk-go/aws/credentials/stscreds.(*WebIdentityRoleProvider).Retrieve(0xc000546f29, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2ba17bc0, ...)
        github.com/aws/aws-sdk-go@v1.38.21/aws/credentials/stscreds/web_identity_provider.go:104 +0x9d
github.com/aws/aws-sdk-go/aws/credentials.(*ChainProvider).Retrieve(0xc00025a6f0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        github.com/aws/aws-sdk-go@v1.38.21/aws/credentials/chain_provider.go:75 +0x10b
github.com/aws/aws-sdk-go/aws/credentials.(*Credentials).singleRetrieve(0xc000482760, 0x2386df8, 0xc000245650, 0x0, 0x0, 0x0, 0x0)
        github.com/aws/aws-sdk-go@v1.38.21/aws/credentials/credentials.go:279 +0x562
github.com/aws/aws-sdk-go/aws/credentials.(*Credentials).GetWithContext.func1(0x0, 0x0, 0x0, 0x0)
        github.com/aws/aws-sdk-go@v1.38.21/aws/credentials/credentials.go:255 +0x91
github.com/aws/aws-sdk-go/internal/sync/singleflight.(*Group).doCall(0xc000482760, 0xc000240fc0, 0x0, 0x0, 0xc00031a100)
        github.com/aws/aws-sdk-go@v1.38.21/internal/sync/singleflight/singleflight.go:97 +0x35
created by github.com/aws/aws-sdk-go/internal/sync/singleflight.(*Group).DoChan
        github.com/aws/aws-sdk-go@v1.38.21/internal/sync/singleflight/singleflight.go:90 +0x2cc

I think I've figured out why the SDK was crashing.

I commented out that bit of code - can you try this?

v1.56.0-beta.5417.793ba82a2.fix-s3-sso-crash on branch fix-s3-sso-crash (uploaded in 15-30 mins)

Hi! Some progress, no more crashing. Now it appears that the SDK isn't properly picking up the SSO profile set in my environment variables. The AWS CLI, for example aws s3 ls, is able to pick up the environment variable and use the SSO profile.

I saw "Deprecated." in the error. Is it possible that AWS implemented a different API call for getting credentials and only this newer API supports SSO profiles?

c:\>rclone ls s3: -vv
2021/04/20 12:39:31 DEBUG : Using config file from "C:\\Users\\User\\.config\\rclone\\rclone.conf"
2021/04/20 12:39:31 DEBUG : rclone: Version "v1.56.0-beta.5417.793ba82a2.fix-s3-sso-crash" starting with parameters ["rclone" "ls" "s3:" "-vv"]
2021/04/20 12:39:31 DEBUG : Creating backend with remote "s3:"
2021/04/20 12:39:32 DEBUG : 2 go routines active
2021/04/20 12:39:32 Failed to ls: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

That is good!

As far as I can see rclone casts all the right runes to implement it so I don't know why it isn't working.

No valid providers in the chain is kind of what I was expecting to see - the provider which was crashing was last in the chain.

The provider which is supposed to pick up the AWS_PROFILE is near the start.

One thing you could try is setting the env var AWS_SDK_LOAD_CONFIG to 1. This shouldn't be needed as I'm setting the equivalent of this internally, but it is worth a shot.

I tried setting aws.Config.CredentialsChainVerboseErrors - can you give this a go. It might tell us something interesting!

v1.56.0-beta.5423.6defd328b.fix-s3-sso-crash on branch fix-s3-sso-crash (uploaded in 15-30 mins)

Hi Nick. Thanks so much for your continued attention to this. I have a feeling we are very close. I had a chance to download the source code and play around a bit this evening.

I commented out line 1570 in the s3.go backend rclone/s3.go at fix-s3-sso-crash · rclone/rclone · GitHub and created a session ses as follows:

ses, err := session.NewSessionWithOptions(session.Options{
	SharedConfigState: session.SharedConfigEnable,
	Profile:           "my-sso-profile-name",
})

This worked! Only problem is that I have no idea why. It seems like the value of opt.Profile isn't being set properly based on my environment? I've double checked that the AWS_PROFILE env var is set.

Setting AWS_SDK_LOAD_CONFIG=1 didn't seem to have any change, and no additional debugging information was produced with aws.Config.CredentialsChainVerboseErrors set.

Hopefully something here is helpful...

OK!

Unless you passed in --s3-profile then opt.Profile will be empty.

Can you try

  • your patch with Profile: "" - this should pick up AWS_PROFILE
  • and can you try the original code with --s3-profile my-sso-profile-name

	// Overrides the config profile the Session should be created from. If not
	// set the value of the environment variable will be loaded (AWS_PROFILE,
	// or AWS_DEFAULT_PROFILE if the Shared Config is enabled).
	//
	// If not set and environment variables are not set the "default"
	// (DefaultSharedConfigProfile) will be used as the profile to load the
	// session config from.
	Profile string

	// Instructs how the Session will be created based on the AWS_SDK_LOAD_CONFIG
	// environment variable. By default a Session will be created using the
	// value provided by the AWS_SDK_LOAD_CONFIG environment variable.
	//
	// Setting this value to SharedConfigEnable or SharedConfigDisable
	// will allow you to override the AWS_SDK_LOAD_CONFIG environment variable
	// and enable or disable the shared config functionality.
	SharedConfigState SharedConfigState

So either there is a bug in the SDK not picking up AWS_PROFILE or there is a bug with the configuration chain loader...
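As an added illustration (not rclone's or the AWS SDK's code), the Go below mirrors the profile precedence described in the session.Options comment above and then checks whether the resolved profile is actually declared in a constructed shared config file; the names resolveProfile, profileSections and sampleConfig are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// resolveProfile mirrors the precedence documented on session.Options.Profile:
// an explicit Profile wins, then AWS_PROFILE, then AWS_DEFAULT_PROFILE (only
// when shared config is enabled), and finally "default".
func resolveProfile(explicit string, env map[string]string, sharedConfig bool) string {
	if explicit != "" {
		return explicit
	}
	if p := env["AWS_PROFILE"]; p != "" {
		return p
	}
	if p := env["AWS_DEFAULT_PROFILE"]; sharedConfig && p != "" {
		return p
	}
	return "default"
}

// profileSections returns the profile names declared in an INI-style AWS
// shared file. ~/.aws/config writes non-default profiles as "[profile name]",
// while ~/.aws/credentials writes them as "[name]"; both forms map to "name".
func profileSections(contents string) map[string]bool {
	found := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "[") || !strings.HasSuffix(line, "]") {
			continue
		}
		name := strings.TrimSpace(line[1 : len(line)-1])
		name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
		found[name] = true
	}
	return found
}

// Constructed sample ~/.aws/config for this example, not the poster's real file.
const sampleConfig = "[default]\nregion = us-east-1\n\n[profile my-sso-profile-name]\nregion = us-east-1\n"

func main() {
	env := map[string]string{"AWS_PROFILE": "my-sso-profile-name"}
	p := resolveProfile("", env, true)
	fmt.Println(p, profileSections(sampleConfig)[p]) // my-sso-profile-name true
}
```

If the resolved name is missing from the parsed sections, the shared config loader has nothing to load for that profile, which is the first thing to check when the env var appears to be ignored.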

I just tried this locally. I duplicated the default profile into test in ~/.aws/credentials and then broke the default profile

Default profile is broken

$ rclone lsf --s3-env-auth :s3:
2021/04/21 10:02:46 ERROR : : error listing: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
	status code: 403, request id: DA3WPT0YS9WV21YN, host id: VutSKOv9KsKF1Z2zf+ghYppOWvu0u3Xdjd7mi7N9/YIy9Ac9oImebRijWAfES8X8kK9xaOh8zs0=
2021/04/21 10:02:46 Failed to lsf with 2 errors: last error was: error in ListJSON: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
	status code: 403, request id: DA3WPT0YS9WV21YN, host id: VutSKOv9KsKF1Z2zf+ghYppOWvu0u3Xdjd7mi7N9/YIy9Ac9oImebRijWAfES8X8kK9xaOh8zs0=

test profile is picked up from env var

$ AWS_PROFILE=test rclone lsf --s3-env-auth :s3:
rclone/

test profile is picked up from flag

$ rclone lsf --s3-profile test --s3-env-auth :s3:
rclone/

Exactly which env vars do you have set?

Hello, sorry, I'm seeing the same error trying to copy from s3 bucket to local directory. Maybe someone has some workaround?

Can you describe what you are doing? Also can you show the command line in use, environment variables in use and show your config file (without secrets)?
