#11532 AWS cli token
Closed: Fixed with Explanation a year ago by kevin. Opened 2 years ago by tflink.

Describe what you would like us to do:


I currently have access to EC2 through the aws-qa group. I'd like to start managing EC2 instances for ROCm testing through ansible/cli but I do not have the proper credentials.

From the aws-access docs, it sounds like I need to request these credentials separately. This is my request for those credentials.

If I've misunderstood something and need to retrieve those credentials from the AWS console, I would appreciate a pointer to how I would go about doing that as I've not been able to get that to work so far.

When do you need this to be done by? (YYYY/MM/DD)


2023/09/22 would be nice but it's not horribly urgent.


Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: aws, cloud, low-gain, low-trouble, ops

2 years ago

We can do this, but I am wondering if there's some way to use our SAML2 provider to get a role token... but I am not sure if that's possible.

I'll look into it again. The non-Fedora AWS docs I found before seemed to be directing me to dashboards/controls I don't have access to in order to get cli credentials.

From what I can understand in the AWS docs, I think that I need one of two things in order to get aws cli access with my current role.

One is the START url which is part of the aws cli sso init process. Amazon is delightfully coy about how to actually find this url, but Stack Overflow claims that you need some higher-level permissions to access the value. Is this URL documented anywhere? Alternately, is the aws organization name documented anywhere? There is mention of using {my-organization}.awsapp.com/start#/ but I don't know what our AWS organization name is.

I tried using the SAML url in the Fedora docs but that just gave me an error:

$ aws configure sso
SSO start URL [None]: https://id.fedoraproject.org/saml2/SSO/Redirect?SPIdentifier=urn:amazon:webservices&RelayState=https://console.aws.amazon.com
SSO Region [None]: us-east-1

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation: 

The other possibility I found is to have the PowerUserAccess role. (see "I already have access to AWS through a federated identity provider managed by my employer (such as Azure AD or Okta)" on this page of AWS docs about token providers)

Sign in to AWS through your identity provider’s portal. If your Cloud Administrator has granted you PowerUserAccess (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.

Custom implementations might result in different experiences, such as different permission set names. If you're not sure which permission set to use, contact your IT team for help.
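The "use our SAML2 provider to get a role token" idea raised above is what STS's AssumeRoleWithSAML API does: the IdP's SAML assertion is posted to STS, which returns temporary keys (access key id, secret, session token) that can be written into an ~/.aws/credentials profile for the CLI and Ansible. The example below is added here and is not code from the ticket or from Fedora infrastructure. The assertion text, the account id 123456789012, the role names aws-qa/aws-admin, the provider name fedora-idp and the profile name qa-saml are all constructed placeholders; the attribute names and the ASIA/AKIA key prefixes are real AWS conventions.

```python
"""Added example (not from the ticket): turn a SAML assertion into the
parameters for STS AssumeRoleWithSAML and render the temporary credentials
it returns as an ~/.aws/credentials profile."""
import base64
import xml.etree.ElementTree as ET
from configparser import ConfigParser
from io import StringIO

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed assertion (hypothetical account id, role and provider names).
# A real one is signed by the IdP; STS validates that signature, we do not.
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/aws-qa,arn:aws:iam::123456789012:saml-provider/fedora-idp</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/fedora-idp,arn:aws:iam::123456789012:role/aws-admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attribute_values(root, name):
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            return [(v.text or "").strip()
                    for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return []


def parse_roles(assertion_xml):
    """Return (role_arn, principal_arn) pairs from the Role attribute.
    AWS accepts the two ARNs in either order, so pick them by type."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for value in _attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role value: {value!r}")
        role = next(p for p in parts if ":role/" in p)
        principal = next(p for p in parts if ":saml-provider/" in p)
        pairs.append((role, principal))
    return pairs


def assume_role_with_saml_params(assertion_xml, role_name):
    """Keyword arguments for boto3's sts.assume_role_with_saml()."""
    root = ET.fromstring(assertion_xml)
    for role_arn, principal_arn in parse_roles(assertion_xml):
        if role_arn.rsplit("/", 1)[1] != role_name:
            continue
        params = {
            "RoleArn": role_arn,
            "PrincipalArn": principal_arn,
            # STS wants the raw assertion XML, base64-encoded.
            "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode(),
        }
        duration = _attribute_values(root, DURATION_ATTR)
        if duration:
            params["DurationSeconds"] = int(duration[0])
        return params
    raise LookupError(f"assertion grants no role named {role_name!r}")


def render_credentials_profile(profile, creds):
    """Format the Credentials dict STS returns as a credentials-file profile.
    Temporary keys start with ASIA and carry a session token and expiry;
    long-lived IAM-user keys (AKIA...) have neither, which is why handing
    them out is the less attractive option."""
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("expected temporary (ASIA...) credentials from STS")
    cp = ConfigParser()
    cp[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    params = assume_role_with_saml_params(CONSTRUCTED_ASSERTION, "aws-qa")
    print(params["RoleArn"], params["PrincipalArn"])
    # Live call (network; AssumeRoleWithSAML itself needs no AWS credentials):
    # creds = boto3.client("sts").assume_role_with_saml(**params)["Credentials"]
    # print(render_credentials_profile("qa-saml", creds))
```

Getting the assertion in the first place means completing the IdP login and capturing the SAMLResponse form field the IdP posts to https://signin.aws.amazon.com/saml (tools such as saml2aws automate exactly that step); the device-authorization flow behind `aws configure sso` only works against an IAM Identity Center start URL, which is why feeding the SAML redirect URL to it fails.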

Yeah, I think that's if you are using Amazon's SSO, but not clear. ;(

@davdunc or @dustymabe any ideas here? I looked at the awscli2 docs for a bit, but it just confused me more. ;(

I mostly use access key and secret. Don't have much experience trying to use SSO with the AWS CLI.

OK, so perhaps we just use the old way for now until we sort this out. ;)

I can try and do that soon...

Metadata Update from @kevin:
- Issue assigned to kevin

a year ago

OK. Sorry for the long delay here.

I created a 'qa' user that has the same role as your web one and put its access keys in ~tflink/aws-cli-qa on batcave01.

Let us know if you run into any problems with it or need anything further.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

a year ago
