Description
I was trying to use AWS SSO to access files on S3 from my development machine. I looked at the other issues previously opened for this and tried to use the information there to resolve it, but no luck so far. So I'm reaching out for a bit more guidance.
First I run SSO login to make sure I have fresh credentials:
$ aws sso login --profile dev
Successfully logged into Start URL: https://xxx.awsapps.com/start#
This is my redacted config:
$ cat ~/.aws/config
[profile dev]
sso_session = xxx
sso_account_id = xxx
sso_role_name = xxx
region = us-east-1
output = json
[sso-session Formative]
sso_start_url = https://xxx.awsapps.com/start#
sso_region = us-east-1
sso_registration_scopes = sso:account:access
I run duckdb, you can see the version in the prompt:
$ duckdb
v1.1.3 19864453f7
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
I create the credentials per the documentation:
D CREATE OR REPLACE SECRET s3 (TYPE S3, PROVIDER CREDENTIAL_CHAIN, PROFILE 'dev');
100% ▕████████████████████████████████████████████████████████████▏
┌─────────┐
│ Success │
│ boolean │
├─────────┤
│ true │
└─────────┘
I try to use an S3 operation that requires permissions:
D SELECT filename, last_modified FROM read_text('s3://bucket/path/*.js');
HTTP Error: HTTP GET error on '/?encoding-type=url&list-type=2&prefix=js%2Fvnd%2Fi18next%2F' (HTTP 403)
Now I check whether the secret was created with credentials in it; it was not:
D SELECT * FROM duckdb_secrets();
┌─────────┬─────────┬──────────────────┬────────────┬─────────┬─────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ name │ type │ provider │ persistent │ storage │ scope │ secret_string │
│ varchar │ varchar │ varchar │ boolean │ varchar │ varchar[] │ varchar │
├─────────┼─────────┼──────────────────┼────────────┼─────────┼─────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ s3 │ s3 │ credential_chain │ false │ memory │ [s3://, s3n://, s3a://] │ name=s3;type=s3;provider=credential_chain;serializable=true;scope=s3://,s3n://,s3a://;endpoint=s3.amazonaws.com;region=us-east-1 │
└─────────┴─────────┴──────────────────┴────────────┴─────────┴─────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Just getting the extension versions for reference:
D SELECT * FROM duckdb_extensions();
┌──────────────────┬─────────┬───────────┬─────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┬───────────────────┬───────────────────┬───────────────────┬────────────────┐
│ extension_name │ loaded │ installed │ install_path │ description │ aliases │ extension_version │ install_mode │ installed_from │
│ varchar │ boolean │ boolean │ varchar │ varchar │ varchar[] │ varchar │ varchar │ varchar │
├──────────────────┼─────────┼───────────┼─────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼───────────────────┼───────────────────┼───────────────────┼────────────────┤
│ arrow │ false │ false │ │ A zero-copy data integration between Apache Arrow and DuckDB │ [] │ │ │ │
│ autocomplete │ true │ true │ (BUILT-IN) │ Adds support for autocomplete in the shell │ [] │ │ STATICALLY_LINKED │ │
│ aws │ true │ true │ /home/dobes/snap/duckdb/9/.duckdb/extensions/v1.1.3/linux_amd64_gcc4/aws.duckdb_extension │ Provides features that depend on the AWS SDK │ [] │ f743d4b │ REPOSITORY │ core │
│ azure │ false │ false │ │ Adds a filesystem abstraction for Azure blob storage to DuckDB │ [] │ │ │ │
│ delta │ false │ false │ │ Adds support for Delta Lake │ [] │ │ │ │
│ excel │ false │ false │ │ Adds support for Excel-like format strings │ [] │ │ │ │
│ fts │ true │ true │ (BUILT-IN) │ Adds support for Full-Text Search Indexes │ [] │ v1.1.3 │ STATICALLY_LINKED │ │
│ httpfs │ true │ true │ /home/dobes/snap/duckdb/9/.duckdb/extensions/v1.1.3/linux_amd64_gcc4/httpfs.duckdb_extens… │ Adds support for reading and writing files over a HTTP(S) connection │ [http, https, s3] │ v1.1.3 │ REPOSITORY │ core │
│ iceberg │ false │ false │ │ Adds support for Apache Iceberg │ [] │ │ │ │
│ icu │ true │ true │ (BUILT-IN) │ Adds support for time zones and collations using the ICU library │ [] │ v1.1.3 │ STATICALLY_LINKED │ │
│ inet │ false │ false │ │ Adds support for IP-related data types and functions │ [] │ │ │ │
│ jemalloc │ true │ true │ (BUILT-IN) │ Overwrites system allocator with JEMalloc │ [] │ v1.1.3 │ STATICALLY_LINKED │ │
│ json │ true │ true │ (BUILT-IN) │ Adds support for JSON operations │ [] │ v1.1.3 │ STATICALLY_LINKED │ │
│ motherduck │ false │ false │ │ Enables motherduck integration with the system │ [md] │ │ │ │
│ mysql_scanner │ false │ false │ │ Adds support for connecting to a MySQL database │ [mysql] │ │ │ │
│ parquet │ true │ true │ (BUILT-IN) │ Adds support for reading and writing parquet files │ [] │ v1.1.3 │ STATICALLY_LINKED │ │
│ postgres_scanner │ false │ false │ │ Adds support for connecting to a Postgres database │ [postgres] │ │ │ │
│ shell │ true │ true │ │ Adds CLI-specific support and functionalities │ [] │ │ STATICALLY_LINKED │ │
│ spatial │ false │ false │ │ Geospatial extension that adds support for working with spatial data and functions │ [] │ │ │ │
│ sqlite_scanner │ false │ false │ │ Adds support for reading and writing SQLite database files │ [sqlite, sqlite3] │ │ │ │
│ substrait │ false │ false │ │ Adds support for the Substrait integration │ [] │ │ │ │
│ tpcds │ false │ false │ │ Adds TPC-DS data generation and query support │ [] │ │ │ │
│ tpch │ true │ true │ (BUILT-IN) │ Adds TPC-H data generation and query support │ [] │ v1.1.3 │ STATICALLY_LINKED │ │
│ vss │ false │ false │ │ Adds indexing support to accelerate Vector Similarity Search │ [] │ │ │ │
├──────────────────┴─────────┴───────────┴─────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┴───────────────────┴───────────────────┴───────────────────┴────────────────┤
│ 24 rows 9 columns │
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
I thought I'd try to update to nightly, but it doesn't work:
D force install aws from core_nightly;
HTTP Error: Failed to download extension "aws" at URL "http://nightly-extensions.duckdb.org/v1.1.3/linux_amd64_gcc4/aws.duckdb_extension.gz" (HTTP 403)
Extension "aws" is an existing extension.
Afterwards I had a couple ideas that I hoped would help:
- My AWS profile uses sso_session, which isn't supported by the kubernetes command line tools, so I thought maybe duckdb might also not support it. However, switching to a profile that doesn't use sso_session didn't fix the issue.
- I initially installed it using snap and I wondered if maybe duckdb was running in a sandbox and couldn't access my AWS credentials. I uninstalled and reinstalled using the ZIP file and it did not fix the issue.
My understanding is that I can probably export temporary credentials to an env file and use it (or something along those lines), but I thought maybe I should open an issue and see if this more convenient option can be made to work.
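The two checks made by hand in the report, as an added example (not part of the original report and not DuckDB or AWS code): `check_sso_profile` verifies that a profile's SSO settings in `~/.aws/config` are internally consistent, and `secret_has_credentials` tests whether a `secret_string` from `duckdb_secrets()` carries a resolved key. The function names and the sample config are constructed, and the `key_id` field name for a resolved S3 secret is an assumption.

```python
import configparser

PROFILE_KEYS = ("sso_account_id", "sso_role_name")
SESSION_KEYS = ("sso_start_url", "sso_region")

# Constructed sample: the profile points at a session name that is not defined.
SAMPLE = """\
[profile dev]
sso_session = main
sso_account_id = 111111111111
sso_role_name = ReadOnly
region = us-east-1
[sso-session corp]
sso_start_url = https://example.awsapps.com/start#
sso_region = us-east-1
"""

def check_sso_profile(config_text, profile):
    """Return a list of problems with one SSO profile in AWS config text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cp.has_section(section):
        return [f"no [{section}] section"]
    prof = cp[section]
    problems = [f"[{section}] missing {k}" for k in PROFILE_KEYS if k not in prof]
    session = prof.get("sso_session")
    if session is None:
        # Legacy layout: start URL and region are set on the profile itself.
        return problems + [f"[{section}] missing {k}" for k in SESSION_KEYS if k not in prof]
    target = f"sso-session {session}"
    if not cp.has_section(target):
        # Section names are matched exactly, including case.
        known = [s.split(" ", 1)[1] for s in cp.sections() if s.startswith("sso-session ")]
        return problems + [f"sso_session = {session!r} has no [{target}] section (defined: {known})"]
    return problems + [f"[{target}] missing {k}" for k in SESSION_KEYS if k not in cp[target]]

def secret_has_credentials(secret_string):
    """True if a duckdb_secrets() secret_string lists a key_id field (assumed name)."""
    fields = dict(p.split("=", 1) for p in secret_string.split(";") if "=" in p)
    return "key_id" in fields

if __name__ == "__main__":
    for problem in check_sso_profile(SAMPLE, "dev"):
        print(problem)
```
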