
kOps doesn't correctly pick up AWS Identity Center Credentials #15308

Closed
dcrussell opened this issue Apr 12, 2023 · 4 comments · Fixed by #15616
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


dcrussell commented Apr 12, 2023

/kind bug

1. What kops version are you running? The command kops version will display
this information.

1.25.3

2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.

n/a
3. What cloud provider are you using?
aws
4. What commands did you run? What is the simplest way to reproduce this issue?
Trying to follow kOps Getting Started:

kops create cluster --name=${NAME} --cloud=aws --zones=us-west-1a --discovery-store=s3://xxx-xxx-xxx/${NAME}/discovery

5. What happened after the commands executed?

Error: error reading cluster configuration "testcluster.k8s.local": error reading s3://xxx-xxx-xxx/testcluster.k8s.local/config: error connecting to S3: error starting new AWS session: profile "AdministratorAccess-xxxxxxxxxxxx" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

6. What did you expect to happen?
The cluster would be created.

7. Please provide your cluster manifest. Execute
kops get --name my.example.com -o yaml to display your cluster manifest.
You may want to remove your cluster name and other sensitive information.

n/a

8. Please run the commands with most verbose logging by adding the -v 10 flag.
Paste the logs into this report, or in a gist and provide the gist link here.

I0412 10:19:21.954176 1891119 factory.go:83] state store s3://xxx-xxx-xxx
Error: error reading cluster configuration "testcluster.k8s.local": error reading s3://xxx-xxx-xxx/testcluster.k8s.local/config: error connecting to S3: error starting new AWS session: profile "AdministratorAccess-xxxxxxxxxxxx" is configured to use SSO but is missing required configuration: sso_region, sso_start_u

9. Anything else we need to know?
I'm trying to test kOps with AWS Identity Center

AWS .config:

[profile AdministratorAccess-xxxxxxxxxxxx]
sso_session = my-sso
sso_account_id = xxxxxxxxxxxx
sso_role_name = AdministratorAccess
region = us-west-1
output = json
[sso-session my-sso]
sso_start_url = https://start.us-home.awsapps.com/directory/XXXXXXXX
sso_region = us-west-1
sso_registration_scopes = sso:account:access

I've exported the profile name with export AWS_PROFILE=AdministratorAccess-xxxxxxxxxxxx and have confirmed that the AWS CLI works as intended.

This issue in aws-sdk-go seems related as .aws/sso/cache is where my stored credentials are.

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 12, 2023
@jim-barber-he
Contributor

I have more information to add to this issue:

AWS IAM Identity Center (formerly known as AWS SSO) has two ways of being configured.
There's the new recommended way that uses sessions with automatic token refresh: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html
And the old legacy way: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-legacy.html

I have been using the old legacy way with kops for some time and it works.
However I tried switching over to the new recommended configuration and I get the error as shown in the initial report.

Using the legacy config:

$ kops get cluster
NAME		CLOUD	ZONES
test1.he0.io	aws	ap-southeast-2a,ap-southeast-2b,ap-southeast-2c
test2.he0.io	aws	ap-southeast-2a,ap-southeast-2b,ap-southeast-2c

Using the recommended configuration:

$ kops get cluster
Error: error reading state store: error connecting to S3: error starting new AWS session: profile "test" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

Redacted legacy config in ~/.aws/config:

[profile test]
region = ap-southeast-2
sso_account_id = 000000000000
sso_region = ap-southeast-2
sso_role_name = ReadOnly
sso_start_url = https://COMPANY.awsapps.com/start

Redacted recommended config in ~/.aws/config:

[profile test]
region = ap-southeast-2
sso_account_id = 000000000000
sso_role_name = ReadOnly
sso_session = common

[sso-session common]
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access
sso_start_url = https://COMPANY.awsapps.com/start

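The comment above contrasts the legacy layout (sso_region and sso_start_url inline in the profile) with the recommended layout (a profile pointing at an [sso-session NAME] section). The following Go program is an added illustration, not kOps or aws-sdk-go code: it parses both redacted configs from this thread (embedded as constructed sample text), resolves the SSO settings for profile "test", and shows why a resolver that never follows sso_session produces exactly the "missing required configuration: sso_region, sso_start_url" error reported here. The function names resolveSSO and parseINI and the followSession switch are this example's own, not the SDK's API.

```go
package main

import (
	"fmt"
	"strings"
)

// SSOConfig holds the values a client needs to start an IAM Identity Center flow.
type SSOConfig struct {
	SSORegion string
	StartURL  string
	AccountID string
	RoleName  string
}

// Constructed sample configs, mirroring the redacted ones posted in this thread.
const legacyConfig = `
[profile test]
region = ap-southeast-2
sso_account_id = 000000000000
sso_region = ap-southeast-2
sso_role_name = ReadOnly
sso_start_url = https://COMPANY.awsapps.com/start
`

const sessionConfig = `
[profile test]
region = ap-southeast-2
sso_account_id = 000000000000
sso_role_name = ReadOnly
sso_session = common

[sso-session common]
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access
sso_start_url = https://COMPANY.awsapps.com/start
`

// parseINI splits an AWS-style config into sections keyed by their full header
// text, e.g. "profile test" or "sso-session common".
func parseINI(text string) map[string]map[string]string {
	sections := map[string]map[string]string{}
	var cur map[string]string
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			sections[strings.TrimSpace(line[1:len(line)-1])] = cur
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok && cur != nil {
			cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return sections
}

// resolveSSO resolves SSO settings for a profile. With followSession=false it
// behaves like a resolver that only knows the legacy layout (hypothetical model
// of the pre-v1.44.298 SDK); with followSession=true it also reads the
// referenced [sso-session NAME] section for sso_region and sso_start_url.
func resolveSSO(cfgText, profile string, followSession bool) (SSOConfig, error) {
	sections := parseINI(cfgText)
	p, ok := sections["profile "+profile]
	if !ok {
		return SSOConfig{}, fmt.Errorf("profile %q not found", profile)
	}
	out := SSOConfig{SSORegion: p["sso_region"], StartURL: p["sso_start_url"],
		AccountID: p["sso_account_id"], RoleName: p["sso_role_name"]}
	sess := p["sso_session"]
	if sess == "" && out.AccountID == "" && out.RoleName == "" && out.SSORegion == "" && out.StartURL == "" {
		return SSOConfig{}, fmt.Errorf("profile %q is not configured for SSO", profile)
	}
	if sess != "" && followSession {
		s, ok := sections["sso-session "+sess]
		if !ok {
			return SSOConfig{}, fmt.Errorf("profile %q references missing sso-session %q", profile, sess)
		}
		if out.SSORegion == "" {
			out.SSORegion = s["sso_region"]
		}
		if out.StartURL == "" {
			out.StartURL = s["sso_start_url"]
		}
	}
	var missing []string
	if out.SSORegion == "" {
		missing = append(missing, "sso_region")
	}
	if out.StartURL == "" {
		missing = append(missing, "sso_start_url")
	}
	if len(missing) > 0 {
		return SSOConfig{}, fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
			profile, strings.Join(missing, ", "))
	}
	return out, nil
}

func main() {
	cases := []struct {
		name   string
		cfg    string
		follow bool
	}{
		{"legacy config, legacy-only resolver", legacyConfig, false},
		{"sso-session config, legacy-only resolver", sessionConfig, false},
		{"sso-session config, session-aware resolver", sessionConfig, true},
	}
	for _, tc := range cases {
		c, err := resolveSSO(tc.cfg, "test", tc.follow)
		if err != nil {
			fmt.Printf("%-44s error: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-44s ok: region=%s start_url=%s\n", tc.name, c.SSORegion, c.StartURL)
	}
}
```

Running it prints a success line for the legacy config, the thread's error for the sso-session config under the legacy-only resolver, and a success line once the resolver follows the session reference. The point for operators is that the keys the error names are not absent from the file; they live in a section the older resolver never consulted.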
@jim-barber-he
Contributor

Further to this, it seems aws-sdk-go doesn't support the new sso-session syntax in the configuration
aws/aws-sdk-go#4649

The case above suggests that the newer aws-sdk-go-v2 does.
That can be found at the following link:
https://github.com/aws/aws-sdk-go-v2

Porting from the old to the new looks like it could be a lot of work.
https://aws.github.io/aws-sdk-go-v2/docs/migrating/

@jim-barber-he
Contributor

This release of aws-sdk-go has added support for sso-session
https://github.com/aws/aws-sdk-go/releases/tag/v1.44.298

@johngmyers
Member

FYI, I find https://github.com/synfinatic/aws-sso-cli much better than the native AWS SDK for dealing with AWS IAM Identity Center.
