Use AWS SSO on sls

Hello, I had configured SSO on my AWS accounts and I’m using the AWS CLI with it, and everything works fine. My problem now is that when I try to use the Serverless Framework, it looks like sls doesn’t find the profiles configured with SSO, because they are not in the /.aws/credentials file; SSO uses access tokens to generate those temp credentials, with the tokens stored in /.aws/sso/cache/****.json

Is there a way to use SSO with sls? I would like to run the command ‘serverless deploy --stage dev’ and have sls generate the new credentials if necessary.

The error I’m getting:
Error: Profile dev-profile does not exist
at Object.addProfileCredentials (lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:101:15)

2 Likes

Did you do it with Cognito? I could connect and use SSO with Kotlin, but without sls.

1 Like

I guess it’s a side effect of how you are logging into SSO?

With Google AWS SSO, this CLI worked for me.

1 Like

I’m having the same issue. I’m working with 15+ AWS accounts and I’m logging in through the CLI with:
aws sso login --profile profileName

Does anyone have a clue on how to tell serverless to work with AWS SSO?

2 Likes

For now the only solution I have is to log in with SSO on the web page and import the temp credentials in the terminal.

1 Like

As far as I understand, sls is looking for the credentials in the /.aws/credentials file, and when you log in using SSO the credentials aren’t there. They are created on the fly using an API.
I don’t fully understand what you are using. Is gsts a replacement for the AWS CLI? Because my problem is with sls, not with the AWS CLI; if I use the AWS CLI directly it works fine.

1 Like

Yes, you are right. It seems that sls does not support AWS SSO credentials.

That could be related or not?

1 Like

Hi. I had the same problem with Terraform. I made a help util to setup profiles in ~/.aws/credentials from SSO for me, https://github.com/PredictMobile/aws-sso-credentials-getter.

1 Like

Just in case someone is facing the same error, what I’m doing for now is copying and pasting the “Command line or programmatic access” variables that AWS gives you (just next to the “Management console” link). Those have some expiration time, so you will need to do this each time you need to do something in the terminal, but it is not a big security risk. Anyway, it would be awesome to have this working correctly with SSO.

I would love to have this working natively. As a workaround, I’m currently using ‘yawsso’ to sync SSO credentials. Works pretty well for multiple profiles.

The issue was opened: https://github.com/serverless/serverless/issues/7567

And it seems that depends on an AWS issue: https://github.com/aws/aws-sdk-js/issues/2772

It looks like we will have to wait for a native solution…

1 Like

Hello guys! Maybe you can check this project: https://github.com/Noovolari/leapp

It is not a solution per se to this issue, but it’s a third-party tool to help make AWS SSO compatible with AWS CLI v2 as well as many other tools that manage temporary credentials. It connects with your AWS SSO, getting all your accounts and roles, then it creates temporary credentials and stores them in .aws/credentials instead of the default AWS SSO path, which is often not read by libraries or SDKs.

1 Like

Hi! Very useful and clear!
Thanks!

Didn’t work for me. I have Ubuntu. This package only throws the error Profile not found.
After installing, I used it as: ssocred default

I have followed all the methods explained in the above thread but with no success. Does anyone here have a solution/workaround for this with clear steps?
Thanks.

According to this discussion Issue #7567, sls doesn’t support aws SSO natively, and serverless-better-credentials plugin is the best workaround so far.

According to the latest replies to the github issue shared above, the best solution so far is to use a plugin

I actually have not had luck with Serverless-better-credentials; it would not work for me without manually copying the necessary AWS creds to the .aws/credentials file.

What did work for me was this utility: aws-sso-creds-helper (npm). Once installed, just run the command and it will copy the necessary info to the credentials file; then serverless will behave as expected. So, the following:

  • aws sso login
  • ssocreds -p default
  • serverless deploy --aws-profile default

At least this is what has solved this issue for me as of 5/5/23.

Hi Rhineb,

I ran into the same issue as you before. In my case, I was using aws configure sso, and in ~/.aws/config I had an sso_session in my profile.

After removing the sso_session (& ~/.aws/credentials if it existed), Serverless-better-credentials works for me.

Hope this helps.

This comment on the Issue in the Serverless Repo was most helpful. I ended up adding a “deploy” script that utilizes the aws configure export-credentials command:

package.json:

{
  "scripts": {
    "deploy": "eval $(aws configure export-credentials --profile ${AWS_PROFILE} --format env) && env -u AWS_PROFILE sls deploy --stage"
  }
}

Perform Deployment to production stage:

npm run deploy production
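
The mismatch discussed throughout this thread (a profile that works with the AWS CLI but is reported as missing by a tool that reads only the credentials file), as an added example that is not part of any post: it classifies profiles by how they are defined and whether synced credentials exist for them. It assumes the standard INI layout of ~/.aws/config and ~/.aws/credentials; the function names and all sample values are constructed for illustration.

```javascript
// Constructed sample contents of ~/.aws/config and ~/.aws/credentials.
const SAMPLE_CONFIG = `
[profile dev-profile]
sso_session = corp
sso_role_name = Developer
[profile legacy-profile]
sso_start_url = https://example.awsapps.com/start
sso_role_name = Developer
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
`;
const SAMPLE_CREDENTIALS = `
[legacy-profile]
aws_access_key_id = ASIA-CONSTRUCTED
aws_secret_access_key = constructed
aws_session_token = constructed
`;

// Minimal INI reader: section name -> { key: value }.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const header = line.match(/^\[(.+)\]$/);
    const eq = line.indexOf('=');
    if (header) sections[(current = header[1].trim())] = {};
    else if (current && eq > 0 && !/^[#;]/.test(line))
      sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// For each profile in the config file: how it is defined, and whether the
// credentials file holds keys for it (and whether those keys are temporary).
function classifyProfiles(configText, credentialsText) {
  const creds = parseIni(credentialsText);
  const report = {};
  for (const [section, keys] of Object.entries(parseIni(configText))) {
    if (section.startsWith('sso-session ')) continue; // not a profile
    const name = section.replace(/^profile\s+/, '');
    const entry = creds[name] || {};
    report[name] = {
      kind: 'sso_session' in keys ? 'sso-session'
        : 'sso_start_url' in keys ? 'sso-legacy' : 'other',
      inCredentialsFile: 'aws_access_key_id' in entry,
      temporary: 'aws_session_token' in entry,
    };
  }
  return report;
}
console.log(classifyProfiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS));
```

A profile with `inCredentialsFile: false` is one that a credentials-file-only reader cannot see until one of the sync tools or the export-credentials approach above has been run.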