
Bug: sam pipeline bootstrap --oidc-provider gitlab with a custom gitlab url creates an identity provider with excessive / suffix #7432

Open
hakandilek opened this issue Sep 2, 2024 · 4 comments
Labels
area/pipeline stage/bug-repro The issue/bug needs to be reproduced

Comments

@hakandilek

Description:

I am calling sam pipeline bootstrap with GitLab as the OIDC provider, using my own GitLab instance hosted on e.g. https://own-gitlab.com. This creates an identity provider with the name own-gitlab.com/ (mind the trailing slash) and the audience https://own-gitlab.com, which fails to assume the role later.

Steps to reproduce:

Run the CLI command

sam pipeline bootstrap --no-interactive --no-create-image-repository --no-confirm-changeset \
  --stage dev --region eu-central-1 \
  --permissions-provider oidc --oidc-provider gitlab \
  --oidc-provider-url https://own-gitlab.com \
  --oidc-client-id https://own-gitlab.com \
  --gitlab-group bar --gitlab-project foo

Observed result:

Creates the Identity provider own-gitlab.com/ (trailing slash) with audience https://own-gitlab.com.

This leads to an error for assume-role command later:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for https://own-gitlab.com/

Expected result:

Identity provider own-gitlab.com (WITHOUT the trailing slash) with audience https://own-gitlab.com should be created.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

{
  "version": "1.122.0",
  "system": {
    "python": "3.12.5",
    "os": "macOS-14.6.1-arm64-arm-64bit"
  },
  "additional_dependencies": {
    "docker_engine": "25.0.5",
    "aws_cdk": "Not available",
    "terraform": "1.9.4"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

Add --debug flag to command you are running

@hakandilek hakandilek added the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label Sep 2, 2024
@hakandilek hakandilek changed the title Bug: sam pipeline bootstrap --oidc-provider gitlab with a custom gitlab url creates an identity provider with eccesive / suffix Bug: sam pipeline bootstrap --oidc-provider gitlab with a custom gitlab url creates an identity provider with excessive / suffix Sep 2, 2024
@hakandilek
Author

Here is the --debug output:

sam pipeline bootstrap --no-interactive --no-create-image-repository --no-confirm-changeset --stage dev --region eu-central-1 --permissions-provider oidc --oidc-provider gitlab --oidc-provider-url https://own-gitlab.com --oidc-client-id https://own-gitlab.com --gitlab-group foo --gitlab-project bar --debug
2024-09-03 12:48:56,823 | No config file found in this directory.
2024-09-03 12:48:56,825 | OSError occurred while reading TOML file: [Errno 2] No such file or directory:
'/*REDACTED*/bar/samconfig.toml'
2024-09-03 12:48:56,826 | Config file location: /*REDACTED*/bar/samconfig.toml
2024-09-03 12:48:56,826 | Config file '/*REDACTED*/bar/samconfig.toml' does
not exist
2024-09-03 12:48:56,839 | OSError occurred while reading TOML file: [Errno 2] No such file or directory:
'/*REDACTED*/bar/samconfig.toml'
2024-09-03 12:48:56,839 | Using config file: samconfig.toml, config environment: default
2024-09-03 12:48:56,840 | Expand command line arguments to:
2024-09-03 12:48:56,840 | --stage=dev --permissions_provider=oidc --oidc_provider=gitlab
--oidc_provider_url=https://own-gitlab.com --oidc_client_id=https://own-gitlab.com
--gitlab_group=foo --gitlab_project=bar
This will create the following required resources for the 'dev' configuration:
	- IAM OIDC Identity Provider
	- Pipeline execution role
	- CloudFormation execution role
	- Artifact bucket
2024-09-03 12:48:59,002 | Managed S3 stack [aws-sam-cli-managed-dev-pipeline-resources] not found. Creating
a new one.
	Creating the required resources...
	Successfully created!
The following resources were created in your account:
	- Pipeline execution role
	- CloudFormation execution role
	- Artifact bucket
	- IAM OIDC Identity Provider
View the definition in .aws-sam/pipeline/pipelineconfig.toml,
run sam pipeline bootstrap to generate another set of resources, or proceed to
sam pipeline init to create your pipeline configuration file.

2024-09-03 12:50:18,437 | Telemetry endpoint configured to be
https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2024-09-03 12:50:18,559 | Telemetry endpoint configured to be
https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2024-09-03 12:50:18,560 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId':
'bdd69414-6477-4eff-b00c-4ef6fcca91c8', 'installationId': '8efec658-aae7-4e0d-948e-fbd0e429c52f',
'sessionId': '5d7cc645-67d4-42ea-8dbc-6cc33ae4e996', 'executionEnvironment': 'CLI', 'ci': False,
'pyversion': '3.12.5', 'samcliVersion': '1.122.0', 'awsProfileProvided': False, 'debugFlagProvided': True,
'region': 'eu-central-1', 'commandName': 'sam pipeline bootstrap', 'metricSpecificAttributes':
{'projectType': 'CFN', 'gitOrigin': None, 'projectName':
'f3e65aae6b5ad3e1ea6b179b8ab55fd756aa363713766ebdfc4a0ed73c213872', 'initialCommit': None}, 'duration':
81619, 'exitReason': 'success', 'exitCode': 0}}]}
2024-09-03 12:50:18,560 | Unable to find Click Context for getting session_id.
2024-09-03 12:50:18,563 | Sending Telemetry: {'metrics': [{'events': {'requestId':
'5f1b1add-7b0c-46cb-8570-0de8f8ae6fe6', 'installationId': '8efec658-aae7-4e0d-948e-fbd0e429c52f',
'sessionId': '5d7cc645-67d4-42ea-8dbc-6cc33ae4e996', 'executionEnvironment': 'CLI', 'ci': False,
'pyversion': '3.12.5', 'samcliVersion': '1.122.0', 'commandName': 'sam pipeline bootstrap',
'metricSpecificAttributes': {'events': [{'event_name': 'SamConfigFileExtension', 'event_value': '.toml',
'thread_id': '25002e8ae45e43b3b2c5779bbdf87ce6', 'time_stamp': '2024-09-03 09:48:56.825', 'exception_name':
None}, {'event_name': 'SamConfigFileExtension', 'event_value': '.toml', 'thread_id':
'1cdd7f5c6ee54a77bfd0123e7169e5a8', 'time_stamp': '2024-09-03 09:48:56.839', 'exception_name': None},
{'event_name': 'SamConfigFileExtension', 'event_value': '.toml', 'thread_id':
'52bff1d33eb546d2b213b59d7bf8b73f', 'time_stamp': '2024-09-03 09:48:56.844', 'exception_name': None},
{'event_name': 'SamConfigFileExtension', 'event_value': '.toml', 'thread_id':
'd5f308f471f743f5b16f602fe2369c81', 'time_stamp': '2024-09-03 09:50:18.430', 'exception_name': None}]}}}]}
2024-09-03 12:50:19,588 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com',
port=443): Read timed out. (read timeout=0.1)
2024-09-03 12:50:19,590 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com',
port=443): Read timed out. (read timeout=0.1)

@hakandilek
Author

In the generated .aws-sam/pipeline/pipelineconfig.toml file, I have:

version = 0.1
[default.pipeline_bootstrap.parameters]
oidc_provider_url = "https://own-gitlab.com/"
oidc_client_id = "https://own-gitlab.com"
...
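The observed result above (provider name own-gitlab.com/ versus an issuer of https://own-gitlab.com) and the pipelineconfig.toml snippet in this comment both come down to the same thing: IAM names an OIDC provider by its URL minus the scheme, so a trailing slash in oidc_provider_url produces a provider that the token's iss claim does not match. The following is an added example, not SAM CLI or AWS code. It derives the IAM provider name the way the issue describes, reads the iss claim from an ID token (without verifying it; STS does that), compares the two, and lints a constructed pipelineconfig.toml modelled on the snippet above. The sample token and config are constructed here; the key = "value" reader is a minimal helper for this snippet, not a TOML parser.

```python
"""Diagnose IAM OIDC provider / token issuer mismatches before `sam pipeline init`.

Added example for this issue, not SAM CLI code. Sample token and config are
constructed inline so the script runs offline.
"""
import base64
import json
import re
from urllib.parse import urlsplit


def iam_oidc_provider_name(provider_url: str) -> str:
    """Name IAM gives an OIDC provider: the URL without its scheme, i.e. the part
    after 'oidc-provider/' in the provider ARN. Nothing is normalised here on
    purpose, so a trailing '/' in the URL ends up in the provider name."""
    parts = urlsplit(provider_url.strip())
    if parts.scheme != "https":
        raise ValueError("OIDC provider URL must start with https://")
    return parts.netloc + parts.path


def normalize_issuer_url(url: str) -> str:
    """Canonical issuer form to store in pipelineconfig.toml: https scheme,
    surrounding whitespace removed, no trailing slash on the path."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("issuer URL must start with https://")
    return "https://" + parts.netloc + parts.path.rstrip("/")


def issuer_claim(id_token: str) -> str:
    """Read the 'iss' claim from a JWT without verifying the signature.
    Diagnostic only: STS performs the real verification against the provider's keys."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload_b64 = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload["iss"]


def provider_matches_token(provider_url: str, id_token: str) -> bool:
    """True when the configured provider URL and the token's iss name the same
    IAM OIDC provider. The comparison is exact after dropping the scheme, which
    is the check that fails in this issue (own-gitlab.com/ != own-gitlab.com)."""
    return iam_oidc_provider_name(provider_url) == iam_oidc_provider_name(issuer_claim(id_token))


def make_unsigned_sample_token(iss: str, aud: str) -> str:
    """Constructed JWT shaped like a GitLab CI ID token, for the diagnostic above.
    The signature segment is a placeholder; it would never pass STS verification."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "RS256", "typ": "JWT"})
    payload = seg({"iss": iss, "aud": aud, "sub": "project_path:bar/foo:ref_type:branch:ref:main"})
    return header + "." + payload + ".placeholder-signature"


# Minimal reader for the simple key = "value" lines sam pipeline bootstrap writes
# (not a TOML parser; 'version = 0.1' is deliberately not matched).
_TOML_STRING = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)


def lint_pipeline_config(toml_text: str) -> list:
    """Return (key, configured value, suggested value) for an oidc_provider_url
    whose IAM provider name would differ from the canonical issuer URL."""
    params = dict(_TOML_STRING.findall(toml_text))
    findings = []
    configured = params.get("oidc_provider_url")
    if configured is not None:
        canonical = normalize_issuer_url(configured)
        if canonical != configured:
            findings.append(("oidc_provider_url", configured, canonical))
    return findings


# Constructed after the pipelineconfig.toml snippet reported in this issue.
SAMPLE_PIPELINECONFIG = '''version = 0.1
[default.pipeline_bootstrap.parameters]
oidc_provider_url = "https://own-gitlab.com/"
oidc_client_id = "https://own-gitlab.com"
'''

if __name__ == "__main__":
    token = make_unsigned_sample_token("https://own-gitlab.com", "https://own-gitlab.com")
    for key, configured, suggested in lint_pipeline_config(SAMPLE_PIPELINECONFIG):
        print(f"{key}: IAM provider would be named {iam_oidc_provider_name(configured)!r}; "
              f"token iss is {issuer_claim(token)!r}; use {suggested!r} instead")
    print("as configured, AssumeRoleWithWebIdentity would find the provider:",
          provider_matches_token("https://own-gitlab.com/", token))
    print("after normalisation:",
          provider_matches_token(normalize_issuer_url("https://own-gitlab.com/"), token))
```

Running the script against the constructed config reports the trailing-slash provider name and shows the match succeeding only once the URL is normalised; the same lint can be pointed at a real .aws-sam/pipeline/pipelineconfig.toml before the pipeline's first assume-role attempt.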

@hnnasit
Contributor

hnnasit commented Sep 12, 2024

Hi @hakandilek, thanks for reporting the issue and providing the details. I will try reproducing the issue on my side.

@hnnasit hnnasit added area/pipeline stage/bug-repro The issue/bug needs to be reproduced and removed stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Sep 12, 2024
@hakandilek
Author

> Hi @hakandilek, thanks for reporting the issue and providing the details. I will try reproducing the issue on my side.

Hi @hnnasit, thanks for looking into it. Please let me know if you need further info.
