Fix AWS SSO for Bedrock profile auth in containers
All checks were successful
Build App / build-macos (push) Successful in 2m29s
Build App / build-windows (push) Successful in 3m56s
Build App / build-linux (push) Successful in 4m42s
Build Container / build-container (push) Successful in 54s
Build App / sync-to-github (push) Successful in 10s
All checks were successful
Build App / build-macos (push) Successful in 2m29s
Build App / build-windows (push) Successful in 3m56s
Build App / build-linux (push) Successful in 4m42s
Build Container / build-container (push) Successful in 54s
Build App / sync-to-github (push) Successful in 10s
SSO login was broken in containers due to three issues: the sso_session indirection format not being resolved by Claude Code's AWS SDK, SSO detection only checking sso_start_url (missing sso_session), and the OAuth callback port not being accessible from inside the container. This fix runs SSO login on the host OS (where the browser and ports work natively) by having the container emit a marker that the Tauri app detects in terminal output, triggering host-side `aws sso login`. The entrypoint also inlines sso_session properties into profile sections and injects awsAuthRefresh into Claude Code config for mid-session refresh. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -119,6 +119,9 @@ RUN chmod +x /usr/local/bin/audio-shim \
|
||||
&& ln -sf /usr/local/bin/audio-shim /usr/local/bin/rec \
|
||||
&& ln -sf /usr/local/bin/audio-shim /usr/local/bin/arecord
|
||||
|
||||
COPY triple-c-sso-refresh /usr/local/bin/triple-c-sso-refresh
|
||||
RUN chmod +x /usr/local/bin/triple-c-sso-refresh
|
||||
|
||||
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
|
||||
RUN chmod +x /usr/local/bin/entrypoint.sh
|
||||
COPY triple-c-scheduler /usr/local/bin/triple-c-scheduler
|
||||
|
||||
@@ -84,6 +84,31 @@ if [ -d /tmp/.host-aws ]; then
|
||||
# Ensure writable cache directories exist
|
||||
mkdir -p /home/claude/.aws/sso/cache /home/claude/.aws/cli/cache
|
||||
chown -R claude:claude /home/claude/.aws/sso /home/claude/.aws/cli
|
||||
|
||||
# Inline sso_session properties into profile sections so AWS SDKs that don't
|
||||
# support the sso_session indirection format can resolve sso_region, etc.
|
||||
if [ -f /home/claude/.aws/config ]; then
|
||||
python3 -c '
|
||||
import configparser, sys
|
||||
c = configparser.ConfigParser()
|
||||
c.read(sys.argv[1])
|
||||
for sec in c.sections():
|
||||
if not sec.startswith("profile ") and sec != "default":
|
||||
continue
|
||||
session = c.get(sec, "sso_session", fallback=None)
|
||||
if not session or c.has_option(sec, "sso_start_url"):
|
||||
continue
|
||||
ss = f"sso-session {session}"
|
||||
if not c.has_section(ss):
|
||||
continue
|
||||
for key in ("sso_start_url", "sso_region", "sso_registration_scopes"):
|
||||
val = c.get(ss, key, fallback=None)
|
||||
if val:
|
||||
c.set(sec, key, val)
|
||||
with open(sys.argv[1], "w") as f:
|
||||
c.write(f)
|
||||
' /home/claude/.aws/config 2>/dev/null || true
|
||||
fi
|
||||
fi
|
||||
|
||||
# ── Git credential helper (for HTTPS token) ─────────────────────────────────
|
||||
@@ -164,6 +189,24 @@ if [ -n "$MCP_SERVERS_JSON" ]; then
|
||||
unset MCP_SERVERS_JSON
|
||||
fi
|
||||
|
||||
# ── AWS SSO auth refresh command ──────────────────────────────────────────────
|
||||
# When set, inject awsAuthRefresh into ~/.claude.json so Claude Code calls
|
||||
# triple-c-sso-refresh when AWS credentials expire mid-session.
|
||||
if [ -n "$AWS_SSO_AUTH_REFRESH_CMD" ]; then
|
||||
CLAUDE_JSON="/home/claude/.claude.json"
|
||||
if [ -f "$CLAUDE_JSON" ]; then
|
||||
MERGED=$(jq --arg cmd "$AWS_SSO_AUTH_REFRESH_CMD" '.awsAuthRefresh = $cmd' "$CLAUDE_JSON" 2>/dev/null)
|
||||
if [ -n "$MERGED" ]; then
|
||||
printf '%s\n' "$MERGED" > "$CLAUDE_JSON"
|
||||
fi
|
||||
else
|
||||
printf '{"awsAuthRefresh":"%s"}\n' "$AWS_SSO_AUTH_REFRESH_CMD" > "$CLAUDE_JSON"
|
||||
fi
|
||||
chown claude:claude "$CLAUDE_JSON"
|
||||
chmod 600 "$CLAUDE_JSON"
|
||||
unset AWS_SSO_AUTH_REFRESH_CMD
|
||||
fi
|
||||
|
||||
# ── Docker socket permissions ────────────────────────────────────────────────
|
||||
if [ -S /var/run/docker.sock ]; then
|
||||
DOCKER_GID=$(stat -c '%g' /var/run/docker.sock)
|
||||
|
||||
33
container/triple-c-sso-refresh
Executable file
33
container/triple-c-sso-refresh
Executable file
@@ -0,0 +1,33 @@
|
||||
#!/bin/bash
|
||||
# Signal Triple-C to perform host-side AWS SSO login, then sync the result.
|
||||
CACHE_DIR="$HOME/.aws/sso/cache"
|
||||
HOST_CACHE="/tmp/.host-aws/sso/cache"
|
||||
MARKER="/tmp/.sso-refresh-marker"
|
||||
|
||||
touch "$MARKER"
|
||||
|
||||
# Emit marker for Triple-C app to detect in terminal output
|
||||
echo "###TRIPLE_C_SSO_REFRESH###"
|
||||
echo "Waiting for SSO login to complete on host..."
|
||||
|
||||
TIMEOUT=120
|
||||
ELAPSED=0
|
||||
while [ $ELAPSED -lt $TIMEOUT ]; do
|
||||
if [ -d "$HOST_CACHE" ]; then
|
||||
NEW=$(find "$HOST_CACHE" -name "*.json" -newer "$MARKER" 2>/dev/null | head -1)
|
||||
if [ -n "$NEW" ]; then
|
||||
mkdir -p "$CACHE_DIR"
|
||||
cp -f "$HOST_CACHE"/*.json "$CACHE_DIR/" 2>/dev/null
|
||||
chown -R "$(whoami)" "$CACHE_DIR"
|
||||
echo "AWS SSO credentials refreshed successfully."
|
||||
rm -f "$MARKER"
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
sleep 2
|
||||
ELAPSED=$((ELAPSED + 2))
|
||||
done
|
||||
|
||||
echo "SSO refresh timed out (${TIMEOUT}s). Please try again."
|
||||
rm -f "$MARKER"
|
||||
exit 1
|
||||
Reference in New Issue
Block a user