Unable to execute AWS CLI using --exec #294

@ThomasLowryCelink

Attempting to wrap an AWS CLI command using the --exec flag on Windows (Enterprise Version 10.0.26100 Build 26100) fails. This has been confirmed across multiple Windows machines. This does not fail in the WSL or Linux use case. Attempting with the most recent 2.5.1 release (which shows it's still version 2.5.0) doesn't work either.

PS C:\> okta-aws-cli --version
okta-aws-cli version 2.5.0

PS C:\> okta-aws-cli web --profile [REDACTED] --exec -- aws --version
Web browser will open the following URL to begin Okta device authorization for the AWS CLI

https://[REDACTED]/activate?user_code=[REDACTED]

  IdP: [REDACTED]  Role: [REDACTED]WARNING: Commented out "[REDACTED]" profile keys "aws_security_token", "x_principal_arn", "x_security_token_expires". Uncomment if third party tools use these values.
Updated profile "[REDACTED]" in credentials file "C:\\Users\\[REDACTED]\\.aws\\credentials".
error running process
aws --version
Traceback (most recent call last):
  File "aws.py", line 19, in <module>
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "PyInstaller\loader\pyimod02_importers.py", line 384, in exec_module
  File "awscli\clidriver.py", line 78, in <module>
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "PyInstaller\loader\pyimod02_importers.py", line 384, in exec_module
  File "awscli\telemetry.py", line 31, in <module>
  File "pathlib\_abc.py", line 758, in home
  File "pathlib\_local.py", line 808, in expanduser
RuntimeError: Could not determine home directory.
[PYI-28292:ERROR] Failed to execute script 'aws' due to unhandled exception!

Error: exit status 1
Usage:
  okta-aws-cli web [flags]

Flags:
  -k, --all-profiles                  Collect all profiles for a given IdP (implies aws-credentials file output format)
  -a, --aws-acct-fed-app-id string    AWS Account Federation app ID
  -i, --aws-iam-idp string            Preset IAM Identity Provider ARN
  -h, --help                          help for web
  -b, --open-browser                  Automatically open the activation URL with the system web browser
  -m, --open-browser-command string   Automatically open the activation URL with the given web browser command
  -q, --qr-code                       Print QR Code of activation URL

Global Flags:
  -w, --aws-credentials string        Path to AWS credentials file, only valid with format "aws-credentials" (default "C:\\Users\\[REDACTED]\\.aws\\credentials")
  -r, --aws-iam-role string           Preset IAM Role ARN
  -n, --aws-region string             Preset AWS Region
  -s, --aws-session-duration string   Session duration for role.
  -e, --cache-access-token            Cache Okta access token to reduce need for opening grant URL
  -g, --debug                         Print operational information to the screen for debugging purposes
  -d, --debug-api-calls               Verbosely print all API calls/responses to the screen
  -j, --exec                          Execute any shell commands after the '--' CLI arguments termination
  -x, --expiry-aws-variables          Emit x_security_token_expires value in profile block of AWS credentials file
  -f, --format string                 Output format. [aws-credentials|env-var|noop|process-credentials]
  -l, --legacy-aws-variables          Emit deprecated AWS Security Token value. WARNING: AWS CLI deprecated this value in November 2014 and is no longer documented
  -c, --oidc-client-id string         OIDC Client ID - web: OIDC native application, m2m: API service application
  -o, --org-domain string             Okta Org Domain
  -p, --profile string                AWS Profile
  -y, --short-user-agent              Set CLI's User-Agent header to okta-aws-cli so it can be used in a policy rule
  -z, --write-aws-credentials         Write the created/updated profile to the "C:\\Users\\[REDACTED]\\.aws\\credentials" file. WARNING: This can inadvertently remove dangling comments and extraneous formatting from the creds file.

Running AWS on its own works fine.

PS C:\> aws --version
aws-cli/2.32.6 Python/3.13.9 Windows/11 exe/AMD64
