aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0

Bug: sam deploy complains SSO session is invalid even though aws sso login was run #4865

Closed bradthurber closed 1 year ago

bradthurber commented 1 year ago

Description:

Running

aws sso login --profile sandbox

followed by

sam deploy --guided --profile sandbox

fails with

Error: The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.

Steps to reproduce:

$ aws sso login --profile sandbox
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

SFSX-XHMS
gio: https://device.sso.us-east-1.amazonaws.com/?user_code=SFSX-XHMS: Operation not supported
Successfully logged into Start URL: https://REDACTED.awsapps.com/start#/

$ sam deploy --guided --profile sandbox

Configuring SAM deploy
======================

        Looking for config file [samconfig.toml] :  Found
        Reading default arguments  :  Success

        Setting default arguments for 'sam deploy'
        =========================================
        Stack Name [rds-start-stop]:
        #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
        Confirm changes before deploy [Y/n]:
        #SAM needs permission to be able to create roles to connect to the resources in your template
        Allow SAM CLI IAM role creation [Y/n]:
        #Preserves the state of previously provisioned resources when an operation fails
        Disable rollback [y/N]:
        Save arguments to configuration file [Y/n]:
        SAM configuration file [samconfig.toml]:
        SAM configuration environment [default]: sandbox-thurber

        Looking for resources needed for deployment:
Error: The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.

$ aws s3 ls --profile sandbox
2022-11-30 12:47:48 bucket
2022-11-13 21:00:08 bucket
2022-11-29 19:31:37 etc

$

Observed result:

I get an error about the profile being expired even though the profile is valid

Expected result:

Expected the SAM app to be deployed

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Ubuntu 22
  2. sam --version:SAM CLI, version 1.76.0
  3. AWS region: us-east-1

$ aws --version
aws-cli/2.11.2 Python/3.11.2 Linux/5.15.90.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off

# Paste the output of `sam --info` here

{
  "version": "1.76.0",
  "system": {
    "python": "3.7.10",
    "os": "Linux-5.15.90.1-microsoft-standard-WSL2-x86_64-with-debian-bookworm-sid"
  },
  "additional_dependencies": {
    "docker_engine": "20.10.23",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  }
}

Add --debug flag to command you are running

$ sam deploy --guided --profile sandbox --debug --region us-east-1
2023-03-15 08:59:29,883 | Config file location: /home/brad/dev/rds/CsRdsAutoStartStop/samconfig.toml
2023-03-15 08:59:29,884 | Loading configuration values from [default.['deploy'].parameters] (env.command_name.section) in config file at '/home/brad/dev/rds/CsRdsAutoStartStop/samconfig.toml'...
2023-03-15 08:59:29,888 | Configuration values successfully loaded.
2023-03-15 08:59:29,888 | Configuration values are: {'stack_name': 'rds-start-stop', 'capabilities': 'CAPABILITY_IAM', 'confirm_changeset': True, 'resolve_s3': True}
2023-03-15 08:59:29,907 | Using SAM Template at /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:29,964 | Using config file: samconfig.toml, config environment: default
2023-03-15 08:59:29,964 | Expand command line arguments to:
2023-03-15 08:59:29,964 | --guided --template_file=/home/brad/dev/rds/CsRdsAutoStartStop/template.yaml --fail_on_empty_changeset --confirm_changeset --on_failure=ROLLBACK --stack_name=rds-start-stop --resolve_s3 --capabilities=['CAPABILITY_IAM']
2023-03-15 08:59:30,133 | There is no customer defined id or cdk path defined for resource AutoStartRDSLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:30,133 | There is no customer defined id or cdk path defined for resource AutoStopRDSLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:30,133 | There is no customer defined id or cdk path defined for resource RDSStopWeekDayLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:30,133 | There is no customer defined id or cdk path defined for resource RDSStartWeekDayLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:30,133 | There is no customer defined id or cdk path defined for resource RDSStopWeekEndLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:30,133 | There is no customer defined id or cdk path defined for resource RDSStartWeekEndLambda, so we will use the resource logical id as the resource id

Configuring SAM deploy
======================

        Looking for config file [samconfig.toml] :  Found
        Reading default arguments  :  Success

        Setting default arguments for 'sam deploy'
        =========================================
        Stack Name [rds-start-stop]:
        AWS Region [us-east-1]:
        Parameter AutoStartRDSSchedule [cron(0 13 ? * MON-FRI *)]:
        Parameter AutoStopRDSSchedule [cron(0 1 ? * MON-FRI *)]:
        Parameter RDSStartStopWeekDaySchedule [cron(*/5 * ? * MON-FRI *)]:
        Parameter RDSStartStopWeekEndSchedule [cron(*/5 * ? * SAT-SUN *)]:
        Parameter RegionTZ [UTC]:
2023-03-15 08:59:35,843 | Collected default values for parameters: {'AutoStartRDSSchedule': 'cron(0 13 ? * MON-FRI *)', 'AutoStopRDSSchedule': 'cron(0 1 ? * MON-FRI *)', 'RDSStartStopWeekDaySchedule': 'cron(*/5 * ? * MON-FRI *)', 'RDSStartStopWeekEndSchedule': 'cron(*/5 * ? * SAT-SUN *)', 'RegionTZ': 'UTC'}
2023-03-15 08:59:35,851 | There is no customer defined id or cdk path defined for resource AutoStartRDSLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:35,851 | There is no customer defined id or cdk path defined for resource AutoStopRDSLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:35,851 | There is no customer defined id or cdk path defined for resource RDSStopWeekDayLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:35,851 | There is no customer defined id or cdk path defined for resource RDSStartWeekDayLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:35,851 | There is no customer defined id or cdk path defined for resource RDSStopWeekEndLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:35,851 | There is no customer defined id or cdk path defined for resource RDSStartWeekEndLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:35,852 | 0 stacks found in the template
        #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
        Confirm changes before deploy [Y/n]:
        #SAM needs permission to be able to create roles to connect to the resources in your template
        Allow SAM CLI IAM role creation [Y/n]:
        #Preserves the state of previously provisioned resources when an operation fails
        Disable rollback [y/N]:
2023-03-15 08:59:38,471 | Collected default values for parameters: {'AutoStartRDSSchedule': 'cron(0 13 ? * MON-FRI *)', 'AutoStopRDSSchedule': 'cron(0 1 ? * MON-FRI *)', 'RDSStartStopWeekDaySchedule': 'cron(*/5 * ? * MON-FRI *)', 'RDSStartStopWeekEndSchedule': 'cron(*/5 * ? * SAT-SUN *)', 'RegionTZ': 'UTC'}
2023-03-15 08:59:38,478 | There is no customer defined id or cdk path defined for resource AutoStartRDSLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:38,478 | There is no customer defined id or cdk path defined for resource AutoStopRDSLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:38,478 | There is no customer defined id or cdk path defined for resource RDSStopWeekDayLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:38,478 | There is no customer defined id or cdk path defined for resource RDSStartWeekDayLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:38,478 | There is no customer defined id or cdk path defined for resource RDSStopWeekEndLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:38,478 | There is no customer defined id or cdk path defined for resource RDSStartWeekEndLambda, so we will use the resource logical id as the resource id
2023-03-15 08:59:38,479 | 6 resources found in the stack
2023-03-15 08:59:38,479 | Found Serverless function with name='AutoStartRDSLambda' and CodeUri='./lambda/auto_start_rds_instance.py'
2023-03-15 08:59:38,479 | --base-dir is not presented, adjusting uri ./lambda/auto_start_rds_instance.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,479 | Found Serverless function with name='AutoStopRDSLambda' and CodeUri='./lambda/auto_stop_rds_instance.py'
2023-03-15 08:59:38,479 | --base-dir is not presented, adjusting uri ./lambda/auto_stop_rds_instance.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,479 | Found Serverless function with name='RDSStopWeekDayLambda' and CodeUri='./lambda/rds_stop_week_day.py'
2023-03-15 08:59:38,479 | --base-dir is not presented, adjusting uri ./lambda/rds_stop_week_day.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,479 | Found Serverless function with name='RDSStartWeekDayLambda' and CodeUri='./lambda/rds_start_week_day.py'
2023-03-15 08:59:38,479 | --base-dir is not presented, adjusting uri ./lambda/rds_start_week_day.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,479 | Found Serverless function with name='RDSStopWeekEndLambda' and CodeUri='./lambda/rds_stop_week_end.py'
2023-03-15 08:59:38,479 | --base-dir is not presented, adjusting uri ./lambda/rds_stop_week_end.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,479 | Found Serverless function with name='RDSStartWeekEndLambda' and CodeUri='./lambda/rds_start_week_end.py'
2023-03-15 08:59:38,479 | --base-dir is not presented, adjusting uri ./lambda/rds_start_week_end.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,479 | 6 resources found in the stack
2023-03-15 08:59:38,479 | Found Serverless function with name='AutoStartRDSLambda' and CodeUri='./lambda/auto_start_rds_instance.py'
2023-03-15 08:59:38,480 | --base-dir is not presented, adjusting uri ./lambda/auto_start_rds_instance.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,480 | Found Serverless function with name='AutoStopRDSLambda' and CodeUri='./lambda/auto_stop_rds_instance.py'
2023-03-15 08:59:38,480 | --base-dir is not presented, adjusting uri ./lambda/auto_stop_rds_instance.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,480 | Found Serverless function with name='RDSStopWeekDayLambda' and CodeUri='./lambda/rds_stop_week_day.py'
2023-03-15 08:59:38,480 | --base-dir is not presented, adjusting uri ./lambda/rds_stop_week_day.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,480 | Found Serverless function with name='RDSStartWeekDayLambda' and CodeUri='./lambda/rds_start_week_day.py'
2023-03-15 08:59:38,480 | --base-dir is not presented, adjusting uri ./lambda/rds_start_week_day.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,480 | Found Serverless function with name='RDSStopWeekEndLambda' and CodeUri='./lambda/rds_stop_week_end.py'
2023-03-15 08:59:38,480 | --base-dir is not presented, adjusting uri ./lambda/rds_stop_week_end.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,480 | Found Serverless function with name='RDSStartWeekEndLambda' and CodeUri='./lambda/rds_start_week_end.py'
2023-03-15 08:59:38,480 | --base-dir is not presented, adjusting uri ./lambda/rds_start_week_end.py relative to /home/brad/dev/rds/CsRdsAutoStartStop/template.yaml
2023-03-15 08:59:38,480 | No function or layer definition found with code sign config, skipping
        Save arguments to configuration file [Y/n]: y
        SAM configuration file [samconfig.toml]:
        SAM configuration environment [default]: sandbox-thurber

        Looking for resources needed for deployment:
2023-03-15 08:59:45,741 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2023-03-15 08:59:45,750 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId': '263b0832-e09e-462f-86e6-f8627731c719', 'installationId': '13b475ca-9dcc-4c98-8c7c-eaeff20129c1', 'sessionId': '2fcc9822-84f5-4911-a844-d4d569db0b72', 'executionEnvironment': 'CLI', 'ci': False, 'pyversion': '3.7.10', 'samcliVersion': '1.76.0', 'awsProfileProvided': True, 'debugFlagProvided': True, 'region': 'us-east-1', 'commandName': 'sam deploy', 'metricSpecificAttributes': {'projectType': 'CFN', 'gitOrigin': None, 'projectName': '0f0a1aefe0e208082d599fd79707ae5e807d6f98c9e8a53cd65e88338c1737b1', 'initialCommit': None}, 'duration': 15777, 'exitReason': 'SDKError', 'exitCode': 1}}]}
2023-03-15 08:59:46,123 | Telemetry response: 200
Error: The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.

bradthurber commented 1 year ago

Looks like this may be caused by expires_at token not being set further up the chain

See https://github.com/aws/aws-sdk/issues/531
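
One way to check the expiry recorded on cached SSO tokens, which is what the comment above points at. This is an added example, not code from SAM CLI, boto3 or any commenter. It assumes the AWS CLI v2 cache layout (JSON files under ~/.aws/sso/cache carrying startUrl, accessToken and expiresAt); the function names are hypothetical, and only metadata is reported, never the access token.

```python
import json
from datetime import datetime, timezone
from pathlib import Path

# Assumed location of the AWS CLI v2 SSO token cache.
CACHE_DIR = Path.home() / ".aws" / "sso" / "cache"


def parse_expiry(value):
    """Return expiresAt as an aware UTC datetime, or None if missing or unparseable."""
    if not isinstance(value, str):
        return None
    text = value.strip()
    for suffix in ("UTC", "Z"):  # assumption: accept either suffix on the timestamp
        if text.endswith(suffix):
            text = text[: -len(suffix)] + "+00:00"
            break
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_cache(cache_dir=CACHE_DIR, now=None):
    """Classify each cached SSO token as valid, expired or no-expiry (metadata only)."""
    now = now or datetime.now(timezone.utc)
    report = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError):
            report.append({"file": path.name, "startUrl": None, "status": "unreadable"})
            continue
        if not isinstance(data, dict) or "accessToken" not in data:
            continue  # e.g. client registration files, which carry no access token
        expiry = parse_expiry(data.get("expiresAt"))
        if expiry is None:
            status = "no-expiry"  # no usable expiry recorded on the token
        elif expiry <= now:
            status = "expired"
        else:
            status = "valid"
        report.append({"file": path.name, "startUrl": data.get("startUrl"), "status": status})
    return report


if __name__ == "__main__":
    for entry in audit_cache():
        print(f"{entry['status']:<10} {entry['startUrl']}  ({entry['file']})")
```
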

bradthurber commented 1 year ago

As a workaround, I can go into Visual Studio Code with code . and authenticate as my SSO user using the AWS Tools Explorer. Once I do that, I can go right back to the command prompt and run sam deploy --guided --profile sandbox --region us-east-1 and it just works. An hour or so later I have to do the workaround again.

hawflau commented 1 year ago

Thanks for raising the issue. As you pointed out, it's probably an SDK/boto3 issue. But let us investigate further to understand if there's anything that can be done on the SAM CLI side.

bradthurber commented 1 year ago

I think this may be working now but I'm hesitant to close it because people still seem to be having problems upstream in the AWS CLI.

bradthurber commented 1 year ago

I can no longer reproduce this issue. I'm assuming it was fixed somewhere so I will close it.

My current SAM info:

brad@brad13600:~$ sam --info
{
  "version": "1.80.0",
  "system": {
    "python": "3.7.10",
    "os": "Linux-5.15.90.1-microsoft-standard-WSL2-x86_64-with-debian-bookworm-sid"
  },
  "additional_dependencies": {
    "docker_engine": "20.10.24",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  }
}