Closed jwechsler10 closed 10 months ago
@jwechsler10 --
Sorry for the late response - are you still having this issue?
Yes, I am.
The issue seems to be in credentials/ssocreds/provider.go: `getCacheFileName` is using the hash value of startURL as the name, while it seems like the names of the actual files are using some other convention.
```go
// Excerpt quoted by the commenter (the awserr/ioutil calls are the v1 SDK's);
// the cache file name is derived from startURL and then read from the cache dir.
func loadTokenFile(startURL string) (t token, err error) {
	key, err := getCacheFileName(startURL)
	if err != nil {
		return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err)
	}
	fileBytes, err := ioutil.ReadFile(filepath.Join(defaultCacheLocation(), key))
	// ...
```
I just recently faced this; for me, just updating aws-cli fixed the issue.
Current version: aws-cli/2.13.36 Python/3.11.6 Darwin/22.6.0 exe/x86_64
Hi, I'm still facing this problem even with
I'm getting `not found, ResolveEndpointV2` from sts.GetCallerIdentity, and
```
operation error ECS: ListClusters, get identity: get credentials: failed to refresh cached credentials, the SSO session has expired or is invalid: failed to read cached SSO token file, open /Users/bmz/.aws/sso/cache/788884265b3a819a27958949fded56a8894f083c.json: no such file or directory
```
from ecs.ListClusters.
The aws config is
```ini
[profile profile_name]
sso_session = profile_name
sso_account_id = <number>
sso_role_name = ReadOnly
sso_region = eu-west-1
sso_start_url = <url>

[sso-session profile_name]
sso_start_url = <url>
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
```
If I remove the duplicated lines in the config file like that
```ini
[profile profile_name]
sso_session = profile_name
sso_account_id = <number>
sso_role_name = ReadOnly

[sso-session profile_name]
sso_start_url = <url>
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
```
I get `profile "profile_name" is configured to use SSO but is missing required configuration: sso_region, sso_start_url`
The test code is
```go
package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/ecs"
	"github.com/aws/aws-sdk-go-v2/service/sts" // needed for sts.NewFromConfig below
)

func main() {
	opts := []func(*config.LoadOptions) error{
		config.WithRegion("eu-west-1"),
		config.WithSharedConfigProfile("profile_name"),
		config.WithRetryer(func() aws.Retryer { return aws.NopRetryer{} }),
	}
	cfg, err := config.LoadDefaultConfig(context.Background(), opts...)
	if err != nil {
		log.Fatal(err)
	}
	// These environment variables are set after cfg has already been loaded,
	// so they do not affect the profile or credentials resolved above.
	err = os.Setenv("AWS_SDK_LOAD_CONFIG", "1")
	if err != nil {
		log.Fatal(err)
	}
	err = os.Setenv("AWS_PROFILE", "profile_name")
	if err != nil {
		log.Fatal(err)
	}
	ctx := context.Background()

	// First call that needs credentials: this is where the SSO token file is read.
	stssvc := sts.NewFromConfig(cfg)
	identity, err := stssvc.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(identity)

	// Page through all clusters using NextToken.
	svc := ecs.NewFromConfig(cfg)
	var tk *string
	for {
		cs, err := svc.ListClusters(ctx, &ecs.ListClustersInput{NextToken: tk})
		if err != nil {
			log.Fatal(err)
		}
		fmt.Println(cs.ClusterArns)
		tk = cs.NextToken
		if tk == nil {
			break
		}
	}
}
```
Any suggestion?
@brunetto -- concerning "not found, ResolveEndpointV2" - see #2370
Hi @jwechsler10 and @jdeng, and others on the thread.
Unfortunately I'm not able to reproduce the issue. I'm able to start my sso session and use the SDK with that profile successfully:
```
$ aws --version
aws-cli/2.13.38 Python/3.11.6 Darwin/22.6.0 exe/x86_64 prompt/off

$ cat config
[profile my-new-sso]
sso_session = my-new-sso-session
sso_account_id = REDACTED
sso_role_name = s3FullAccess

[sso-session my-new-sso-session]
sso_region = us-east-1
sso_start_url = https://d-REDACTED.awsapps.com/start
sso_registration_scopes = sso:account:access

$ aws sso login --profile my-new-sso
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

REDACTED-REDACTED
Successfully logged into Start URL: https://d-REDACTED.awsapps.com/start
```
```go
package main

import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"     // github.com/aws/aws-sdk-go-v2/config v1.25.5
	"github.com/aws/aws-sdk-go-v2/service/s3" // github.com/aws/aws-sdk-go-v2/service/s3 v1.44.0
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.Background(),
		config.WithSharedConfigProfile("my-new-sso"),
		config.WithRegion("us-east-1"),
		// Wire logging: prints every request/response, including the SSO token exchange.
		config.WithClientLogMode(aws.LogRequestWithBody|aws.LogResponseWithBody),
	)
	if err != nil {
		fmt.Println("Error loading configuration:", err)
		return
	}
	svc := s3.NewFromConfig(cfg)
	result, err := svc.ListBuckets(context.Background(), &s3.ListBucketsInput{})
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("there are %v buckets", len(result.Buckets))
}
```
The SDK is successfully pulling the SDK token. Here are the wire logs:
```
SDK 2023/11/26 18:53:51 DEBUG Request
GET /federation/credentials?account_id=REDACTED&role_name=s3FullAccess HTTP/1.1
Host: portal.sso.us-east-1.amazonaws.com
User-Agent: aws-sdk-go-v2/1.23.1 os/macos lang/go#1.19.1 md/GOOS#darwin md/GOARCH#arm64 api/sso#1.17.3
Amz-Sdk-Invocation-Id: 15d5e0d3-604a-49a2-9326-8f5b75ecd312
Amz-Sdk-Request: attempt=1; max=3
X-Amz-Sso_bearer_token: REDACTED
Accept-Encoding: gzip

SDK 2023/11/26 18:53:53 DEBUG Response
HTTP/2.0 200 OK
Content-Length: 1032
Access-Control-Expose-Headers: RequestId
Access-Control-Expose-Headers: x-amzn-RequestId
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 27 Nov 2023 02:53:53 GMT
Requestid: REDACTED
Server: AWS SSO
X-Amzn-Requestid: REDACTED

{"roleCredentials":{"accessKeyId":"REDACTED","secretAccessKey":"REDACTED","sessionToken":"REDACTED","expiration":1701057232000}}

SDK 2023/11/26 18:53:53 DEBUG Request
GET / HTTP/1.1
Host: s3.us-east-1.amazonaws.com
User-Agent: aws-sdk-go-v2/1.23.1 os/macos lang/go#1.19.1 md/GOOS#darwin md/GOARCH#arm64 api/s3#1.44.0
Accept-Encoding: identity
Amz-Sdk-Invocation-Id: ca024226-4f12-4af2-acde-0086b7a2b8b4
Amz-Sdk-Request: attempt=1; max=3
Authorization: AWS4-HMAC-SHA256 Credential=REDACTED/20231127/us-east-1/s3/aws4_request, SignedHeaders=accept-encoding;amz-sdk-invocation-id;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=REDACTED
X-Amz-Content-Sha256: REDACTED
X-Amz-Date: 20231127T025353Z
X-Amz-Security-Token: REDACTED

SDK 2023/11/26 18:53:53 DEBUG Response
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Mon, 27 Nov 2023 02:53:54 GMT
Server: AmazonS3
X-Amz-Id-2: REDACTED
X-Amz-Request-Id: REDACTED
```
It would be helpful if one of you can look over my flow and see if I have something set up differently than you do. You might want to try enabling the wire logger, similar to what I did, to see if there's anything helpful in there. I would also suggest that you look at all of your versions and make sure they are all up to date.
All the best, Ran~
I've been running into this same problem. For me the fix was to remove the trailing `#` from the sso_start_url.
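An added diagnostic, not code from the SDK or from anyone in this thread, that ties the two observations above together: the cache file name is a hash of the profile's key (40 hex characters, as in the paths in the errors; this example uses SHA-1, which matches that length), so a trailing `#` on sso_start_url makes the SDK open a file the CLI never wrote. The program computes the expected file for a profile, looks for near-miss spellings of the key when that file is missing, and checks whether the entry it does find has already expired. Assumptions, stated in comments: the key is the sso_session name when the profile has one and the start URL otherwise; the cache entry carries `accessToken` and `expiresAt`; and `expiresAt` may be either RFC 3339 or the older "...UTC"-suffixed form. The cache entry in `main` is constructed for the demo.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// cacheKey is hashed into the file name. Assumed, not taken from the SDK: an
// sso_session profile keys on the session name, a legacy one on sso_start_url.
func cacheKey(startURL, sessionName string) string {
	if sessionName != "" {
		return sessionName
	}
	return startURL
}

// cacheFileName returns "<sha1 hex of key>.json", the naming the thread
// identifies for ~/.aws/sso/cache (40 hex characters, as in the errors above).
func cacheFileName(key string) string {
	sum := sha1.Sum([]byte(key))
	return hex.EncodeToString(sum[:]) + ".json"
}

// cachedToken: the part of a CLI-written entry used here (field names assumed).
type cachedToken struct {
	AccessToken string `json:"accessToken"`
	ExpiresAt   string `json:"expiresAt"`
}

// parseExpiry accepts RFC 3339 and the older "...UTC"-suffixed form (assumed).
func parseExpiry(s string) (time.Time, error) {
	for _, layout := range []string{time.RFC3339, "2006-01-02T15:04:05UTC"} {
		if ts, err := time.Parse(layout, s); err == nil {
			return ts, nil
		}
	}
	return time.Time{}, fmt.Errorf("unrecognised expiresAt %q", s)
}

// keyVariants: key plus near-miss spellings (trailing '#' or '/', whitespace).
func keyVariants(key string) []string {
	t := strings.TrimSpace(key)
	return []string{key, t, strings.TrimSuffix(t, "#"), strings.TrimSuffix(t, "/"), t + "#", t + "/"}
}

type Diagnosis struct {
	ExpectedFile string // file the SDK will try to open for this key
	Found        bool   // ExpectedFile exists
	MatchingKey  string // variant whose file does exist ("" if none)
	Expired      bool   // the token that was found is already expired at now
}

// diagnose computes the expected cache file for the profile's key, tries the
// variants to explain a missing file, and checks the found token's expiry.
func diagnose(cacheDir, startURL, sessionName string, now time.Time) (Diagnosis, error) {
	key := cacheKey(startURL, sessionName)
	d := Diagnosis{ExpectedFile: filepath.Join(cacheDir, cacheFileName(key))}
	var raw []byte
	for _, v := range keyVariants(key) {
		if b, err := os.ReadFile(filepath.Join(cacheDir, cacheFileName(v))); err == nil {
			d.MatchingKey, raw = v, b
			break
		}
	}
	if raw == nil {
		return d, nil // nothing cached under any spelling: run `aws sso login`
	}
	d.Found = d.MatchingKey == key
	var tok cachedToken
	if err := json.Unmarshal(raw, &tok); err != nil || tok.AccessToken == "" {
		return d, fmt.Errorf("unusable cache entry for %q: %v", d.MatchingKey, err)
	}
	exp, err := parseExpiry(tok.ExpiresAt)
	if err != nil {
		return d, err
	}
	d.Expired = !now.Before(exp)
	return d, nil
}

func main() {
	// Constructed demo: a fake entry for the clean URL, then the trailing-'#' profile.
	dir, _ := os.MkdirTemp("", "sso-cache")
	defer os.RemoveAll(dir)
	clean := "https://d-example.awsapps.com/start"
	entry := []byte(`{"accessToken":"fake-token","expiresAt":"2023-11-27T02:53:52UTC"}`)
	_ = os.WriteFile(filepath.Join(dir, cacheFileName(clean)), entry, 0o600)
	d, err := diagnose(dir, clean+"#", "", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("expected %s found=%v; file exists for key %q, expired=%v\n", filepath.Base(d.ExpectedFile), d.Found, d.MatchingKey, d.Expired)
}
```

To check a real profile, call `diagnose` with `filepath.Join(home, ".aws", "sso", "cache")` (from `os.UserHomeDir`), the profile's sso_start_url and its sso_session name (empty for a legacy profile). `Found=false` with a non-empty `MatchingKey` means the config and the CLI disagree on the key spelling; `Found=true` with `Expired=true` means the file is fine and only `aws sso login` is needed.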
Updating the version of my AWS CLI and then running `aws sso login` with the profile specified solved the issue. Thanks for the help!
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
> I've been running into this same problem. For me the fix was to remove the trailing `#` from the sso_start_url.

This was my issue as well. It was happening with Terraform; weird that it only happened when using the s3 backend and not with the main provider.
Had this happen to me; updating the AWS CLI (aws-cli/2.17.60 -> aws-cli/2.17.62), updating go modules to latest and running `aws sso login` again solved it for me...
Describe the bug
When trying to use an AWS profile with AWS IAM Identity Center, the SDK is unable to find the cached SSO token file with the cached credentials.
Expected Behavior
I would expect that the SDK is able to use the SSO profile I have configured and find the cached credentials and use them to make a request.
Current Behavior
```
operation error IAM: ListGroups, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, failed to read cached SSO token file, open ~/.aws/sso/cache/9ed037b84943c4caa3a520e48a5540181c46c98c.json: no such file or directory
```
Reproduction Steps
Possible Solution
No response
Additional Information/Context
I have always made sure to run `aws sso login` before running my script to make sure my credentials are valid. My aws config file is set up as follows, redacting the real start URL, role names and account numbers:
I have tried the following:
- running `aws sso login`
- running `rm -rf ~/.aws/sso/cache` and then running `aws --profile sandbox sso login`

I have verified that the default profile is working as expected and that my token file is at `~/.aws/sso/cache/e3149f93119ef3ca1319b67a45b4c0563fc79ab5.json`
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2/config v1.18.33
github.com/aws/aws-sdk-go-v2/service/iam v1.22.2
Compiler and Version used
go version go1.20.7 darwin/arm64
Operating System and version
MacOS 13.5