aws / aws-toolkit-jetbrains

AWS Toolkit for JetBrains - a plugin for interacting with AWS from JetBrains IDEs
https://plugins.jetbrains.com/plugin/11349-aws-toolkit
Apache License 2.0

AWS Toolkit Not aware of expired creds. #2484

Open jmezinko opened 3 years ago

jmezinko commented 3 years ago

Describe the bug
When SSO credentials expire the AWS toolkit does not pick up on this and believes the saved creds are valid. A restart of the application is required to re-authenticate.

To reproduce
Let SSO creds expire or force a logout through the CLI. Attempt to utilize the SSO creds within JetBrains IntelliJ; creds will not work and there is no way to re-authenticate without restarting the app.

Expected behavior
There should be a response within JetBrains IntelliJ to re-authenticate, as there is when restarting or connecting for the first time.


abrooksv commented 3 years ago

Forcing a log out does not actually invalidate the temporary credentials vended by SSO. The credentials will remain valid as long as the credentials from SSO are valid and in memory.

This differs from the CLI since the CLI can't store credentials in memory across CLI invocations.

If the credentials do expire though we should re-prompt you. Will try to reproduce that.

abrooksv commented 3 years ago

I was not able to reproduce this,

I ran aws sso logout and waited an hour for the STS SSO credentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) to expire.

After clicking refresh in the explorer, we re-prompted to open the web login because the access token had been removed by the aws sso logout.

jmezinko commented 3 years ago

If the creds expire for you normally, without forcing a logout, are you able to get access once again by clicking the refresh icon or do you have to restart the app?

abrooksv commented 3 years ago

When they are expired, the toolkit will re-trigger the login flow when it needs to make an AWS call. e.g. Refreshing the explorer

lmeadors commented 3 years ago

I see this daily - after using the plugin all day, my credentials will stop working (for my application), but when I hit refresh on the AWS Explorer pane, it appears to refresh, but my app still doesn't work. I'll verify again today, but it's been pretty consistent over the last week or two.

abrooksv commented 3 years ago

The AWS credentials within the IDE are kept in memory and stay working until they actually expire; SSO logout will prevent us from refreshing them when they do expire. If you start your application while in that state, the IDE will work, but your app will not (because it will need the SSO access token, which was invalidated by the SSO logout) until the SSO login is forced again.

There is not a way to force the credentials to refresh early today through the IDE.

I hope I explained that well. please ask if it is not clear.

Edit: Note that an SSO login using the CLI is visible to the IDE, and vice versa

lmeadors commented 3 years ago

Just to clarify - I'm not intentionally doing an sso logout, it's just happening under normal use (or the credentials are expiring or something).

I'll watch this more closely today and try to provide more details, but right now, what I'm seeing is this:

* I login to the AWS start page in the morning

* I login to SSO using IDEA

* I run my app as I'm working on it throughout the day

* At some point late in the day, my app stops working

* Refreshing the AWS Explorer does not help (or trigger a new login)

Is that expected/known behavior?

abrooksv commented 3 years ago

Just to clarify - I'm not intentionally doing an sso logout, it's just happening under normal use (or the credentials are expiring or something).

I'll watch this more closely today and try to provide more details, but right now, what I'm seeing is this:

* I login to the AWS start page in the morning

* I login to SSO using IDEA

* I run my app as I'm working on it throughout the day

* At some point late in the day, my app stops working

* Refreshing the AWS Explorer does not help (or trigger a new login)

Is that expected/known behavior?

You can check the expiration time of the access token; it is in ~/.aws/sso/cache

We don't expose the expiration time of the credentials in the IDE. I am not sure if the credentials expire time is always less than the remaining time of the access token though.

lmeadors commented 3 years ago

Thanks for helping with this - there are two files there (here are the names and expiration dates):

Currently, it's about 21:20 UTC - I suspect things will go bad for me around 23:17 when the first one expires.

abrooksv commented 3 years ago

The first file is the access token file. Once it expires you will need to redo SSO login in order to get new AWS temporary credentials.

lmeadors commented 3 years ago

It's 21:23 and as expected, my application will no longer run.

When I refresh the AWS Explorer, it flashes briefly and says "validating connection to aws", then shows the list of available resources (cloudformation, CW logs, etc...) again, but the application still won't run.

After restarting IDEA, the AWS Explorer pane now has the "Start SSO login" link on it. After clicking that, opening the browser, and signing into the CLI, the app runs again.

abrooksv commented 3 years ago

Okay, so it sounds like the AWS creds lasted longer than the access token. This kept the IDE running, but your app failed to convert the access token into AWS temporary creds.

lmeadors commented 3 years ago

Is that something that my application is responsible for? If so, how is that done?

abrooksv commented 3 years ago

The SDKs do not expose the SSO login flow today I believe, they can only retrieve credentials if you log in with the CLI or IDE first.

lmeadors commented 3 years ago

I see.

Can the plugin be modified to better detect (and recover from) this state?

abrooksv commented 3 years ago

I have confirmed with SSO team that the AWS credentials can last longer than the access token remaining expiration time.

Can the plugin be modified to better detect (and recover from) this state?

We currently do not have the APIs needed for this in the SDK. I can mark this as a feature request though so we can track discussing that with them.

@kiiadi What's your thoughts on this with respect to the connected execution feature set?

lmeadors commented 3 years ago

Thanks, gents.

@abrooksv - you mentioned that "an SSO login using the CLI is visible to the IDE, and vice versa" above - is that a feature of newer versions of the aws CLI? Since I can reproduce this every 12 hours or so, I left myself logged in overnight and checked again this morning - as expected, the aws explorer is still working, but my app isn't (heh, not beating a dead horse, just being clear).

I logged into the aws console via sso, then did aws sso login - as expected, after the prompts, the CLI is working, but my app still isn't. My aws CLI version is "aws-cli/2.0.48 Python/3.7.4 Darwin/20.2.0 exe/x86_64".

I'll try updating it and see if that helps. ¯\_(ツ)_/¯

If not, I'll restart IDEA and that should do the trick. Now that I have a workaround, it's not nearly as annoying. :)

abrooksv commented 3 years ago

How does your app retrieve AWS credentials and which SDK are you using?

lmeadors commented 3 years ago

I'm using the 2.16.11 version of the Java SDK - I set the aws.profile property on the VM (-Daws.profile=blah), and from there on, it's magic.

abrooksv commented 3 years ago

To clarify my statement about them being visible to each other: The CLI and the IDE should write/read the same access token file, not share the AWS credentials themselves.

The SDK should only read the same file.


If you have the capability of debugging the SDK, I would place a breakpoint here and confirm it is using the same access token file and expiration info

https://github.com/aws/aws-sdk-java-v2/blob/master/services/sso/src/main/java/software/amazon/awssdk/services/sso/internal/SsoAccessTokenProvider.java#L48

The true litmus test would be that the CLI works, so your app should work. Since both should be converting the access token into AWS credentials from scratch (versus the IDE that still has valid ones)

lmeadors commented 3 years ago

Updating to aws-cli/2.1.30 makes aws sso login and my app play together nicely. So somewhere between 2.0.48 and 2.1.30 this behavior changed for the better.

So now, I have 2 viable workarounds (aws sso login or restart idea).

abrooksv commented 3 years ago

Updating to aws-cli/2.1.30 makes aws sso login and my app play together nicely. So somewhere between 2.0.48 and 2.1.30 this behavior changed for the better.

So now, I have 2 viable workarounds (aws sso login or restart idea).

Glad that made it work.

There was a bug in the CLI that wrote the timestamp in a format that made the Java SDK fail to parse it, so it was always treated as expired. (The IDE wrote the correct format out.) It could have been that.

https://github.com/aws/aws-cli/pull/5826