Closed Frosty1442 closed 1 year ago
I believe this is due to an issue with how the Toolkit creates the connection. Do you know which region your IAM Identity Center start URL is in? If it's not us-east-1 then that could cause problems. The other issue may be related to the Toolkit requesting CodeWhisperer scopes. Both problems should be fixed by #3023.
Also experiencing this. Commenting for updates. Believe this is related to/duplicate of 3009.
FYI - my IAM identity center start URL is in us-east-1
Same issue.
Same Issue
Same Issue
same issue
Same Issue
Same here
Thanks for the reports. @droddy @ChristianTashev @Port-Wallis-Technologies @cosmincatalin can you describe the steps that preceded the issue? We are trying to narrow down the circumstances when this happens. "Invalid grant" can be returned by the auth service under various conditions.
Can you confirm that AWS CLI works and is using the same region as AWS Toolkit?
The repository I use for reference is https://github.com/cosmincatalin/rust-playground. I start a codespace environment based on the .devcontainer in said repository. I use the latest version of the toolkit.
Trying to configure from the CLI is successful
I follow the same steps as above but get slightly different results which is leading me to suspect a config issue on my part or the plugin needed an upgrade.
Firstly, I will note that CLI is not functioning as I would expect so it is unsurprising that VSCode is confused.
So, off the top, the instructions here are incorrect as I see them:
but I see this
so that is one bit of weirdness.
I also do not see a sso-session section in my .aws/config file although I do see the "abc" profile set up
and yes, this is after I login with the abc profile
Now, the final bit of weirdness. If I select my root account from the available list (which, no, is not good practice) I see everything I expect (a bunch of buckets). The other accounts that I have used all have the policy "AWSS3FullAccess" attached to them and so SHOULD return the same results from an S3 ls but they get an empty list (as seen above).
My thinking is that aws configure sso is doing something weird and that is hopelessly confusing vscode
oh, and I am always happy to answer questions.
I can confirm that I do NOT have the latest CLI ... 2.8.3 is where I am. Guess that is what I get for using winget to install things. Hold tight and I will get this fixed.
so .. vscode blows up badly trying to create a new connection but if I use the configured ROOT profile (yes bad practice) it works fine
Edited to add, this is the result of the attempt to create a new profile in vscode.
Now suspecting a privileges issue. Is there a role/policy that needs to be included?
@Port-Wallis-Technologies, I've tried with root credentials without success.
I've got the same issue. Any update on resolution?
Same issue here.
The configured credentials in .aws/config work but the impromptu connection attempts give the InvalidGrantException error.
Later edit: In fact it does not work, it only appeared to work due to some manual configurations I had active.
Original: With the release 1.68.0, it seems to work fine for me.
1.68.0 did not fix the issue for me
With AWS Toolkit 1.68, you can now choose a region for the SSO connection in AWS Toolkit. Please try re-creating the "IAM Identity Center" connection in AWS Toolkit and select the region specific to your SSO org.
Because "invalid grant" may be returned by the server for other reasons, this won't solve all cases, but please let us know if it helps!
I've noticed the region selector, however, it did not seem to change the unfortunate outcome.
But, if I initially configure the ~/.aws/config using aws configure sso, the profile will appear in the AWS ToolKit, that did not happen before, so there is some progress.
Issue continues after 1.68.0
My logs say that the token is expired, but I just went through the process of authentication on my web browser when started with the toolkit.
2023-04-13 13:11:38 [ERROR]: log level: info
2023-04-13 13:11:39 [INFO]: Retrieving AWS endpoint data
2023-04-13 13:11:39 [INFO]: OS: Linux x64 5.10.167-147.601.amzn2.x86_64
2023-04-13 13:11:39 [INFO]: Visual Studio Code extension host: 1.77.2
2023-04-13 13:11:39 [INFO]: AWS Toolkit: 1.68.0
2023-04-13 13:11:39 [INFO]: node: 16.14.2
2023-04-13 13:12:30 [ERROR]: _aws.auth.reauthenticate: Error: Unable to authenticate connection
-> ExpiredToken: The security token included in the request is expired (statusCode: 403; requestId: c181a9ce-0719-4ad8-9f96-f8438ddcbdbc)
2023-04-13 13:12:33 [ERROR]: _aws.auth.reauthenticate: Error: Unable to authenticate connection
-> ExpiredToken: The security token included in the request is expired (statusCode: 403; requestId: 4882e00a-550e-4a56-9209-1c9ff42f538f)
2023-04-13 13:12:34 [ERROR]: aws.login: TypeError: r.listConnections is not a function
2023-04-13 13:12:34 [ERROR]: aws.login: TypeError: r.listConnections is not a function
2023-04-13 13:12:48 [WARN]: AwsContext: no default region in credentials profile, falling back to us-east-1: profile:default
2023-04-13 13:14:09 [ERROR]: API response (oidc.us-east-1.amazonaws.com /token): {
name: 'InvalidGrantException',
'$fault': 'client',
'$metadata': {
httpStatusCode: 400,
requestId: 'XXXXXX',
extendedRequestId: undefined,
cfId: undefined
},
error: 'invalid_grant',
error_description: 'Invalid grant provided',
message: 'UnknownError'
}
2023-04-13 13:14:09 [ERROR]: aws.auth.addConnection: InvalidGrantException: UnknownError
2023-04-13 13:16:39 [INFO]: telemetry: sent batch (size=20)
2023-04-13 13:16:39 [INFO]: telemetry: sent batch (size=14)
Issue continues for me after 1.68.0 as well:
2023-04-13 11:13:38 [ERROR]: API response (oidc.us-east-1.amazonaws.com /token): {
name: 'InvalidGrantException',
'$fault': 'client',
'$metadata': {
httpStatusCode: 400,
requestId: '5ec4ded0-e4d8-4556-9daa-cc88cf839628',
extendedRequestId: undefined,
cfId: undefined
},
error: 'invalid_grant',
error_description: 'Invalid grant provided',
message: 'UnknownError'
}
2023-04-13 11:13:38 [DEBUG]: SSO registration cache: clear succeeded for key '{"region":"<omitted>","scopes":["codewhisperer:analysis","codewhisperer:completions"]}'
2023-04-13 11:13:38 [ERROR]: aws.codeWhisperer.sso: Error: Failed to connect to IAM Identity Center [FailedToConnect]
-> InvalidGrantException: UnknownError
I am facing the same problem.
2023-04-14 10:18:00 [ERROR]: log level: info
2023-04-14 10:18:00 [INFO]: Retrieving AWS endpoint data
2023-04-14 10:18:00 [INFO]: OS: Darwin x64 22.4.0
2023-04-14 10:18:00 [INFO]: Visual Studio Code extension host: 1.77.3
2023-04-14 10:18:00 [INFO]: AWS Toolkit: 1.68.0
2023-04-14 10:18:00 [INFO]: node: 16.14.2
2023-04-14 10:18:00 [INFO]: electron: 19.1.11
2023-04-14 10:19:02 [ERROR]: API response (oidc.ap-southeast-2.amazonaws.com /token): {
name: 'InvalidGrantException',
'$fault': 'client',
'$metadata': {
httpStatusCode: 400,
requestId: '85659e66-c1a5-40fe-802a-894077ade75d',
extendedRequestId: undefined,
cfId: undefined
},
error: 'invalid_grant',
error_description: 'Invalid grant provided',
message: 'UnknownError'
}
2023-04-14 10:19:02 [ERROR]: aws.codeWhisperer.sso: Error: Failed to connect to IAM Identity Center [FailedToConnect]
-> InvalidGrantException: UnknownError
Any suggestions on things I could try to workaround this annoying problem?
Okay so I was able to make this work in my environment and not sure if it will help others but I missed an important step in setup which is to add the user (I am using IAM Identity Center) to Code Whisperer (step 8 mentioned here https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#codewhisperer-setup-enterprise-admin-authorize). After completing that step I was able to connect via AWS Toolkit. Hope this helps others.
I experienced these problems until I installed the aws CLI on windows, and did aws configure sso as shown in the screenshots from Port-Wallis-Technologies, thanks :). I think something is still wrong though... it should work with just VS Code right?
Doesn't work either for me. I have created my accounts through AWS Control Tower, using IAM identity center as well, but I created this in the eu-west-3 region, not us-east-1. Should it still work?
I tried to connect through the "Connect to AWS to Get Started" which gave me the error:
And then I tried to connect with the CodeWhisperer Start button, which is the same workflow, apparently, but gives another error:
I don't know if this can help, or if it's not relevant to know.
Looks like there is a manual setup required to make CodeWhisperer work. The error message could help by pointing people to docs here: https://docs.aws.amazon.com/codewhisperer/latest/userguide/setting-up.html
Thanks @jeevanullas. The link you provided fixed my issue. I was also having the problems connecting through Identity Center. Once I granted access to the users that needed it, I tried again and now connected. Follow this link: https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#codewhisperer-setup-enterprise-admin-authorize and check off the users that need access.
This is nonsense. Why do we have to subscribe to Code Whisper Professionals in order to connect to IAM Identity Center via AWS Toolkit VSCode? We will have to pay $19/user/month for Code Whisper Professionals, so basically it means we must pay in order to connect to IAM Identity Center
The same issue for ca-central. Why am I allowing AWS to connect my IDE to the code whisperer? I don't even know if this integration will unseeingly collect my local code to your servers to do some AI magic. They should be optional.
Why do we have to subscribe to Code Whisper Professionals in order to connect to IAM Identity Center via AWS Toolkit VSCode?
Not required. AWS Toolkit users can choose to use CodeWhisperer with AWS Builder Id (instead of IAM Identity Center).
If there's a particular circumstance I'm missing, would you mind creating a new issue describing your particular combination of feature-usage?
Why am I allowing AWS to connect my IDE to the code whisperer?
CodeWhisperer won't be activated unless you click Start under CodeWhisperer in AWS Toolkit to sign in. However we are thinking about making this more explicit, see https://github.com/aws/aws-toolkit-vscode/issues/3329#issuecomment-1511995971.
@haufam @semanur-prenuvo
The most recent Toolkit version will no longer always request CodeWhisperer scopes when adding an IAM Identity Center connection. If you've already added a connection you will need to use the "AWS: Sign out" command and start over.
@Frosty1442 @BwL1289 @malikalimoekhamedov @dvfariaf-bops @droddy @ChristianTashev @Port-Wallis-Technologies @cosmincatalin @johnfischbeck @yfengBTI @OrYairWaterCooler @jeevanullas @thehappycheese @oyatrides @azizur @BigKatGalarraga
Most of the causes for InvalidGrantException should be fixed in v1.70.0, however, it's still possible to run into this problem when trying to use CodeWhisperer without enabling it in IAM Identity Center. It's also possible to see "Invalid grant provided" in the browser when using an incorrect region. As long as you do not explicitly login through the CodeWhisperer node and select a valid region then you should have no problems. There should not be CodeWhisperer scopes in the consent page.
After connecting to IAM Identity Center, any AWS account/roles that you have access to will show if you click "Select IAM Credentials to View Resources" in the AWS explorer. Available accounts/roles will also show when clicking the AWS status bar item.
Let us know if there are any more problems!
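A log-triage sketch for the two causes named in this thread (an incorrect SSO region, and CodeWhisperer scopes on the connection), added here as an example; it is not part of the original thread or the Toolkit's code. The log and config text are constructed samples in the formats quoted above, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample: Toolkit log lines in the format quoted in this thread.
SAMPLE_LOG = """\
2023-04-14 10:19:02 [ERROR]: API response (oidc.us-east-1.amazonaws.com /token): {
name: 'InvalidGrantException',
error: 'invalid_grant',
}
2023-04-14 10:19:02 [DEBUG]: SSO registration cache: clear succeeded for key '{"region":"us-east-1","scopes":["codewhisperer:analysis","codewhisperer:completions"]}'
"""

# Constructed sample of ~/.aws/config as written by `aws configure sso`.
SAMPLE_CONFIG = """\
[profile abc]
sso_session = example
[sso-session example]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-3
"""

TOKEN_RE = re.compile(r"API response \(oidc\.([a-z0-9-]+)\.amazonaws\.com /token\)")
SCOPES_RE = re.compile(r'"scopes":\[([^\]]*)\]')

def configured_sso_regions(config_text):
    """Collect every sso_region value from an AWS shared config file."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(config_text)
    return {cp[s]["sso_region"] for s in cp.sections() if "sso_region" in cp[s]}

def triage(log_text, config_text):
    """Return (finding, detail) tuples for the causes named in the thread."""
    configured = configured_sso_regions(config_text)
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        token_call = TOKEN_RE.search(line)
        # The error name is logged on the lines right after the endpoint line.
        failed = any("InvalidGrantException" in l for l in lines[i + 1:i + 4])
        if token_call and failed and configured and token_call.group(1) not in configured:
            findings.append(("region-mismatch", token_call.group(1)))
        scopes = SCOPES_RE.search(line)
        if scopes and "codewhisperer:" in scopes.group(1):
            findings.append(("codewhisperer-scopes", scopes.group(1)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_CONFIG):
        print(finding)
```

A region-mismatch finding means the token request went to an OIDC endpoint in a region that no sso_region entry in the config names; a codewhisperer-scopes finding means the connection was registered with CodeWhisperer scopes, which fails when CodeWhisperer is not enabled for the user in IAM Identity Center.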
Thanks @JadenSimon !
Thanks @JadenSimon, it now works without Code Whisperer
Locked the issue so that the resolution stays visible. Please create a new issue if you run into a (new/different) problem.
Note: this issue isn't closed, it's just locked to pause comments.
Latest release of AWS Toolkit (1.75) includes #3498 which should reduce the frequency of InvalidGrantException.
Has anyone here noticed improvements?
For people like me still having issues, I figured out that if you try to connect CW before setting up the SSO credentials and default region, it would save something in VSCode cache that will mess up future attempts. If you see more profiles than you have in the AWS config then you have the same as me.
Clearing the AppData\Roaming\Code folder did the trick although it's a bit nuclear, clearing Cache folders did not solve the issue, I guess there is a specific cache folder for aws IdP in vscode.
@abaschen Thanks for mentioning those steps, we will investigate.
System details (run the AWS: About Toolkit command)
OS: Linux x64 6.0.12-300.fc37.x86_64
Visual Studio Code extension host: 1.74.1
AWS Toolkit: 1.60.0
node: 16.14.2
electron: 19.1.8
Question
I am able to connect using IAM Identity Center just fine from the AWS CLI, but when I try to do so from the AWS Toolkit extension I get the following error message after pressing "Allow" in SSO:
aws.auth.addConnection: InvalidGrantException: UnknownError
Since this is my first time using the AWS Toolkit for VSCode, I am not sure what could be causing the above error and I am looking for troubleshooting steps.
Thanks!