common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

AWS SDK for Node.js doesn’t recognize my authentication because the AWS_PROFILE environment variable is set #574

Closed natesilva closed 6 months ago

natesilva commented 6 months ago

I am using assume to authenticate to my organization, which uses SSO.

At the command-line, this works. But when I run an app that uses the AWS SDK for Node.js, v3, (@aws-sdk/client-secrets-manager) it fails to use my credentials and reports:

CredentialsProviderError: The SSO session token associated with profile=<redacted> was not found or is invalid. To refresh this SSO session run 'aws sso login' with the corresponding profile.

I have to run the old aws sso login command to make it work.

This is happening because assume has set the AWS_PROFILE environment variable. The SDK uses this to look up the profile in .aws/config, sees that it is an SSO-enabled profile, and looks for cached SSO credentials.

Workarounds

Is there any advice for how to deal with this? Can assume not set AWS_PROFILE?

JoshuaWilkes commented 6 months ago

Hey @natesilva, have you tried following this recipe to configure a credential process? https://docs.commonfate.io/granted/recipes/credential-process

You can configure a credential process on the profile, and changing the SSO args to be prefixed with granted ensures that SDKs use Granted instead of trying to find the SSO token in the default cache.

natesilva commented 6 months ago

Thank you, it works now. I missed that step apparently.
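
The configuration change discussed in this thread, as an added example that is not part of the original issue or the Granted project's code: a constructed `~/.aws/config` with a native SSO profile beside a credential-process profile, and a check that flags when `AWS_PROFILE` points at the former. The profile names, start URL, account ID, role name and the `classify_profiles` / `profile_needs_fix` helpers are assumptions; the `granted_sso_*` keys and `credential_process` line follow the shape of the linked recipe.

```python
import configparser

# Constructed sample config; URL, account ID and role name are placeholders.
SAMPLE_CONFIG = """
[profile native-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = ExampleRole

[profile via-granted]
granted_sso_start_url = https://example.awsapps.com/start
granted_sso_region = us-east-1
granted_sso_account_id = 123456789012
granted_sso_role_name = ExampleRole
credential_process = granted credential-process --profile via-granted
"""


def classify_profiles(config_text):
    """Map each profile name to how an SDK is expected to resolve it.

    Simplified heuristic based on the behaviour described in the thread:
    unprefixed sso_* keys make the SDK look for a cached SSO token.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    result = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        keys = set(parser[section])  # configparser lowercases key names
        if any(k.startswith("sso_") for k in keys):
            result[name.strip()] = "sdk-sso-cache"
        elif "credential_process" in keys:
            result[name.strip()] = "credential-process"
        else:
            result[name.strip()] = "other"
    return result


def profile_needs_fix(config_text, env):
    """True if AWS_PROFILE names a profile the SDK will treat as native SSO."""
    active = env.get("AWS_PROFILE")
    return classify_profiles(config_text).get(active) == "sdk-sso-cache"


if __name__ == "__main__":
    print(classify_profiles(SAMPLE_CONFIG))
```

To check a real setup, pass the contents of `~/.aws/config` and `os.environ` to `profile_needs_fix`.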