common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

assume succeeds but aws sts get-caller-identity fails #593

Open muraleee opened 5 months ago

muraleee commented 5 months ago

Platform: WSL2 on Windows 10
OS: Ubuntu 22.04

I am able to run "assume" and choose a role. However, `aws sts get-caller-identity` fails with the following error:

Unable to locate credentials. You can configure credentials by running "aws configure"

I tried setting AWS_PROFILE to the profile selected in the assume command; however, after that I get the following:

Error when retrieving token from sso: Token has expired and refresh failed

totogtr commented 5 months ago

I do have the same issue.

I can run aws commands with --profile but granted/assume keeps saying: Unable to locate credentials. You can configure credentials by running "aws configure". I did not find anything related to that on the docs troubleshooting page.

Same thing when running granted sso generate for a fresh .aws/config

Conrix commented 5 months ago

Same here, I can assume but `aws sts get-caller-identity` fails with "The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile." Looks a bit like a problem with a sub shell. But I am new to granted and didn't dig deeper. I might be completely wrong.

shwethaumashanker commented 5 months ago

@muraleee @totogtr Can you please try running `alias | grep assume` and see if your shell alias is set up correctly (if you get an output like `assume='source assume'` or `assume='. assume'`)? If not, you can manually configure your alias.

shwethaumashanker commented 5 months ago

@Conrix Can you please try clearing your `~/.aws/sso/cache`?

Conrix commented 5 months ago

@shwethaumashanker I cleaned the cache but the problem persists: Error loading SSO Token: Token for https://XXXXXXXXXXXXX/start does not exist

btw: alias | grep assume outputs: assume='. assume'

shwethaumashanker commented 5 months ago

@Conrix Can you please run `cat ~/.granted/config` and send us the output? Could you also please send an example of a profile from `~/.aws/config` that has this issue? (Feel free to remove account ID and other sensitive data.)

totogtr commented 5 months ago

@shwethaumashanker thanks, my alias looks like this (fish shell):

alias | grep assume
alias assume 'source /usr/local/bin/assume.fish'

shwethaumashanker commented 5 months ago

Thanks, @totogtr, that does look right! What do you get when you run `env | grep AWS` after assuming a role?

totogtr commented 4 months ago

After using assume

[✔] [my-account](us-west-2) session credentials will expire in 2 hours

I get nothing in env related to AWS.

chrnorm commented 4 months ago

@totogtr could you please try updating the alias in your fish config as follows and let us know if it fixes the issue?

alias assume 'source /usr/local/bin/assume.fish --export-all-env-vars'

totogtr commented 4 months ago

Thanks, tried it but it doesn't seem to change anything. Running `assumego` and manually setting the variable with `export AWS_ACCESS_KEY_ID=myresultaccesskey` etc., similarly to what is done at the end of /usr/local/bin/assume.fish, does work.

JeffDuss commented 4 months ago

Hi, we had the same problem and found the fix.

The command 'alias assume' returned nothing. We created the file ~/.bash_profile and added -> alias assume="source assume"

OR

run assumego

You can find this in the documentation : https://docs.commonfate.io/granted/troubleshooting#manually-configuring-your-shell-profile
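
Why the alias has to source `assume`, as an added example that is not part of the thread or of granted's own code: a child process cannot change the environment of the shell that started it, so exported variables reach your shell only when the script is sourced. The helper file, the `DEMO_AWS_PROFILE` variable and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added illustration; the helper script and DEMO_* names are constructed.

# Write a stand-in for a credential helper that only exports a variable.
make_helper() {
  f="$(mktemp)"
  printf '%s\n' 'export DEMO_AWS_PROFILE="example-profile"' > "$f"
  printf '%s\n' "$f"
}

# Run the helper as a child process, then report what the caller sees.
run_as_child() {
  unset DEMO_AWS_PROFILE
  sh "$1"
  printf '%s\n' "${DEMO_AWS_PROFILE:-<unset>}"
}

# Source the helper into the calling shell, then report what it sees.
run_sourced() {
  unset DEMO_AWS_PROFILE
  . "$1"
  printf '%s\n' "${DEMO_AWS_PROFILE:-<unset>}"
}

# Classify one line of `alias | grep assume` output.
# Returns 0 when the alias sources the script (bash/zsh or fish form).
alias_sources_assume() {
  case "$1" in
    *"assume='source "*|*"assume='. "*) return 0 ;;
    "alias assume 'source "*) return 0 ;;
    *) return 1 ;;
  esac
}

helper="$(make_helper)"
echo "child process: $(run_as_child "$helper")"
echo "sourced:       $(run_sourced "$helper")"
rm -f "$helper"
```
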

arusa commented 4 months ago

I have the same problem. Everything worked fine yesterday, and today, after upgrading granted from 0.17.1 to 0.20.7 using brew, it doesn't work anymore.

assume works fine and everything looks good, but running aws ssm start-session... fails with the error:

Error loading SSO Token: Token for https://d-XXXXXXX.awsapps.com/start does not exist

The alias looks good and also AWS_* environment variables get defined (AWS_PROFILE, AWS_REGION, AWS_DEFAULT_REGION)

I can also see the credentials for the AWS_profile in .aws/credentials

arusa commented 3 months ago

When looking into ~/.aws/config I saw

credential_process = aws-sso-util credential-process --profile XXXXXXXX

So I tried to execute this command manually to see if there are any errors. The output was:

Login required. Use `aws-sso-util login --profile XXXXXXX` or `aws sso login --profile XXXXXXXX` and try again.

So I manually executed this aws-sso-util login command, which again started the auth process with the SSO website and resulted in "Login succeeded".

After that manual step I was able to access AWS again using aws-cli and terraform.

p3nda commented 2 months ago

> When looking into ~/.aws/config I saw
>
> credential_process = aws-sso-util credential-process --profile XXXXXXXX
>
> So I tried to execute this command manually to see if there are any errors. The output was:
>
> Login required. Use `aws-sso-util login --profile XXXXXXX` or `aws sso login --profile XXXXXXXX` and try again.
>
> So I manually executed this aws-sso-util login command, which again started the auth process with the SSO website and resulted in "Login succeeded".
>
> After that manual step I was able to access AWS again using aws-cli and terraform.

This worked for me.

decisivedevops commented 3 days ago

> @muraleee @totogtr Can you please try running `alias | grep assume` and see if your shell alias is set up correctly (if you get an output like `assume='source assume'` or `assume='. assume'`)? If not, you can manually configure your alias.

This worked for me to resolve the "Unable to locate credentials." issue on Linux Mint 21.3.