common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Error refreshing AWS IAM Identity Center token #736

Open dannysteenman opened 1 month ago

dannysteenman commented 1 month ago

I'm getting the following error when assuming a role where the cache of the SSO session is expired:

[15-08-2024 19:10:26] [INFO] Assuming role: Website/AdministratorAccess

[✘] error refreshing AWS IAM Identity Center token: operation error SSO OIDC: CreateToken, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://oidc.eu-west-1.amazonaws.com/token": tls: failed to verify certificate: x509: certificate is valid for *.webio.com, not oidc.eu-west-1.amazonaws.com

then I need to reload my terminal and this happens when assuming the role:

[15-08-2024 19:10:40] [INFO] Assuming role: Website/AdministratorAccess
[✘] error refreshing AWS IAM Identity Center token: operation error SSO OIDC: CreateToken, https response error StatusCode: 400, RequestID: b380066b-4c50-4560-aaa8-9cad12eec5fb, InvalidGrantException:
[i] If the browser does not open automatically, please open this link: https://device.sso.eu-west-1.amazonaws.com/?user_code=TMWD-JPNH
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: TMWD-JPNH

then I can sign into SSO and it works again.

For debugging purposes I ran the granted doctor command:

❯ granted doctor

[i] Checking your Granted and AWS local configurations to look for common issues...

? Please select the profile you would like to assume: Website/AdministratorAccess
[i] profile selected: Website/AdministratorAccess

[i] profile SSO start URL: https://d-<replaced>.awsapps.com/start

[i] profile region:

[i] Granted doctor will now check the default sso token cache (`~/.aws/sso/cache`), Granted secure storage, and the AWS credentials file to valiate cached tokens.

[i] Checking all cached credentials in `/.aws/sso/cache`

[i] No valid cached credentials found in `/.aws/sso/cache`

[i] Checking all cached tokens in secure storage

[✔] [VALID] Credentials found for  are still valid
[!] [INFO] no cached tokens in secure storage found

[i] Checking commonly found issues in Granted configuration

[!] [INFO] DefaultExportAllEnvVar set to true. Automatic credential renewal is disabled.

[✔] Granted Doctor has completed, see diagnostics above

These are my Granted settings:

SETTING                         VALUE
update-checker-api-url          update.api.granted.dev:443
Keyring                         map[Backend:0x1400011f8b0 FileDir:<nil> KeychainName:<nil> LibSecretCollectionName:<nil>]
DefaultExportAllEnvVar          true
ProfileRegistryURLS             []
CommonFateDefaultSSORegion
ProfileRegistry                 map[PrefixAllProfiles:false PrefixDuplicateProfiles:false Registries:[] RequiredKeys:map[] SessionName: Variables:map[]]
DefaultBrowser                  FIREFOX
CustomSSOBrowserPath            /opt/homebrew/bin/firefox
CommonFateDefaultSSOStartURL
AccessRequestURL
CustomBrowserPath               /opt/homebrew/bin/firefox
Ordering                        Frecency
ExportSSOToken                  false
DisableCredentialProcessCache   false
CredentialProcessAutoLogin      true
SSO                             map[]
ExportCredentialSuffix
ExportCredsToAWS                false
DisableUsageTips                true

This is the AWS config profile:

[profile Website/AdministratorAccess]
granted_sso_start_url      = https://d-<replaced>.awsapps.com/start
granted_sso_region         = eu-west-1
granted_sso_account_id     = 123456789012
granted_sso_role_name      = AdministratorAccess
granted_sso_registration_scopes = sso:account:access
credential_process         = granted credential-process --profile Website/AdministratorAccess

Did I mess something up in my settings or is it a bug?
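The first error in the report above is worth separating from the SSO problem. Granted is written in Go, and the text "tls: failed to verify certificate: x509: certificate is valid for *.webio.com, not oidc.eu-west-1.amazonaws.com" is Go's crypto/tls wrapping an x509.HostnameError: the TLS session to the AWS OIDC endpoint was terminated by something presenting a certificate for *.webio.com, so the bytes never reached AWS and no amount of re-login fixes that request. The following Go program is an added illustration, not code from Granted or from the reporter; it builds a constructed self-signed certificate with the wildcard SAN from the error, runs Go's hostname check against the AWS endpoint, and distinguishes a hostname mismatch (wrong endpoint answered) from other failures. The names newLeafCert, checkEndpointCert and Diagnosis are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newLeafCert builds a self-signed certificate whose only SAN is san.
// It is a constructed stand-in for whatever answered on port 443 in the
// report above; the wildcard *.webio.com is taken from the error text.
func newLeafCert(san string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: san},
		DNSNames:     []string{san},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Diagnosis tells the operator what the failure means for the next step.
type Diagnosis int

const (
	DiagOK            Diagnosis = iota
	DiagWrongEndpoint           // SAN mismatch: the TLS peer is not the AWS endpoint
	DiagOther                   // some other certificate problem
)

func (d Diagnosis) String() string {
	switch d {
	case DiagOK:
		return "certificate matches host"
	case DiagWrongEndpoint:
		return "wrong endpoint answered (proxy, captive portal or DNS redirect); re-login will not help"
	default:
		return "other certificate error"
	}
}

// checkEndpointCert applies the same hostname check crypto/tls performs
// and classifies the result. A HostnameError is exactly the
// "certificate is valid for X, not Y" message seen in the report.
func checkEndpointCert(cert *x509.Certificate, host string) (Diagnosis, error) {
	err := cert.VerifyHostname(host)
	if err == nil {
		return DiagOK, nil
	}
	var hErr x509.HostnameError
	if errors.As(err, &hErr) {
		return DiagWrongEndpoint, err
	}
	return DiagOther, err
}

func main() {
	cert, err := newLeafCert("*.webio.com") // constructed proxy-style certificate
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"oidc.eu-west-1.amazonaws.com", "api.webio.com"} {
		d, err := checkEndpointCert(cert, host)
		fmt.Printf("%-32s %s\n  err=%v\n", host, d, err)
	}
}
```

When this diagnosis fires in a real session, the useful next check is `openssl s_client -connect oidc.eu-west-1.amazonaws.com:443 -servername oidc.eu-west-1.amazonaws.com` from the same network to see who is actually presenting that *.webio.com certificate; the InvalidGrantException that appears after the terminal reload is a separate condition on the refresh token and is not caused by this one.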
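The granted doctor output above reports "No valid cached credentials found in ~/.aws/sso/cache" and, for the second failure, CreateToken returned a 400 InvalidGrantException, which is the OIDC service rejecting the refresh grant so a fresh device-authorization login is required. The program below is an added example of the kind of check doctor performs over that cache directory; it is not Granted's code. It assumes the JSON layout the AWS CLI writes under ~/.aws/sso/cache (fields startUrl, region, accessToken, refreshToken, expiresAt; client-registration files carry clientId/clientSecret and no accessToken) and accepts both the RFC 3339 expiresAt form and the older "...UTC" suffix form. The sample files, and the names classifyToken and scanSSOCache, are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// ssoCacheFile lists only the fields this check needs from a cache file.
// Assumption: field names follow the AWS CLI / Granted cache JSON.
type ssoCacheFile struct {
	StartURL     string `json:"startUrl"`
	Region       string `json:"region"`
	AccessToken  string `json:"accessToken"`
	RefreshToken string `json:"refreshToken"`
	ExpiresAt    string `json:"expiresAt"`
}

type TokenStatus int

const (
	StatusValid    TokenStatus = iota
	StatusExpired              // past expiresAt; a refreshToken may still be accepted by CreateToken
	StatusNotToken             // a client-registration file, or unparseable
)

// Constructed sample files (not real credentials).
const sampleToken = `{"startUrl":"https://d-example.awsapps.com/start","region":"eu-west-1",` +
	`"accessToken":"eyJ-constructed","refreshToken":"aor-constructed","expiresAt":"2024-08-15T17:10:26Z"}`
const sampleRegistration = `{"clientId":"constructed-id","clientSecret":"constructed-secret",` +
	`"expiresAt":"2024-11-13T17:10:26Z"}`

// parseExpiry accepts RFC 3339 and the older "2006-01-02T15:04:05UTC"
// layout; both are treated as UTC (assumption).
func parseExpiry(s string) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339, s); err == nil {
		return t, nil
	}
	return time.Parse("2006-01-02T15:04:05UTC", s)
}

// classifyToken decides whether one cache file holds a usable access token
// at time now. Registration files (no accessToken) are reported, not judged.
func classifyToken(raw []byte, now time.Time) (TokenStatus, *ssoCacheFile, error) {
	var f ssoCacheFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return StatusNotToken, nil, err
	}
	if f.AccessToken == "" {
		return StatusNotToken, &f, nil
	}
	exp, err := parseExpiry(f.ExpiresAt)
	if err != nil {
		return StatusNotToken, &f, fmt.Errorf("bad expiresAt %q: %w", f.ExpiresAt, err)
	}
	if !now.Before(exp) {
		return StatusExpired, &f, nil
	}
	return StatusValid, &f, nil
}

// scanSSOCache walks dir like a doctor-style check and returns one report
// line per *.json file.
func scanSSOCache(dir string, now time.Time) ([]string, error) {
	paths, err := filepath.Glob(filepath.Join(dir, "*.json"))
	if err != nil {
		return nil, err
	}
	var report []string
	for _, p := range paths {
		raw, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		name := filepath.Base(p)
		st, f, err := classifyToken(raw, now)
		switch {
		case err != nil:
			report = append(report, fmt.Sprintf("[!] %s: %v", name, err))
		case st == StatusNotToken:
			report = append(report, fmt.Sprintf("[i] %s: client registration, skipped", name))
		case st == StatusExpired:
			hint := "refresh token present; a CreateToken InvalidGrantException means it was rejected and a new login is needed"
			if f.RefreshToken == "" {
				hint = "no refresh token; login required"
			}
			report = append(report, fmt.Sprintf("[!] %s: token for %s expired at %s (%s)", name, f.StartURL, f.ExpiresAt, hint))
		default:
			report = append(report, fmt.Sprintf("[✔] %s: token for %s valid until %s", name, f.StartURL, f.ExpiresAt))
		}
	}
	return report, nil
}

func main() {
	dir, err := os.MkdirTemp("", "sso-cache-example") // stands in for ~/.aws/sso/cache
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "token.json"), []byte(sampleToken), 0o600)
	_ = os.WriteFile(filepath.Join(dir, "botocore-client-id.json"), []byte(sampleRegistration), 0o600)
	lines, err := scanSSOCache(dir, time.Date(2024, 8, 15, 19, 10, 26, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```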

shwethaumashanker commented 1 month ago

@dannysteenman Can you please try running granted settings set -s=CredentialProcessAutoLogin --value true, let us know if that fixes it for you

dannysteenman commented 1 month ago

@dannysteenman Can you please try running granted settings set -s=CredentialProcessAutoLogin --value true, let us know if that fixes it for you

Thanks for your quick response, as you can see in my granted settings it was already enabled:

CredentialProcessAutoLogin      true