AWS Developer Authentication using SAML provider linked to AWS account or SSO login without storing refresh tokens locally. Enables linked roles with multiple methods.
MIT License
Bug: aws-cli-auth InvalidClientTokenId Error and Ineffective Credential Clearing on MacOS #17
When attempting to use aws-cli-auth to fetch temporary credentials for AWS login via Okta, an error occurs during the process of updating the kubeconfig for an EKS cluster and when trying to switch to a target AWS account. The error message indicates an issue with validating credentials and mentions an InvalidClientTokenId.
I use https://github.com/common-fate/granted in the CLI to manage my AWS profiles, but it seems it throws up the same error if you do native CLI calls to assume the target role.
Additional troubleshooting steps included clearing the stale credential using aws-cli-auth clear-cache. There is an inconsistency with the command clear not functioning as expected in macOS with
To Reproduce
Steps to reproduce the behavior:
1. Execute the command to assume a profile:
aws-cli-auth saml -p "https://.okta.com/home/amazon_aws/xxxxx/xxxx" --principal "arn:aws:iam::012345678:saml-provider/PROVIDER-Okta" -r "arn:aws:iam::0123456789:role/TARGET-ROLE" -d 3600
2. In my case, using https://github.com/common-fate/granted: assume target-aws-profile
3. The error is displayed in the terminal.
Expected behavior
The expected behavior is the successful assumption of the specified AWS profile without encountering credential validation errors.
Screenshots
Desktop (please complete the following information):
OS: macOS Ventura
Version: 13.6.4 (22G513)
Additional context
aws-cli-auth versions tried:
aws-cli-auth version v0.13.5-81b8ef042464a06c8733f2ec74fb0224c2c4dd41
aws-cli-auth version v0.14.0-ac79bd26aa5d29c83895a6552514e45870536b1c
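The report above hits InvalidClientTokenId, which STS returns when the access key ID it is handed is not one it recognizes (a stale or wrong cached credential), as opposed to ExpiredToken, which means the key was valid but its session has lapsed. The following pre-flight check is an added example and is not code from the issue or from the aws-cli-auth project: it probes the profile with `aws sts get-caller-identity`, classifies the failure, and only then clears the cache and re-runs the SAML login with the flags the reporter used. The profile name, the OKTA_APP_URL, SAML_PROVIDER_ARN and ROLE_ARN variables, and the sample error lines are constructed for the example; the clear-cache step follows the reporter's description of its purpose.

```shell
#!/bin/sh
# Added example, not part of the issue or of aws-cli-auth.
# Assumed environment: OKTA_APP_URL, SAML_PROVIDER_ARN and ROLE_ARN are set
# to the same values the reporter passes to `aws-cli-auth saml`.

# Classify the stderr text of an `aws sts get-caller-identity` call.
# Prints one of: ok, invalid-token, expired, other.
classify_sts_error() {
    stderr="$1"
    case "$stderr" in
        "")                                   echo "ok" ;;
        *InvalidClientTokenId*)               echo "invalid-token" ;;  # key ID unknown to STS: stale/wrong cached credential
        *ExpiredToken*|*ExpiredTokenException*) echo "expired" ;;      # key was valid, session lapsed
        *)                                    echo "other" ;;
    esac
}

# Probe a profile against STS and classify the outcome.
# stdout of the aws call is discarded; only stderr is captured.
check_profile() {
    profile="$1"
    err=$(aws sts get-caller-identity --profile "$profile" 2>&1 >/dev/null) && err=""
    classify_sts_error "$err"
}

# Drop the cached credential and log in again via SAML, as in the report.
reauth() {
    aws-cli-auth clear-cache
    aws-cli-auth saml -p "$OKTA_APP_URL" \
        --principal "$SAML_PROVIDER_ARN" \
        -r "$ROLE_ARN" -d 3600
}

# Make sure a profile works before handing it to kubectl or granted.
# Returns 0 when the profile is usable, 1 otherwise.
ensure_credentials() {
    profile="$1"
    state=$(check_profile "$profile")
    case "$state" in
        ok) return 0 ;;
        invalid-token|expired)
            echo "credentials for $profile are $state; re-authenticating" >&2
            reauth && [ "$(check_profile "$profile")" = ok ] ;;
        *)
            echo "unexpected error for $profile (not a credential problem)" >&2
            return 1 ;;
    esac
}

# Usage (hypothetical profile name):
#   ensure_credentials target-aws-profile && aws eks update-kubeconfig --name my-cluster --profile target-aws-profile
```

The classifier keeps InvalidClientTokenId and ExpiredToken apart on purpose: an expired session is expected and a plain re-login fixes it, whereas an unknown key ID after a fresh login points at the cache or the profile wiring rather than at Okta, which is the case this issue describes.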