okta / okta-aws-cli

A CLI for having Okta as the IdP for AWS CLI operations
https://github.com/okta/okta-aws-cli

Token cache issue in okta-aws-cli: reauthentication required after every 3 aws accounts #198

Closed nikitaromm closed 1 week ago

nikitaromm commented 4 months ago

Version:

okta-aws-cli version v2.1.2

Description:

Currently, when utilizing okta-aws-cli for multiple accounts within a loop while setting OKTA_AWSCLI_CACHE_ACCESS_TOKEN=true, after every 3 accounts, it disregards the $HOME/.okta/awscli-access-token.json file and prompts for re-authentication.

Steps to Reproduce:

Expected Behavior:

The expectation is that the same $HOME/.okta/awscli-access-token.json token remains valid and can be utilized seamlessly across all accounts within the loop without the need for re-authentication.
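A small diagnostic wrapper for the loop described above, added here as an example and not code from the okta-aws-cli project. It runs one invocation per account and records the state of the `$HOME/.okta/awscli-access-token.json` cache file (the path named in the report) after each iteration, so the iteration at which the cached token is discarded or replaced becomes visible in the log. The actual per-account command is an assumption: it is passed in as a shell snippet string that receives the account id as `$1`, and the default value is only a placeholder.

```shell
#!/bin/sh
# Diagnostic wrapper for repeated okta-aws-cli invocations (added example, not
# part of the project). The cache path is the one named in the issue; it can be
# overridden for testing. The per-account command is supplied by the caller.
CACHE_FILE="${OKTA_AWSCLI_CACHE_FILE:-$HOME/.okta/awscli-access-token.json}"

# Placeholder for the real per-account invocation (assumption; substitute the
# okta-aws-cli command line you actually use, referencing the account as $1).
DEFAULT_CMD='echo "would run okta-aws-cli for account $1" >&2'

# cache_state FILE: prints "present <cksum>" or "missing". A changed checksum
# means the token was replaced (re-authentication happened); "missing" means
# the cache file was discarded.
cache_state() {
  if [ -f "$1" ]; then
    sum=$(cksum < "$1" | cut -d' ' -f1)
    printf 'present %s\n' "$sum"
  else
    printf 'missing\n'
  fi
}

# run_accounts CMD ACCOUNT...: runs CMD once per account with the cache enabled,
# logs cache state after each run to stderr, and prints the 1-based index of
# the first iteration at which the cache state changed (0 if it never did).
run_accounts() {
  cmd="$1"; shift
  i=0
  first_change=0
  prev=$(cache_state "$CACHE_FILE")
  printf 'before loop cache: %s\n' "$prev" >&2
  for acct in "$@"; do
    i=$((i + 1))
    status=0
    OKTA_AWSCLI_CACHE_ACCESS_TOKEN=true sh -c "$cmd" sh "$acct" || status=$?
    cur=$(cache_state "$CACHE_FILE")
    printf 'iteration %d account %s exit %d cache: %s\n' "$i" "$acct" "$status" "$cur" >&2
    if [ "$cur" != "$prev" ] && [ "$first_change" -eq 0 ]; then
      first_change=$i
    fi
    prev="$cur"
  done
  echo "$first_change"
}

# Usage: run_accounts "$DEFAULT_CMD" 111111111111 222222222222 333333333333
```

The function prints only the index of the first change on stdout; everything else goes to stderr, so the result can be captured in a script while the per-iteration trace stays readable. Run the real command non-interactively (or watch for the prompt) so a forced re-authentication shows up as a non-zero exit or a changed checksum rather than silently succeeding.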

monde commented 4 months ago

@nikitaromm is the OIDC client id the same for each invocation? The cached access token is bound to the client id.

nikitaromm commented 4 months ago

@monde yes, we are using the same OIDC client id for each invocation. It worked in the past and we were able to use the same token for 15+ AWS accounts with no problem.

monde commented 4 months ago

@nikitaromm thanks for the confirmation. I'm interested to see what this odd and apparently deterministic behavior is all about.

nikitaromm commented 4 months ago

@monde sure, please let me know which details you require.