ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License

existing entries in credentials file error #60

Closed heydonovan closed 1 year ago

heydonovan commented 2 years ago

We are unable to refresh tokens automatically if the session is expired. I created a new profile, test123, copy/pasted it, and it worked just fine. The workaround is to run a rm -f ~/.aws/credentials every time this happens, but I don't believe we should have to do this. Is this a bug?

I've tried to automate this but couldn't get it to work:

```ini
credential_process = bash -c "rm -f ~/.aws/credentials; gsts --idp-id=REDACTED --sp-id=REDACTED --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json"
```

```console
$ cat ~/.aws/config
[default]
output = json
region = us-east-1
source_profile = heydonovan

[profile heydonovan]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=heydonovan --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1

[profile test123]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=test123 --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1
$ aws sts get-caller-identity --profile heydonovan

An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
$ aws sts get-caller-identity --profile test123
{
    "UserId": "REDACTED:REDACTED",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACTED:assumed-role/REDACTED/REDACTED"
}
$ cat ~/.aws/credentials

[heydonovan]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-02T05:58:20.000Z
aws_session_token="REDACTED"

[test123]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-03T04:48:11.000Z
aws_session_token="REDACTED"
```

nickphbrown commented 2 years ago

@heydonovan FYI this is an aws-cli issue, see https://github.com/aws/aws-cli/issues/5109

heydonovan commented 2 years ago

@nickphbrown Thanks for the heads up! I've added a +1 to the thread and made a comment.

ruimarinho commented 1 year ago

This has been addressed on the next major of gsts, which focuses its functionality on serving as a good credential_process citizen (landing via https://github.com/ruimarinho/gsts/pull/82).

Thanks for your feedback!
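As an added example (not gsts code, nor the maintainer's fix), the following shows the cache check a "good credential_process citizen" needs so that an expired entry in `~/.aws/credentials` for one profile does not require deleting the whole file: it reads the file layout shown in the first post, compares `aws_session_expiration` against the current time with a safety margin, and either returns the `credential_process` JSON document or signals that a fresh SAML login is needed. The sample credentials file, the profile names and the 5-minute skew are constructed assumptions for illustration.

```python
"""Per-profile expiry check for a credential_process helper (example only)."""
import configparser
import json
import sys
from datetime import datetime, timedelta

# Constructed sample in the layout gsts wrote to ~/.aws/credentials in the issue.
SAMPLE_CREDENTIALS = """
[heydonovan]
aws_access_key_id=AKIA_EXAMPLE_1
aws_secret_access_key=SECRET_EXAMPLE_1
aws_session_token="TOKEN_EXAMPLE_1"
aws_session_expiration=2022-03-02T05:58:20.000Z

[test123]
aws_access_key_id=AKIA_EXAMPLE_2
aws_secret_access_key=SECRET_EXAMPLE_2
aws_session_token="TOKEN_EXAMPLE_2"
aws_session_expiration=2022-03-03T04:48:11.000Z
"""


def parse_iso_utc(value: str) -> datetime:
    # The file uses ISO-8601 with a trailing 'Z'; older fromisoformat()
    # does not accept 'Z', so normalise it to an explicit +00:00 offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cached_credentials(text: str, profile: str, now_iso: str,
                       skew: timedelta = timedelta(minutes=5)):
    """Return the credential_process JSON document for `profile` if its cached
    session is still valid at `now_iso` (minus `skew`), otherwise None so the
    caller knows to re-authenticate only this profile, not wipe the file."""
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cfg.read_string(text)
    if not cfg.has_section(profile):
        return None
    sec = cfg[profile]
    expires = parse_iso_utc(sec["aws_session_expiration"])
    if expires - skew <= parse_iso_utc(now_iso):
        return None  # expired or about to expire: a fresh SAML login is required
    return {
        "Version": 1,
        "AccessKeyId": sec["aws_access_key_id"],
        "SecretAccessKey": sec["aws_secret_access_key"],
        "SessionToken": sec["aws_session_token"].strip('"'),
        "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


if __name__ == "__main__":
    # Mimic credential_process: JSON on stdout when cached, non-zero exit otherwise.
    doc = cached_credentials(SAMPLE_CREDENTIALS, "test123", "2022-03-03T04:00:00Z")
    sys.exit(0 if doc and print(json.dumps(doc)) is None else 1)
```

The AWS CLI honours the `Expiration` field of the returned document, so a helper that emits it accurately lets the CLI re-invoke the process at the right time instead of reusing a stale token.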