ryansonshine / aws-sso-creds-helper

A command line util for using SSO credentials with AWS SDK on AWS CLI v2 until native support is released
MIT License

UnauthorizedException: Session token not found or invalid #57

Closed colesiegel closed 1 year ago

colesiegel commented 1 year ago

ssocreds was working well for me for the past few months but today when I attempt to run it, I receive errors about session token not found or invalid.

I confirmed that the aws profile I am using has active credentials as I was able to perform AWS CLI commands. This error occurs for both existing AWS profiles and ones which I have newly added.

aws configure sso --profile prod
SSO start URL [https://redacted.awsapps.com/start#/]:
SSO Region [eu-west-2]:
There are 2 AWS accounts available to you.
Using the account ID redacted
The only role available to you is: Triage
Using the role name "Triage"
CLI default client Region [eu-west-2]:
CLI default output format [json]:

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile prod
2022-03-16 13:54:06 redacted-bucket-name

ssocreds --profile prod --debug
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.16
[aws-sso-creds-helper]: ===========
[aws-sso-creds-helper]: SYSTEM INFO
[aws-sso-creds-helper]: ===========
[aws-sso-creds-helper]: AWS CLI Version aws-cli/2.7.7 Python/3.9.13 Darwin/22.1.0 source/arm64 prompt/off
[aws-sso-creds-helper]: OS darwin 22.1.0
[aws-sso-creds-helper]: Node v16.18.0
[aws-sso-creds-helper]: ==============
[aws-sso-creds-helper]: PROFILE CONFIG
[aws-sso-creds-helper]: ==============
[aws-sso-creds-helper]:       Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     prod           manual    --profile
access_key     ****************G2OR              sso    
secret_key     ****************phNg              sso    
    region                eu-west-2      config-file    ~/.aws/config

[aws-sso-creds-helper]: Getting SSO credentials for profile prod
[aws-sso-creds-helper]: Reading config from /Users/cole.siegel/.aws/config
[aws-sso-creds-helper]: Full profile name for lookup is profile prod
[aws-sso-creds-helper]: Profile data:, {
  "region": "eu-west-2",
  "output": "json",
  "sso_start_url": "https://redacted.awsapps.com/start",
  "sso_region": "eu-west-2",
  "sso_account_id": "redacted",
  "sso_role_name": "Triage"
}
[aws-sso-creds-helper]: Setting AWS.SharedIniFileCredentials to profile prod
[aws-sso-creds-helper]: Found 3 cache files in /Users/cole.siegel/.aws/sso/cache
[aws-sso-creds-helper]: Checking 0d92c2431dc84b346c32051db8c475a0cd0aa25a.json in /Users/cole.siegel/.aws/sso/cache/0d92c2431dc84b346c32051db8c475a0cd0aa25a.json
[aws-sso-creds-helper]: Reading /Users/cole.siegel/.aws/sso/cache/0d92c2431dc84b346c32051db8c475a0cd0aa25a.json
[aws-sso-creds-helper]: Configuration is a credential config
[aws-sso-creds-helper]: Credential is NOT expired
[aws-sso-creds-helper]: Credential start url https://redacted.awsapps.com/start/ matches profile sso start url https://redacted.awsapps.com/start
[aws-sso-creds-helper]: Initialized SSO service object with region eu-west-2
[aws-sso-creds-helper]: Failed to get role credentials
[aws-sso-creds-helper]: Error is NOT an ExpiredCredsError
[aws-sso-creds-helper]: Error is NOT an AwsSdkError
[aws-sso-creds-helper]: Failed to load SSO credentials for prod
[aws-sso-creds-helper]: Session token not found or invalid
[aws-sso-creds-helper]: UnauthorizedException: Session token not found or invalid
    at Object.extractError (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.extractError (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/protocol/rest_json.js:49:8)
    at Request.callListeners (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/cole.siegel/.config/yarn/global/node_modules/aws-sdk/lib/request.js:688:12)

To resolve the issue, I had to delete my ~/.aws/credentials entries as well as the contents of ~/.aws/sso/cache. After adding the profiles back, I am now able to run ssocreds successfully and use the SDK, although there is a message about invalid JSON.

➜ ~ ssocreds --profile dev
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.16
[aws-sso-creds-helper]: Getting SSO credentials for profile dev
[aws-sso-creds-helper]: Ignoring invalid json, SyntaxError: Unexpected token in JSON at position 0
[aws-sso-creds-helper]: Successfully loaded SSO credentials for profile dev
➜ ~ ssocreds --profile prod
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.16
[aws-sso-creds-helper]: Getting SSO credentials for profile prod
[aws-sso-creds-helper]: Ignoring invalid json, SyntaxError: Unexpected token in JSON at position 0
[aws-sso-creds-helper]: Successfully loaded SSO credentials for profile prod

Any suggestions as to what could have caused this, or how to properly resolve it? As far as I can see nothing changed recently in this library. Given the AWS profile / SSO process itself is working without issue, I am not sure why ssocreds suddenly fails to retrieve the token. Does the invalid JSON message indicate some other issue?

Environment

ryansonshine commented 1 year ago

@all-contributors please add @colesiegel for bugs

allcontributors[bot] commented 1 year ago

@ryansonshine

I've put up a pull request to add @colesiegel! :tada:

github-actions[bot] commented 1 year ago

:tada: This issue has been resolved in version 1.8.17 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

ryansonshine commented 1 year ago

Thanks for the detailed bug report, @colesiegel!

> ssocreds was working well for me for the past few months but today when I attempt to run it, I receive errors about session token not found or invalid

It's hard to say what exactly was going on, but if I were to hazard a guess I'd think something in your config or credentials file was invalid. The course you took with clearing out the credentials and cache then recreating is the easiest path to resolution.

> Any suggestions as to what could have caused this, or how to properly resolve it?

It looks like you have a file in your ~/.aws/sso/cache directory that contains invalid json but ssocreds still ends up finding the credentials while iterating through the cache files. I've put in a fix that should avoid reading the files containing invalid JSON.

Please update to the latest version (v1.8.17) with the following command and feel free to reopen if the issue persists:

npm install -g aws-sso-creds-helper@latest
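
The cache scan that the debug log walks through, together with the fix described in this comment (skip cache files that contain invalid JSON), sketched as an added example; this is not code from aws-sso-creds-helper. The function names, rejection labels and sample cache entries are constructed, and the field names assume the AWS CLI v2 SSO cache layout.

```javascript
// Added illustration, not the aws-sso-creds-helper source. Field names assume
// the AWS CLI v2 SSO cache layout; every sample value below is constructed.

// Compare start URLs without fragment or trailing slashes, so ".../start/",
// ".../start#/" and ".../start" are treated as the same portal.
function normalizeStartUrl(url) {
  return url.split('#')[0].replace(/\/+$/, '');
}

// files: [{ name, text }] as read from ~/.aws/sso/cache.
// Returns the first usable token plus the reason each earlier file was skipped.
function selectCachedToken(files, profileStartUrl, now = new Date()) {
  const wanted = normalizeStartUrl(profileStartUrl);
  const skipped = [];
  for (const { name, text } of files) {
    let doc;
    try {
      doc = JSON.parse(text);
    } catch (err) {
      skipped.push({ name, reason: 'invalid-json' }); // skip, do not abort
      continue;
    }
    let reason = null;
    const expiry = new Date(doc && doc.expiresAt);
    if (!doc || typeof doc.accessToken !== 'string' || typeof doc.startUrl !== 'string') {
      reason = 'not-a-credential'; // e.g. the OIDC client registration file
    } else if (Number.isNaN(expiry.getTime()) || expiry <= now) {
      reason = 'expired-or-undated';
    } else if (normalizeStartUrl(doc.startUrl) !== wanted) {
      reason = 'start-url-mismatch';
    }
    if (reason) { skipped.push({ name, reason }); continue; }
    return { name, token: doc, skipped };
  }
  return { name: null, token: null, skipped };
}

const tok = (startUrl, accessToken, expiresAt) =>
  JSON.stringify({ startUrl, region: 'eu-west-2', accessToken, expiresAt });
const SAMPLE_CACHE = [
  { name: 'corrupt.json', text: '\u0000not json' },
  { name: 'client.json', text: JSON.stringify({ clientId: 'c', clientSecret: 's', expiresAt: '2030-01-01T00:00:00Z' }) },
  { name: 'old.json', text: tok('https://example.awsapps.com/start', 'constructed-old', '2022-01-01T00:00:00Z') },
  { name: 'live.json', text: tok('https://example.awsapps.com/start/', 'constructed-live', '2030-01-01T00:00:00Z') },
];
const NOW = new Date('2022-11-10T12:00:00Z');
const result = selectCachedToken(SAMPLE_CACHE, 'https://example.awsapps.com/start#/', NOW);
console.log(result.name, result.skipped.map((s) => `${s.name}:${s.reason}`).join(' '));
```

Passing these local checks does not make a token valid to the service: in the debug log above the cached credential was reported as not expired and the role-credentials request still failed with UnauthorizedException.
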

colesiegel commented 1 year ago

Cheers @ryansonshine, I figured the first issue would be difficult to nail down, but at least we've got a simple resolution.

I got the latest version and I don't have the invalid json error anymore, thanks a lot.

➜  ~ ssocreds --version
1.8.17
➜  ~ ssocreds --profile dev
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.17
[aws-sso-creds-helper]: Getting SSO credentials for profile dev
[aws-sso-creds-helper]: Successfully loaded SSO credentials for profile dev
➜  ~ ssocreds --profile default
[aws-sso-creds-helper]: AWS SSO Creds Helper v1.8.17
[aws-sso-creds-helper]: Getting SSO credentials for profile default
[aws-sso-creds-helper]: Successfully loaded SSO credentials for profile default