thomasmichaelwallace / serverless-better-credentials

Better AWS credentials resolution plugin for serverless
MIT License

Unhelpful error when SSO session has expired #13

Open villelahdenvuo opened 1 year ago

villelahdenvuo commented 1 year ago

Describe the bug

It was working fine, but suddenly I got an error saying:

CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

To Reproduce

Steps to reproduce the behavior:

  1. Login via AWS SSO
  2. Run a serverless command
  3. All works
  4. Wait for session to expire
  5. Run a serverless command
  6. See the error

Expected behavior

A warning should be displayed and a new session could be started automatically.

Screenshots

➜  ses-forwarder git:(develop) ✗ AWS_SDK_LOAD_CONFIG=1 npx sls deploy

Deploying ses-forwarder to stage prod (eu-west-1)

Error:
CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
    at ProcessCredentials.load (.../mygrano-serverless/node_modules/aws-sdk/lib/credentials/process_credentials.js:80:11)

Additional context

After refreshing the CLI session manually it works again.

thomasmichaelwallace commented 1 year ago

Interesting - that error's actually originating from the aws-sdk itself, rather than the plugin.

Do you mind sharing your ~/.aws/config file (redacting any numbers/keys/role-names 😄) as it looks like you're using a custom credential_process approach to supporting SSO, rather than the built-in SSO support provided by this plugin.

If that's the case, it may be that the Process Credentials response is relying on credentials cached by the aws-cli, rather than rotating them itself.

villelahdenvuo commented 1 year ago

@thomasmichaelwallace Actually we just use the normal AWS SSO setup e.g.

[profile shared-developer]
sso_account_id = XXXXXXXXXXX
sso_role_name = FoobarAccess
sso_start_url = https://company-portal.awsapps.com/start/
sso_region = eu-west-1
region = eu-west-1
output = json

And I have defined AWS_PROFILE=shared-developer

I don't know why the SDK throws that error if the session is expired, perhaps I need to open a bug on the SDK itself.
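As an added example (my own code, not the plugin's and not from anyone in this thread): a small pre-flight check that reproduces the "warning" half of the expected behaviour above. It assumes the token cache layout written by the AWS CLI v2 after `aws sso login`: one JSON file per SSO start URL under `~/.aws/sso/cache/`, each carrying a `startUrl` and an ISO-8601 `expiresAt` timestamp in UTC. The start URL and the sample cache entry are constructed to match the profile posted above; the 15-minute "expiring" window is my own choice.

```python
"""Pre-flight check for an expired AWS SSO session (added example, not plugin code).

Assumption: the AWS CLI v2 stores SSO tokens as JSON files in ~/.aws/sso/cache/
with at least the fields "startUrl" and "expiresAt" (ISO-8601, UTC, trailing "Z").
"""
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

WARN_WITHIN = timedelta(minutes=15)  # how close to expiry we start warning


def parse_utc(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; the CLI writes a trailing 'Z' for UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # be defensive about naive timestamps
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def session_status(entry: dict, now_iso: Optional[str] = None) -> str:
    """Classify a cache entry as 'valid', 'expiring' or 'expired'.

    `now_iso` lets callers (and tests) pin the clock; default is the real UTC now.
    """
    now = parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    expires_at = parse_utc(entry["expiresAt"])
    if expires_at <= now:
        return "expired"
    if expires_at - now <= WARN_WITHIN:
        return "expiring"
    return "valid"


def find_cache_entry(start_url: str, cache_dir: str) -> Optional[dict]:
    """Locate the cached token for a given sso_start_url, tolerating unrelated files."""
    directory = Path(cache_dir).expanduser()
    if not directory.is_dir():
        return None
    for path in directory.glob("*.json"):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip, do not crash
        if data.get("startUrl") == start_url and "expiresAt" in data:
            return data
    return None


def check_profile(start_url: str, cache_dir: str = "~/.aws/sso/cache",
                  now_iso: Optional[str] = None) -> str:
    """Return 'missing', 'expired', 'expiring' or 'valid' for the given start URL."""
    entry = find_cache_entry(start_url, cache_dir)
    if entry is None:
        return "missing"
    return session_status(entry, now_iso)


# Constructed sample: the shape the CLI writes after `aws sso login` (token redacted).
SAMPLE_START_URL = "https://company-portal.awsapps.com/start/"
SAMPLE_ENTRY = {
    "startUrl": SAMPLE_START_URL,
    "region": "eu-west-1",
    "accessToken": "<redacted>",
    "expiresAt": "2023-01-01T10:00:00Z",
}

ADVICE = {
    "missing": "no cached SSO token for this start URL; run `aws sso login --profile <profile>`",
    "expired": "SSO session has expired; run `aws sso login --profile <profile>`",
    "expiring": "SSO session expires soon; consider re-running `aws sso login`",
    "valid": "SSO session looks valid",
}

if __name__ == "__main__":
    # Against the real cache directory this prints a human-readable hint
    # instead of the SDK's generic CredentialsError.
    status = check_profile(SAMPLE_START_URL)
    print(f"{status}: {ADVICE[status]}")
```

Run it before `sls deploy`; a wrapper could refuse to continue on `expired` or `missing` and print the `aws sso login` hint instead of letting the SDK fall through to the unhelpful `Missing credentials in config` message.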

herebebogans commented 10 months ago

@villelahdenvuo try adding

https://github.com/benkehoe/aws-sso-util

as a credential_process helper.

So for your example

~/.aws/config

credential_process = aws-sso-util credential-process --profile shared-developer

villelahdenvuo commented 10 months ago

@herebebogans That should not be necessary, it's the whole point of this plugin.

adminy commented 6 months ago

https://stackoverflow.com/a/59314284/4316850

Is it to do with the + and / signs?

I'm getting The security token included in the request is invalid (Service: AmazonIdentityManagement; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 67ab759b-9995-4b27-8d31-00ab6e1e831d; Proxy: null)