thomasmichaelwallace / serverless-better-credentials

Better AWS credentials resolution plugin for serverless
MIT License

Error: The security token included in the request is invalid #7

Closed marcossv9 closed 2 years ago

marcossv9 commented 2 years ago

Describe the bug
When running serverless deploy using the plugin in Linux (Ubuntu 20.04.1) I get the following error and I can't deploy to the environment:

Error:
The security token included in the request is invalid

To Reproduce
Steps to reproduce the behavior:

  1. install serverless-better-credentials plugin using npm
  2. add the plugin at the top of the plugins section in serverless.yaml file
  3. run export AWS_SDK_LOAD_CONFIG=1
  4. run aws sso login
  5. run serverless deploy
  6. I get the following error:
Error:
The security token included in the request is invalid

Expected behavior
Serverless app gets deployed in the AWS environment.

Screenshots

 serverless deploy
Running "serverless" from node_modules

Deploying my_app to stage sandbox (us-east-2)
✔ serverless-better-credentials: credentials resolved from config ini profile: AWS_PROFILE (sandbox)
Using Python specified in "runtime": python3.8
Packaging Python WSGI handler...

✖ Stack my_app failed to deploy (9s)
Environment: linux, node 16.14.2, framework 3.20.0 (local) 3.19.0v (global), plugin 6.2.2, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
The security token included in the request is invalid


Additional context
Can this be an issue related to Linux OS?

thomasmichaelwallace commented 2 years ago

Interesting -

Something which stands out to me is the line credentials resolved from config ini profile - that means that your ~/.aws/config file's section under the profile [sandbox] has a valid configuration for loading directly from the config file (i.e. a key, secret and maybe session token). Because of this, the plugin is using those credentials (which seem to be invalid) instead of using SSO.

On the assumption that you do want to use this plugin to handle your SSO, can you make sure your config only has the following sections under the profile you want to use (from https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html):

[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json

Let me know how you get on 😄
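
An added check (not part of the plugin or of this thread) that reads an ~/.aws/config body and reports which profiles carry static keys beside their SSO settings, the situation described above where the plugin resolves the static credentials and never reaches SSO; SAMPLE_CONFIG and every value in it are constructed placeholders, and the 'mixed'/'static'/'sso' labels are this example's own naming.

```python
import configparser
from typing import Dict, List

# Keys that let the SDK build credentials directly from the profile section;
# keys that together define an SSO profile (see the AWS CLI docs quoted above).
STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key"}
SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}

# Constructed sample ~/.aws/config; every value is a placeholder.
SAMPLE_CONFIG = """\
[profile sandbox]
sso_start_url = https://d-PLACEHOLDER.awsapps.com/start#/
sso_region = us-east-2
sso_account_id = 000000000000
sso_role_name = MyRole
aws_access_key_id = AKIAPLACEHOLDER
aws_secret_access_key = PLACEHOLDERSECRET

[profile dev]
sso_start_url = https://d-PLACEHOLDER.awsapps.com/start
sso_region = us-east-1
sso_account_id = 000000000000
sso_role_name = readOnly

[profile legacy]
aws_access_key_id = AKIAPLACEHOLDER
aws_secret_access_key = PLACEHOLDERSECRET
"""

def diagnose_profiles(config_text: str) -> Dict[str, str]:
    """Map profile name -> 'sso', 'static', 'mixed', 'incomplete-sso' or 'none'.
    'mixed' means static keys sit beside SSO settings, so SSO is never consulted."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    result: Dict[str, str] = {}
    for section in parser.sections():
        # Non-default profiles are written "[profile <name>]" in ~/.aws/config.
        name = section[len("profile "):] if section.startswith("profile ") else section
        keys = set(parser[section].keys())  # configparser lower-cases key names
        has_static = STATIC_KEYS <= keys
        sso_present = keys & SSO_KEYS
        if has_static:
            result[name] = "mixed" if sso_present else "static"
        elif sso_present:
            result[name] = "sso" if sso_present == SSO_KEYS else "incomplete-sso"
        else:
            result[name] = "none"
    return result

def shadowed_profiles(config_text: str) -> List[str]:
    """Profiles whose SSO settings are shadowed by static keys (this issue's case)."""
    return sorted(n for n, s in diagnose_profiles(config_text).items() if s == "mixed")
```

Run it against the real file with diagnose_profiles(open(os.path.expanduser("~/.aws/config")).read()); any profile reported as 'mixed' will log "credentials resolved from config ini profile" rather than going through SSO.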

marcossv9 commented 2 years ago

Hey @thomasmichaelwallace, thanks for your suggestion.

I checked my config file for the profile I'm using, and looks good:

[profile sandbox]
sso_start_url = https://d-XXXXXXX.awsapps.com/start#/
sso_region = us-east-2
sso_account_id = XXXXXXXX
sso_role_name = MyRole
region = us-east-2
output = json

marcossv9 commented 2 years ago

Not sure why the plugin didn't work on my end, but I ended up using this npm package that solved my issue.

thomasmichaelwallace commented 2 years ago

No worries - the best I can do is that it still works for me on our legacy stack.

Although, probably worth mentioning that the aws-cdk isn't as bad as it used to be, and supports SSO out of the box.