bmacauley closed 2 years ago
Thanks for reporting. I will study and rectify this.
I cannot find any documentation for this variable
Yes, aws_session_expiration is used internally in yawsso for those with source_profile with assume role use cases.
I need a bit more info here. Thinking how to reproduce this...
source_profile in your ~/.aws/config? Can you share your config (pls mask out account ID / role / etc)
aws_session_expiration variable used in yawsso and, I find it no issue logic-wise -- i.e. it gets stored in UTC and compares expiration in UTC.
This means that the token has expired before I can use it and I get a token expired error.
--debug or --trace to see any useful info there.
I am based in the UK and we are currently in British Summer Time (BST). The UTC offset for BST is UTC + 1:00.
When I run yawsso it successfully creates the credentials in the 'credential' file for the specific SSO profile. In the credentials profile there is a variable called 'aws_session_expiration'. This variable is populated with the UTC time rather than UTC + 1 for the BST offset. (I assume it's the default 1 hour expiry for an assumed role in IAM.) This means that the token has expired before I can use it and I get a token expired error.
Interestingly, if I manually change the 'aws_session_expiration' variable and add 1 hour, or remove the 'aws_session_expiration' variable, the token works correctly, i.e. the token is valid, but the 'aws_session_expiration' variable is written incorrectly or is not required.
Also, I cannot find any documentation for this variable in the AWS CLI v1 documentation... https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
The sessionexpiration variable is written here... lines 80-81 https://github.com/victorskl/yawsso/blob/c9165b479ae2809550ecef9d54a76e6a26263d6b/yawsso/cli.py#L80
PS You have done a great job here! This is a fantastic utility and fixes the mess that AWS have created with AWS CLI v2
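An added example, not code from yawsso or from this thread: it shows how an expiry timestamp written as UTC wall-clock time without an offset can look already expired to a reader that treats it as local time in UTC+1, and how an explicit offset removes the ambiguity. The timestamp format, the function names, the sample date and the local-time reader are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed UTC+1 offset standing in for BST (constructed for this example).
BST = timezone(timedelta(hours=1), "BST")
NAIVE_FMT = "%Y-%m-%d %H:%M:%S"  # assumed format, no offset field

def write_naive_utc(expiry):
    """Ambiguous form: UTC wall-clock time with the offset dropped."""
    return expiry.astimezone(timezone.utc).strftime(NAIVE_FMT)

def write_with_offset(expiry):
    """Unambiguous form: ISO 8601 with an explicit UTC offset."""
    return expiry.astimezone(timezone.utc).isoformat()

def expired_if_read_as(text, now, assumed_tz):
    """A reader that has to guess the zone of a naive timestamp."""
    expiry = datetime.strptime(text, NAIVE_FMT).replace(tzinfo=assumed_tz)
    return now >= expiry

def expired_aware(text, now):
    """A reader that refuses timestamps without an offset."""
    expiry = datetime.fromisoformat(text)
    if expiry.tzinfo is None:
        raise ValueError("expiry has no UTC offset; refusing to guess")
    return now >= expiry

def demo():
    # Constructed scenario: credentials issued at 12:00 UTC (13:00 BST)
    # with a one-hour lifetime, checked one minute after issue.
    issued = datetime(2021, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    expiry = issued + timedelta(hours=1)
    now = issued + timedelta(minutes=1)
    naive = write_naive_utc(expiry)
    return {
        "naive_text": naive,
        "read_as_local_bst": expired_if_read_as(naive, now, BST),
        "read_as_utc": expired_if_read_as(naive, now, timezone.utc),
        "aware": expired_aware(write_with_offset(expiry), now),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these constructed values, only the reader that interprets the naive string as local BST time reports the credentials as expired, which matches the symptom of the value needing one hour added by hand.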