search

victorskl / yawsso

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials
MIT License
302 stars 26 forks source link

aws_session_expiration value is incorrect ...uses UTC time rather than the UTC timezone offset #49

Closed bmacauley closed 2 years ago

bmacauley commented 3 years ago

I am based in the UK and we are currently in British Summer Time (BST) The UTC offset for BST is UTC + 1:00

When I run yawsso it successfully creates the credentials in the 'credential' file for the specific SSO profile. In the credentials profile there is a variable called 'aws_session_expiration'. This variable is populated with the UTC time rather that UTC + 1 for the BST offset. (I assume its the default 1 hour expiry for an assumed role in IAM) . This means that the token has expired before i can use it and I get a token expired error.

Interestingly, if i manually change the 'aws_session_expiration' variable and add 1 hour or remove the aws_session_expiration' variable, the token works correctly ie the token is valid, but the 'aws_session_expiration' variable is written incorrectly or is not required

Also, i cannot find any documentation for this variable in the AWS CLI v1 documentation... https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

The sessionexpiration variable is written here... line 80-81 https://github.com/victorskl/yawsso/blob/c9165b479ae2809550ecef9d54a76e6a26263d6b/yawsso/cli.py#L80

PS You have done a great job here! This is a fantastic utility and fixes the mess that AWS have created with AWS CLI v2

victorskl commented 3 years ago

Thanks for reporting. I will study and rectify this.

victorskl commented 3 years ago

i cannot find any documentation for this variable

Yes, aws_session_expiration is used internally in yawsso for those with source_profile with assume role use cases.

I need a bit more info here. Thinking how to reproduce this...

This means that the token has expired before i can use it and I get a token expired error.