Closed et304383 closed 4 months ago
The code in question that needs to be removed:
https://github.com/victorskl/yawsso/blob/main/yawsso/core.py#L97
Ok, let me assess the situation a bit further. Agree on the view that it might be counterproductive to check expiry while we can just refresh the token.
I can reproduce this. I will make changes as advised - i.e. removing sso expiresAt check from yawsso.
Umm, I take it back. I have to understand a bit more how the aws sso cli cache file format works.
It's a little confusing but basically it's a token that's good for refreshing temporary role credentials. It's good for an hour.
When it expires, the SDK refreshes the SSO token with the refresh token.
To be honest I think you should be consistent like all other tools and just try the operation. If it doesn't work downstream because the refresh token expired, an appropriate error will be thrown from the CLI call. You shouldn't need to worry about that.
Yup, understood the situation, and I am about to do exactly as you said. However:
--
Because yawsso has no dependencies except aws cli v2 until now, I have to rely on the aws sso get-role-credentials [...] call with the flag --access-token, where the value comes from the sso cache, whose lifetime is governed by the expiresAt value.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/get-role-credentials.html
I suppose aws cli should introduce a --refresh-token flag in the get-role-credentials subcommand there too, since they started supporting OIDC refresh tokens now.
At the mo:
aws sso get-role-credentials \
--output json \
--profile dev \
--region ap-southeast-2 \
--role-name AdministratorAccess \
--account-id <snip> \
--access-token <Value taken from sso cache field: accessToken>
... which makes yawsso break; a bit harder without refreshToken flag support there. Meaning, yawsso will need to make aws sso login every 1 hour, regardless.
Anyhow, let me keep tinkering around to see how to work around it and make use of refreshToken. As a last resort, I'll have to add boto as a dependency...
Correction: it needs to use a refreshToken to refresh accessToken in the sso cache file. It seems the cache value of accessToken from ~/.aws/sso/cache/<session_id>.json hasn't refreshed.
I'm still investigating/debugging this... how aws cli handles refreshToken. It might be that it just refreshes accessToken on the fly, instead of re-updating accessToken inside the sso cache json file.
If it helps, I have a workaround right now where I delete my cli cache and then call aws sts get-caller-identity (against any profile) to force a refresh of the SSO token if necessary, as internally the CLI will first try to refresh the role credentials and, if needed, refresh the SSO token.
Then I call yawsso.
Yup. Thinking very similarly around making use of aws sts get-caller-identity...
CLI has its own cache (ls -lrt ~/.aws/cli/cache); it seems to use refreshToken to update credentials there? I could be wrong.
Ok, getting there.
Thanks for sharing your workaround. I will see to it.
Alright, done with debugging. The sso accessToken is rotated along with the cli credential cache. Understood now. In that case, we can simplify the expiry check with an aws sts get-caller-identity call as you suggest. Easy! I will work on it.
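As an added illustration of the approach the thread settles on (this is not yawsso's own code and comes from neither participant): read the accessToken from the sso cache the way the get-role-credentials call needs it, but decide whether the session is usable by trying aws sts get-caller-identity rather than comparing expiresAt, and fall back to aws sso login only when that live call fails. The command runner is injectable; FakeCli is a constructed stand-in for the aws CLI so the flow can be exercised offline, and its error text and account values are invented.

```python
"""Added example (not yawsso's code): gate on a live STS call, not on expiresAt."""
import json
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Sequence

# A runner takes an argv list and returns a CompletedProcess; injectable for tests.
Runner = Callable[[Sequence[str]], subprocess.CompletedProcess]


def real_run(cmd: Sequence[str]) -> subprocess.CompletedProcess:
    # Never raise on non-zero exit; callers inspect returncode themselves.
    return subprocess.run(list(cmd), capture_output=True, text=True)


def load_sso_access_token(cache_dir: Optional[Path] = None) -> Optional[str]:
    """Return the accessToken from the newest ~/.aws/sso/cache/*.json file.

    This is the value a `--access-token` argument would be built from. The
    file's expiresAt is deliberately ignored: the CLI can refresh the token
    with the refresh token, so expiresAt alone does not mean the session is dead.
    """
    cache_dir = cache_dir or Path.home() / ".aws" / "sso" / "cache"
    newest = None  # (mtime, token)
    for path in cache_dir.glob("*.json"):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip, don't crash
        token = data.get("accessToken")
        if token:
            mtime = path.stat().st_mtime
            if newest is None or mtime > newest[0]:
                newest = (mtime, token)
    return newest[1] if newest else None


def caller_identity(profile: str, run: Runner = real_run) -> Optional[Dict[str, str]]:
    """Try the operation: parsed get-caller-identity JSON, or None if the CLI failed.

    The CLI refreshes the SSO access token itself while the refresh token is
    valid, so this succeeds even after the cache's expiresAt has passed.
    """
    proc = run(["aws", "sts", "get-caller-identity", "--profile", profile, "--output", "json"])
    if proc.returncode != 0:
        return None
    return json.loads(proc.stdout)


def ensure_session(profile: str, run: Runner = real_run) -> Dict[str, str]:
    """Return a working identity, running `aws sso login` only as a last resort."""
    identity = caller_identity(profile, run)
    if identity is not None:
        return identity
    login = run(["aws", "sso", "login", "--profile", profile])
    if login.returncode != 0:
        raise RuntimeError(f"aws sso login failed for profile {profile}")
    identity = caller_identity(profile, run)
    if identity is None:
        raise RuntimeError(f"no working session for profile {profile} after login")
    return identity


class FakeCli:
    """Constructed stand-in for the aws CLI (hypothetical behaviour, offline only).

    STS calls fail until `aws sso login` has run, modelling an expired refresh token.
    """

    def __init__(self, refresh_token_expired: bool) -> None:
        self.refresh_token_expired = refresh_token_expired
        self.logged_in = False
        self.calls: List[List[str]] = []

    def __call__(self, cmd: Sequence[str]) -> subprocess.CompletedProcess:
        cmd = list(cmd)
        self.calls.append(cmd)
        if cmd[1:3] == ["sso", "login"]:
            self.logged_in = True
            return subprocess.CompletedProcess(cmd, 0, "", "")
        if cmd[1:3] == ["sts", "get-caller-identity"]:
            if self.logged_in or not self.refresh_token_expired:
                body = {"Account": "123456789012", "Arn": "arn:aws:sts::123456789012:assumed-role/dev/x"}
                return subprocess.CompletedProcess(cmd, 0, json.dumps(body), "")
            return subprocess.CompletedProcess(cmd, 255, "", "constructed error: SSO token expired")
        raise AssertionError(f"unexpected command {cmd}")


def constructed_cache_dir() -> Path:
    """Write one constructed sso cache file (stale expiresAt) to a temp dir."""
    d = Path(tempfile.mkdtemp())
    entry = {"accessToken": "constructed-access-token", "expiresAt": "2020-01-01T00:00:00Z"}
    (d / "0123abcd.json").write_text(json.dumps(entry))
    return d


if __name__ == "__main__":
    cli = FakeCli(refresh_token_expired=True)
    print(ensure_session("dev", run=cli)["Account"])  # logs in once, then succeeds
    print(load_sso_access_token(constructed_cache_dir()))  # token read despite stale expiresAt
```

The point of the design is that the stale expiresAt in the constructed cache file never causes an early exit; only a failed live call triggers a login, which matches the "just try the operation" advice above.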
Any updates here @victorskl ?
Sorry folks. Out a bit with extended camping trip. I am back for the year. I will resume working on this.
Think I have an idea/solution for the fix. Will make an RC this weekend.
It should be fixed with 1.2rc1. Let me know any feedback, if any.
pip install -U yawsso==1.2.0rc1
yawsso --version
yawsso 1.2.0rc1
yawsso-1.2.0 is out!
pip install -U yawsso==1.2.0
This should attempt auto-refresh as long as the refresh token lives...
Better yet, try the auto subcommand; this will auto login as a last resort when the refresh token itself has expired...
yawsso auto --profile dev
I have been dealing with AWS support for a while and it appears that the expiresAt parameter is not accurate as the refresh token should still be valid.
Yet yawsso just exits out whenever you try to run it after the expiresAt value has passed (which is usually only one hour).
So please just ignore the value and continue to ask for new credentials just as the auto refresh would work within the CLI.