victorskl / yawsso

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials
MIT License

yawsso needs to ignore the expiresAt parameter in .aws/sso/cache/<thing>.json #90

Closed et304383 closed 4 months ago

et304383 commented 7 months ago

I have been dealing with AWS support for a while and it appears that the expiresAt parameter is not accurate as the refresh token should still be valid.

Yet yawsso just exits out whenever you try to run it after the expiresAt value has passed (which is usually only one hour).

So please just ignore the value and continue to ask for new credentials just as the auto refresh would work within the CLI.

et304383 commented 7 months ago

The code in question that needs to be removed:

https://github.com/victorskl/yawsso/blob/main/yawsso/core.py#L97

victorskl commented 7 months ago

Ok, let me assess the situation a bit further. Agree on the view that it might be counterproductive to check expiry while we can just refresh the token.

victorskl commented 7 months ago

I can reproduce this. I will make changes as advised - i.e. removing sso expiresAt check from yawsso.

victorskl commented 7 months ago

umm, I take it back. I have to understand a bit more how the aws sso cli cache file format works.

et304383 commented 7 months ago

> umm, I take it back. I have to understand a bit more how the aws sso cli cache file format works.

It's a little confusing but basically it's a token that's good for refreshing temporary role credentials. It's good for an hour.

When it expires, the SDK refreshes the SSO token with the refresh token.

To be honest I think you should be consistent like all other tools and just try the operation. If it doesn't work downstream because the refresh token expired an appropriate error will be thrown from the CLI call. You shouldn't need to worry about that.

victorskl commented 7 months ago

Yup, understood the situation and, exactly I am about to do as what you said. However.

--

Because yawsso has no dependencies except aws cli v2 until now; I have to rely on the aws sso get-role-credentials [...] call with flag --access-token, where the value comes from the sso cache, whose lifetime is governed by the expiresAt value.

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/get-role-credentials.html

I suppose aws cli should introduce a --refresh-token flag in the get-role-credentials subcommand there too, since they started supporting OIDC refresh tokens now.

At the mo;

aws sso get-role-credentials \
  --output json \
  --profile dev \
  --region ap-southeast-2 \
  --role-name AdministratorAccess \
  --account-id <snip> \
  --access-token <Value taken from sso cache field: accessToken>

... which makes yawsso break; it is a bit harder without refreshToken flag support there. Meaning, yawsso will need to make aws sso login every 1 hour, regardless.

victorskl commented 7 months ago

Anyhow, let me keep tinkering around to see how to work around it and make use of refreshToken. As a last resort, I'll have to add boto as a dependency...

victorskl commented 7 months ago

Correction;

It needs to use a refreshToken to refresh accessToken in sso cache file. It seems the cache value of accessToken from ~/.aws/sso/cache/<session_id>.json hasn't refreshed.

I'm still investigating/debugging this... how aws cli handles refreshToken. It might be that it just refreshes accessToken on-the-fly, instead of re-updating accessToken inside the sso cache json file.

et304383 commented 7 months ago

If it helps, I have a workaround right now where I delete my cli cache and then call aws sts get-caller-identity (against any profile) to force a refresh of the SSO token if necessary, as internally the CLI will first try to refresh the role credentials and, if needed, refresh the SSO token.

Then I call yawsso

victorskl commented 7 months ago

Yup. Thinking very similarly around making use of aws sts get-caller-identity...

CLI has its own cache (ls -lrt ~/.aws/cli/cache); it seems to use refreshToken to update credentials there? I could be wrong.

Ok, getting there.

Thanks for sharing your workaround. I will see to it.

victorskl commented 7 months ago

Alright, done with debugging. The sso accessToken is rotated along with the cli credential cache. Understood now. In that case, we can simplify the expiry check with an aws sts get-caller-identity call as you suggest. Easy! I will work on it.
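
An added example, not yawsso's own code, that puts the two approaches discussed in this thread side by side: the expiresAt-only check from the cache file (the one this issue asks to drop) and the aws sts get-caller-identity probe that lets the CLI refresh the accessToken from the refreshToken before yawsso calls get-role-credentials. The cache entry is a constructed sample with placeholder tokens, and the command runner is injected so the decision logic can be exercised offline.

```python
import json
import subprocess
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Constructed sample of a ~/.aws/sso/cache/<id>.json entry (placeholder values,
# only the keys this example touches; real files carry more).
SAMPLE_SSO_CACHE = json.dumps({
    "startUrl": "https://example.awsapps.com/start",
    "region": "ap-southeast-2",
    "accessToken": "ACCESS-TOKEN-PLACEHOLDER",
    "expiresAt": "2020-01-01T00:00:00Z",
    "refreshToken": "REFRESH-TOKEN-PLACEHOLDER",
})

def load_sso_cache(raw: str) -> dict:
    """Parse one SSO cache entry; expiresAt stays the raw string."""
    return json.loads(raw)

def expired_by_cache(entry: dict, now: Optional[datetime] = None) -> bool:
    """The check this issue asks to drop: trust expiresAt alone.
    Accepts both the 'Z' and the older 'UTC' suffix the CLI has written."""
    now = now or datetime.now(timezone.utc)
    stamp = entry["expiresAt"].replace("UTC", "Z")
    exp = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now >= exp

def session_usable(profile: str, run: Callable[[List[str]], int]) -> bool:
    """The replacement: probe with sts get-caller-identity and let the CLI
    refresh the access token from the refresh token if it needs to."""
    cmd = ["aws", "sts", "get-caller-identity", "--profile", profile, "--output", "json"]
    return run(cmd) == 0

def plan_sync(profile: str, run: Callable[[List[str]], int], auto: bool = False) -> str:
    """Decide the next step without consulting expiresAt at all."""
    if session_usable(profile, run):
        return "get-role-credentials"   # accessToken in the cache is fresh again
    return "sso-login" if auto else "abort"  # the refresh token itself is gone

def run_cli(cmd: List[str]) -> int:
    """Real runner: exit status of the aws CLI (needs aws v2 on PATH)."""
    return subprocess.run(cmd, capture_output=True).returncode

if __name__ == "__main__":
    entry = load_sso_cache(SAMPLE_SSO_CACHE)
    print("expiresAt alone says expired:", expired_by_cache(entry))
    print("next step:", plan_sync("dev", run_cli, auto=True))
```

With the sample entry the cache check reports expired while the probe-based plan still proceeds whenever the CLI manages a refresh, which is exactly the divergence the thread describes.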

et304383 commented 5 months ago

Any updates here @victorskl ?

victorskl commented 5 months ago

Sorry folks. Out a bit with an extended camping trip. I am back for the year. I will resume working on this.

Think I have an idea/solution for the fix. Will make an RC this weekend.

victorskl commented 4 months ago

It should be fixed with 1.2rc1. Let me know any feedback, if any.

pip install -U yawsso==1.2.0rc1

yawsso --version
yawsso 1.2.0rc1

victorskl commented 4 months ago

yawsso-1.2.0 is out!

pip install -U yawsso==1.2.0

This should attempt auto-refresh as long as the refresh token lives...

Better yet, try the auto subcommand; this will auto login as a last resort when the refresh token itself has expired...

yawsso auto --profile dev