Open emilburzo opened 6 months ago
Hey, could you also check that
From this sso cache JSON file
Using cached SSO login: /home/emil/.aws/sso/cache/934cfeb368censored6f278483.json
... whether you find refreshToken key in there.
Expecting it to have a format like this:
{
  "startUrl": "https://censored.awsapps.com/start",
  "region": "eu-west-1",
  "accessToken": "<snip>",
  "expiresAt": "2024-03-13T00:53:20Z",
  "clientId": "<snip>",
  "clientSecret": "<snip>",
  "registrationExpiresAt": "2024-06-06T00:24:58Z",
  "refreshToken": "<snip>"
}
This debug log message tells me that it is a recent AWS CLI v2 version. So, I am a bit puzzled. It should have used the botocore for the session, if I understood correctly...
2024-03-15 10:50:56,647 yawsso DEBUG aws-cli/2.15.19 Python/3.11.8 Linux/6.7.4-arch1-1 source/x86_64.arch prompt/off
Let me try in my local with this version; which is the best I can do to reproduce locally...
Interesting, the refreshToken is indeed missing:
$ cat /home/emil/.aws/sso/cache/934cfeb36826ad5642909449b2f429996f278483.json | jq .
{
  "startUrl": "https://censored.awsapps.com/start#/",
  "region": "eu-west-1",
  "accessToken": "<snip>",
  "expiresAt": "2024-03-18T14:00:45Z",
  "clientId": "<snip>",
  "clientSecret": "<snip>",
  "registrationExpiresAt": "2024-06-13T08:25:28Z"
}
Even with a refreshed aws sso login :thinking:
But since it works with version 1.1.0, I assume this is something new?
Just to eliminate more variables, refreshToken is missing for both the new sso-session style and the legacy one
Hmm, strange.
I wonder whether the region matters here. And/or the AWS IAM Identity Center API backend version available in there...
My cache file (in ap-southeast-2) has the newer refreshToken field and a total of 8 keys in there.
jq 'length' ~/.aws/sso/cache/21826c929977799eab660eb25be86a87ab9a5a2b.json
8
I have added support for this newer sso session cache format with refreshToken due to the change request from #90, whereas determining the session expiresAt no longer represents the actual sso login session situation.
You could check the linked discussion https://github.com/aws/aws-cli/issues/8305 to see whether any of it is applicable.
Or, if you are the admin (or point it to your admin) of your AWS Organisation (AWS SSO/IAM Identity Center) setup, perhaps you might need to configure the access portal to work.
https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html
Perhaps I can offer backward compatibility on parsing this refreshToken field with the next patch release. Also, it is perfectly OK to stick with the yawsso version that works for you, meanwhile.
I'm not exactly sure what happened, but I upgraded to 1.2.0 again to try and debug what's going on and... it works?
I no longer see this line in the trace output:
2024-03-15 10:50:57,350 yawsso TRACE EXCEPTION: 'An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access'
So I assume the refreshToken code is not reached anymore and that's why I'm not seeing any errors.
Not sure what to make of this though, since I still don't have any refreshToken in ~/.aws/sso/cache/* and nothing else really changed on my side (config, aws-cli version), could it be on AWS' side?
I downgraded to 1.1.0 and then upgraded again to 1.2.0 and it gave the error again.
Is that the same key error that you observed?
KeyError: 'refreshToken'
Yes, sorry for not being more specific.
The fact that I couldn't reproduce it on my end frustrated me a bit. I'll try my best to investigate; to see whether I can jump onto some EU regions...
Meanwhile, I can advise that it is perfectly OK to stick with 1.1.0 if that works perfectly for you.
What comes with 1.2.0 is support for this newer IAM Identity Centre and its oidc and refreshToken for auto refresh session.
Just wanted to say I saw this as well when I upgraded dependencies. Pinning the version to 1.1.0 got me back up and running.
Getting the same error on yawsso 1.2.0. No errors with 1.1.0
Ran into this as well after it was reported to my team by a developer. I upgraded to 1.2.0 and did not encounter the issue until about a week later. I removed the files in ~/.aws/sso/cache and ran yawsso login again without incident.
Confirming I had the same issue described with @rsi-mrobinson above with KeyError: 'refreshToken' on 1.2.0 and deleting the cached files in ~/.aws/sso/cache fixed this for me
I have no idea if this is the exact issue described here (although I encountered the same error as above), but when I run it with the -p flag (profiles) the issue isn't reproducing for me.
yawsso -p <some-profile>
Hope this helps.
After upgrading to yawsso 1.2.0 I'm getting the following:
Nothing changed in my environment and downgrading to 1.1.0 fixes it.
Let me know if you need any more information.
redacted trace output
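
Much of the thread turns on whether a file under ~/.aws/sso/cache carries a refreshToken key. The following is an added example, not part of the thread and not yawsso's own code: it summarises a cache document of either shape quoted above without echoing token values, reading the optional key with .get() so its absence is reported instead of raising KeyError. The function names, the redaction set and the two sample documents are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Keys whose values the thread snips; never echoed by the summary (assumption).
REDACT_KEYS = {"accessToken", "clientId", "clientSecret", "refreshToken"}

# Constructed samples mirroring the two cache shapes quoted in the thread.
_BASE = {
    "startUrl": "https://example.awsapps.com/start",
    "region": "eu-west-1",
    "accessToken": "constructed-access",
    "clientId": "constructed-id",
    "clientSecret": "constructed-secret",
}
WITH_REFRESH = json.dumps({**_BASE, "expiresAt": "2024-03-13T00:53:20Z",
                           "registrationExpiresAt": "2024-06-06T00:24:58Z",
                           "refreshToken": "constructed-refresh"})
WITHOUT_REFRESH = json.dumps({**_BASE, "expiresAt": "2024-03-18T14:00:45Z",
                              "registrationExpiresAt": "2024-06-13T08:25:28Z"})


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps seen in the cache file."""
    parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def inspect_cache(text, now):
    """Summarise one SSO cache document without exposing secret values."""
    doc = json.loads(text)
    expires = doc.get("expiresAt")
    return {
        "keys": sorted(doc),
        # .get() treats a missing key as "absent" rather than an error
        "has_refresh_token": bool(doc.get("refreshToken")),
        "access_token_expired": expires is None or parse_utc(expires) <= now,
        "redacted": {k: ("<redacted>" if k in REDACT_KEYS else v)
                     for k, v in doc.items()},
    }


if __name__ == "__main__":
    # Fixed clock (constructed) so the output is reproducible.
    clock = datetime(2024, 3, 15, 10, 50, 56, tzinfo=timezone.utc)
    for label, text in (("with", WITH_REFRESH), ("without", WITHOUT_REFRESH)):
        info = inspect_cache(text, clock)
        print(label, len(info["keys"]), info["has_refresh_token"],
              info["access_token_expired"])
```

To run it against a real file, pass the file's contents and datetime.now(timezone.utc) to inspect_cache.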