xp-forge / aws

AWS Core for the XP Framework

SSO Cache file name #14

Closed thekid closed 2 months ago

thekid commented 2 months ago

The SSO file should be in `~/.aws/sso/cache/{SHA}.json`, where `SHA` is the SHA1 checksum of the SSO start URL:

```console
$ ls -al ~/.aws/sso/cache/
total 16
drwxr-xr-x 2 thekid thekid 4096 Jun 21 09:59 .
drwxr-xr-x 3 thekid thekid 4096 Jun 21 09:59 ..
-rw------- 1 thekid thekid  361 Aug  6 15:31 2027fec77997822cbd244958e71e4736c844bed9.json
-rw------- 1 thekid thekid 1662 Jun 21 09:59 botocore-client-id-eu-central-1.json

$ xp -w 'sha1("https://enbw.awsapps.com/start/")'
2027fec77997822cbd244958e71e4736c844bed9

$ aws --version
aws-cli/2.2.35 Python/3.8.8 Linux/5.15.153.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.20 prompt/off
```

In newer AWS CLI versions, the directory differs from this layout (if `sso-session` is used) and `CredentialProvider::default()` fails to locate the file, yielding: `Exception util.NoSuchElementException (None of the credential providers returned credentials)`

thekid commented 2 months ago

Found this:

> For AWS cli > 2.13.5 which uses sso-session sections in configuration file, you need to change the SHA1 source to sso_session value in your profile

```bash
local sso_session="$(aws configure get sso_session --profile "${profile}")"
...
local cache_file="${HOME}/.aws/sso/cache/$(echo -n "$sso_session" | sha1sum | awk '{print $1}').json"
```

See https://github.com/aws/aws-cli/issues/5261#issuecomment-1739553837 /cc @lisamariekrause

thekid commented 2 months ago

Running `aws configure sso` yielded this config file with the old version:

```ini
[default]
region = eu-central-1

[profile lernwerk]
sso_start_url = https://enbw.awsapps.com/start/
sso_region = eu-central-1
sso_account_id = 1234567890123
sso_role_name = EnBWContributorSet
region = eu-central-1
```

If this file is retained as-is, the login still creates the correct file `2027fec77997822cbd244958e71e4736c844bed9.json`.

However, when you empty the `~/.aws/config` file and re-run the above command with the new version, the following file is created:

```ini
[default]
region = eu-central-1

[profile lernwerk]
sso_session = lerngpt
sso_account_id = 1234567890123
sso_role_name = EnBWContributorSet
region = eu-central-1

[sso-session lerngpt]
sso_start_url = https://enbw.awsapps.com/start/
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
```

...and the cache directory looks like this:

```console
$ ls -al ~/.aws/sso/cache/
total 16
drwxr-xr-x 2 thekid thekid 4096 Aug  6 20:40 .
drwxr-xr-x 3 thekid thekid 4096 Jun 21 09:59 ..
-rw------- 1 thekid thekid 3157 Aug  6 20:40 4aa8768c1a0ab539806ba9c9e079bbef8c3e3bfd.json
-rw------- 1 thekid thekid 2565 Aug  6 20:40 f402abdfd11677e50e5476550548a6e77d66f302.json

$ xp -w 'sha1("lerngpt")'
4aa8768c1a0ab539806ba9c9e079bbef8c3e3bfd
```

thekid commented 2 months ago

Released in https://github.com/xp-forge/aws/releases/tag/v2.4.0

The fix was to test for `sso_session = ...` in the relevant section and then to check for `sha1(session)` instead of `sha1(start-url)`, see above commit. This makes this library compatible with:
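
The lookup rule worked out in this thread, as an added example that is not part of the xp-forge/aws library or the AWS CLI: a profile that references an `[sso-session NAME]` section hashes the session name, a legacy profile hashes `sso_start_url`, and the SHA1 hex digest becomes the file name under `~/.aws/sso/cache/`. The two config texts are copied from the comments above, the function names (`sso_cache_source`, `sso_cache_file`, `is_private_file`) and the `/home/thekid` home directory are assumptions for illustration, and the permission check only reflects the `-rw-------` mode visible in the directory listings above.

```python
"""Resolve the AWS CLI SSO token cache file for a profile (added example)."""
import configparser
import hashlib
import stat
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample configs, copied from the two layouts shown in this issue.
LEGACY_CONFIG = """
[default]
region = eu-central-1

[profile lernwerk]
sso_start_url = https://enbw.awsapps.com/start/
sso_region = eu-central-1
sso_account_id = 1234567890123
sso_role_name = EnBWContributorSet
region = eu-central-1
"""

SESSION_CONFIG = """
[default]
region = eu-central-1

[profile lernwerk]
sso_session = lerngpt
sso_account_id = 1234567890123
sso_role_name = EnBWContributorSet
region = eu-central-1

[sso-session lerngpt]
sso_start_url = https://enbw.awsapps.com/start/
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
"""


def parse_aws_config(text: str) -> configparser.ConfigParser:
    """Parse ~/.aws/config text; interpolation is off so a '%' in a URL stays literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def sso_cache_source(config: configparser.ConfigParser, profile: str) -> Tuple[str, str]:
    """Return (value_to_hash, kind) for a profile.

    kind is 'sso_session' when the profile points at an [sso-session NAME]
    section (the layout written by newer CLIs) and 'sso_start_url' for the
    legacy layout. Profiles other than 'default' live in '[profile NAME]'.
    """
    section = "default" if profile == "default" else f"profile {profile}"
    if not config.has_section(section):
        raise KeyError(f"no such profile: {profile}")
    entries = config[section]
    if "sso_session" in entries:
        name = entries["sso_session"]
        if not config.has_section(f"sso-session {name}"):
            raise KeyError(f"profile {profile} references undefined sso-session {name}")
        return name, "sso_session"
    if "sso_start_url" in entries:
        return entries["sso_start_url"], "sso_start_url"
    raise KeyError(f"profile {profile} has no SSO configuration")


def sso_cache_file(config_text: str, profile: str, home: Optional[str] = None) -> Path:
    """Path of the token cache file the CLI writes for this profile: sha1(source).json."""
    source, _kind = sso_cache_source(parse_aws_config(config_text), profile)
    digest = hashlib.sha1(source.encode("utf-8")).hexdigest()
    base = Path(home) if home is not None else Path.home()
    return base / ".aws" / "sso" / "cache" / f"{digest}.json"


def is_private_file(path: Path) -> bool:
    """True if the file exists and is not group/world accessible (the CLI writes 0600).

    The cache holds a bearer token, so a looser mode is worth flagging before use.
    """
    try:
        mode = stat.S_IMODE(path.stat().st_mode)
    except FileNotFoundError:
        return False
    return mode & 0o077 == 0


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_CONFIG), ("sso-session", SESSION_CONFIG)):
        path = sso_cache_file(text, "lernwerk", home="/home/thekid")
        print(f"{label:12} -> {path}  private={is_private_file(path)}")
```

Run against the two configs, the `lernwerk` profile resolves to `2027fec77997822cbd244958e71e4736c844bed9.json` for the legacy layout and `4aa8768c1a0ab539806ba9c9e079bbef8c3e3bfd.json` for the `sso-session` layout, matching the `xp -w 'sha1(...)'` output in the comments above. A profile that names an undefined `sso-session` raises a `KeyError` naming the missing section instead of the generic "none of the credential providers returned credentials" failure.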

thekid commented 2 months ago

See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html - the relevant section about the old versions is labelled Legacy IAM Identity Center configuration file. For the newer versions, the change is documented here:

> the authentication token is cached to disk under the sso/cache directory with a filename based on the session name

According to various issues this was added in AWS CLI 2.9.0. Its ChangeLog file contains this:

> enhancement:sso login: Add --sso-session argument to enable direct SSO login with a sso-session

See https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst#290