SDK not finding the cached SSO token file #2241

Closed
jwechsler10 opened this issue Aug 16, 2023 · 12 comments
Assignees
Labels
bug This issue is a bug. p2 This is a standard priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@jwechsler10

Describe the bug

When trying to use an AWS profile with AWS IAM Identity Center, the SDK is unable to find the cached SSO token file with the cached credentials.

Expected Behavior

I would expect that the SDK is able to use the SSO profile I have configured and find the cached credentials and use them to make a request.

Current Behavior

operation error IAM: ListGroups, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, failed to read cached SSO token file, open ~/.aws/sso/cache/9ed037b84943c4caa3a520e48a5540181c46c98c.json: no such file or directory

Reproduction Steps

package main

import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/iam"
)

func main() {
	ctx := context.Background()

	// Load ~/.aws/config and ~/.aws/credentials and select the SSO-backed profile.
	cfg, err := config.LoadDefaultConfig(ctx,
		config.WithSharedConfigProfile("sandbox"),
	)
	if err != nil {
		fmt.Println("could not start session")
		fmt.Println(err)
		return
	}

	svc := iam.NewFromConfig(cfg)

	// The cached SSO token is only read, and role credentials fetched, when the
	// first request is signed, so the error surfaces here rather than at load time.
	result, err := svc.ListGroups(ctx, &iam.ListGroupsInput{})
	if err != nil {
		fmt.Println(err)
		return
	}

	fmt.Println(result)
}

Possible Solution

No response

Additional Information/Context

I have always made sure to run aws sso login before running my script to make sure my credentials are valid.

My aws config file is set up as follows, redacting the real start URL, role names and account numbers:

[default]
sso_start_url = mystarturl
sso_region = us-east-1
sso_account_id = 1234567890
sso_role_name = MyRoleName
region = us-east-1

[profile sandbox]
sso_account_id = 2345678901
sso_role_name = MyRoleName
sso_session = sandbox
region = us-east-1
sso_start_url = mystarturl
sso_region = us-east-1

[sso-session sandbox]
sso_start_url = mystarturl
sso_region = us-east-1
sso_registration_scopes = sso:account:access

I have tried the following:

running aws sso login
running rm -rf ~/.aws/sso/cache and then running aws --profile sandbox sso login

I have verified that the default profile is working as expected, as my token file is at ~/.aws/sso/cache/e3149f93119ef3ca1319b67a45b4c0563fc79ab5.json

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/config v1.18.33
github.com/aws/aws-sdk-go-v2/service/iam v1.22.2

Compiler and Version used

go version go1.20.7 darwin/arm64

Operating System and version

MacOS 13.5

@jwechsler10 jwechsler10 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 16, 2023
@lucix-aws
Contributor

@jwechsler10 --

Sorry for the late response - are you still having this issue?

@lucix-aws lucix-aws added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2023
@jwechsler10
Author

Yes, I am.

@lucix-aws lucix-aws added needs-triage This issue or PR still needs to be triaged. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Sep 11, 2023
@RanVaknin RanVaknin assigned RanVaknin and unassigned ajredniwja Oct 16, 2023
@RanVaknin RanVaknin added the p2 This is a standard priority issue label Oct 16, 2023
@jdeng

jdeng commented Nov 1, 2023

The issue seems to be in credentials/ssocreds/provider.go

getCacheFileName is using the hash value of startURL as the name, while it seems like the names of the actual files are using some other convention.

func loadTokenFile(startURL string) (t token, err error) {
	key, err := getCacheFileName(startURL)
	if err != nil {
		return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err)
	}

	fileBytes, err := ioutil.ReadFile(filepath.Join(defaultCacheLocation(), key))

@nobodyme

nobodyme commented Nov 17, 2023

I just recently faced this, for me just updating aws-cli fixed the issue.
current-version: aws-cli/2.13.36 Python/3.11.6 Darwin/22.6.0 exe/x86_64

@brunetto

Hi,
I'm still facing this problem even with

  • awscli 2.13.38
  • python 3.11.6

I'm getting

  • not found, ResolveEndpointV2 from sts.GetCallerIdentity and
  • operation error ECS: ListClusters, get identity: get credentials: failed to refresh cached credentials, the SSO session has expired or is invalid: failed to read cached SSO token file, open /Users/bmz/.aws/sso/cache/788884265b3a819a27958949fded56a8894f083c.json: no such file or directory from ecs.ListClusters

The aws config is

[profile profile_name]
sso_session = profile_name
sso_account_id = <number>
sso_role_name = ReadOnly
sso_region = eu-west-1
sso_start_url = <url>

[sso-session profile_name]
sso_start_url = <url>
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

If I remove the duplicated lines in the config file like that

[profile profile_name]
sso_session = profile_name
sso_account_id = <number>
sso_role_name = ReadOnly

[sso-session profile_name]
sso_start_url = <url>
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

I get profile "profile_name" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

The test code is

package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/ecs"
	"github.com/aws/aws-sdk-go-v2/service/sts"
)

func main() {
	// Environment overrides only influence config loading if they are set
	// before LoadDefaultConfig runs.
	if err := os.Setenv("AWS_SDK_LOAD_CONFIG", "1"); err != nil {
		log.Fatal(err)
	}
	if err := os.Setenv("AWS_PROFILE", "profile_name"); err != nil {
		log.Fatal(err)
	}

	opts := []func(*config.LoadOptions) error{
		config.WithRegion("eu-west-1"),
		config.WithSharedConfigProfile("profile_name"),
		// No retries, so a credential failure surfaces on the first attempt.
		config.WithRetryer(func() aws.Retryer { return aws.NopRetryer{} }),
	}

	cfg, err := config.LoadDefaultConfig(context.Background(), opts...)
	if err != nil {
		log.Fatal(err)
	}

	ctx := context.Background()

	// Confirm which principal the resolved credentials belong to.
	stssvc := sts.NewFromConfig(cfg)
	identity, err := stssvc.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(identity)

	svc := ecs.NewFromConfig(cfg)

	// Page through all clusters using NextToken.
	var tk *string

	for {
		cs, err := svc.ListClusters(ctx, &ecs.ListClustersInput{NextToken: tk})
		if err != nil {
			log.Fatal(err)
		}

		fmt.Println(cs.ClusterArns)

		tk = cs.NextToken
		if tk == nil {
			break
		}
	}
}

Any suggestion?

@lucix-aws
Contributor

@brunetto -- concerning "not found, ResolveEndpointV2" - see #2370

@RanVaknin
Contributor

Hi @jwechsler10 and @jdeng, and others on the thread.

Unfortunately I'm not able to reproduce the issue. I'm able to start my sso session and use the SDK with that profile successfully:

$ aws --version
aws-cli/2.13.38 Python/3.11.6 Darwin/22.6.0 exe/x86_64 prompt/off

$ cat config
[profile my-new-sso]
sso_session = my-new-sso-session
sso_account_id = REDACTED
sso_role_name = s3FullAccess

[sso-session my-new-sso-session]
sso_region = us-east-1
sso_start_url = https://d-REDACTED.awsapps.com/start
sso_registration_scopes = sso:account:access

$ aws sso login --profile my-new-sso
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

REDACTED-REDACTED
Successfully logged into Start URL: https://d-REDACTED.awsapps.com/start

package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"

	"github.com/aws/aws-sdk-go-v2/config" // github.com/aws/aws-sdk-go-v2/config v1.25.5
	"github.com/aws/aws-sdk-go-v2/service/s3" // github.com/aws/aws-sdk-go-v2/service/s3 v1.44.0
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.Background(),
		config.WithSharedConfigProfile("my-new-sso"),
		config.WithRegion("us-east-1"),
		config.WithClientLogMode(aws.LogRequestWithBody|aws.LogResponseWithBody),
	)
	if err != nil {
		fmt.Println("Error loading configuration:", err)
		return
	}

	svc := s3.NewFromConfig(cfg)

	result, err := svc.ListBuckets(context.Background(), &s3.ListBucketsInput{})
	if err != nil {
		fmt.Println(err)
		return
	}

	fmt.Printf("there are %v buckets", len(result.Buckets))
}

The SDK is successfully pulling the SDK token. Here are the wire logs:

SDK 2023/11/26 18:53:51 DEBUG Request
GET /federation/credentials?account_id=REDACTED&role_name=s3FullAccess HTTP/1.1
Host: portal.sso.us-east-1.amazonaws.com
User-Agent: aws-sdk-go-v2/1.23.1 os/macos lang/go#1.19.1 md/GOOS#darwin md/GOARCH#arm64 api/sso#1.17.3
Amz-Sdk-Invocation-Id: 15d5e0d3-604a-49a2-9326-8f5b75ecd312
Amz-Sdk-Request: attempt=1; max=3
X-Amz-Sso_bearer_token: REDACTED
Accept-Encoding: gzip

SDK 2023/11/26 18:53:53 DEBUG Response
HTTP/2.0 200 OK
Content-Length: 1032
Access-Control-Expose-Headers: RequestId
Access-Control-Expose-Headers: x-amzn-RequestId
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 27 Nov 2023 02:53:53 GMT
Requestid: REDACTED
Server: AWS SSO
X-Amzn-Requestid: REDACTED

{"roleCredentials":{"accessKeyId":"REDACTED","secretAccessKey":"REDACTED","sessionToken":"REDACTED","expiration":1701057232000}}
SDK 2023/11/26 18:53:53 DEBUG Request
GET / HTTP/1.1
Host: s3.us-east-1.amazonaws.com
User-Agent: aws-sdk-go-v2/1.23.1 os/macos lang/go#1.19.1 md/GOOS#darwin md/GOARCH#arm64 api/s3#1.44.0
Accept-Encoding: identity
Amz-Sdk-Invocation-Id: ca024226-4f12-4af2-acde-0086b7a2b8b4
Amz-Sdk-Request: attempt=1; max=3
Authorization: AWS4-HMAC-SHA256 Credential=REDACTED/20231127/us-east-1/s3/aws4_request, SignedHeaders=accept-encoding;amz-sdk-invocation-id;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=REDACTED
X-Amz-Content-Sha256: REDACTED
X-Amz-Date: 20231127T025353Z
X-Amz-Security-Token: REDACTED

SDK 2023/11/26 18:53:53 DEBUG Response
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Mon, 27 Nov 2023 02:53:54 GMT
Server: AmazonS3
X-Amz-Id-2: REDACTED
X-Amz-Request-Id: REDACTED

It would be helpful if one of you can look over my flow and see If I have something setup differently than you do.
You might want to try and enable the wire logger similar to what I did to try and see if there's anything helpful in there.
I would also suggest that you look at all of your versions and make sure they are all up to date.

All the best,
Ran~

@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 27, 2023
@jeffmccune

I've been running into this same problem. For me the fix was to remove the trailing # from the sso_start_url.

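The two observations above (jdeng's note that the cache file name is a hash of the start URL, and jeffmccune's fix of dropping a trailing `#` from sso_start_url) are the same mechanism seen from two sides. The SDK and the CLI name the cache file `<lowercase hex SHA-1 of a key>.json` under ~/.aws/sso/cache; the key is the sso_session name when the profile has one and the start URL otherwise, and it is hashed byte for byte, so any difference in that string (a trailing `#`, a different session name between profile and CLI) points the SDK at a file that does not exist. The following diagnostic, an added example and not code from this issue or from the SDK, computes the candidate file names for a profile and reports which exist and whether the token inside is still valid. The helper names, the command-line usage and the embedded sample file are my own; the JSON field names follow what `aws sso login` writes.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// cachedToken holds the fields of a ~/.aws/sso/cache/<sha1>.json file that this
// check needs. `aws sso login` writes more (refreshToken, clientId, ...); they
// are ignored here.
type cachedToken struct {
	AccessToken string    `json:"accessToken"`
	ExpiresAt   time.Time `json:"expiresAt"` // RFC 3339, e.g. 2023-11-27T02:53:53Z
	StartURL    string    `json:"startUrl"`
	Region      string    `json:"region"`
}

// sampleCacheFile is a constructed example of a cache file (not a real token).
const sampleCacheFile = `{"startUrl":"https://example.awsapps.com/start","region":"us-east-1","accessToken":"example-access-token","expiresAt":"2023-11-27T02:53:53Z"}`

// cacheFileName derives the file name the SDK looks for: the lowercase hex
// SHA-1 of the key plus ".json". The key is hashed byte for byte, so a start
// URL with a trailing "#" yields a different file than the same URL without it.
func cacheFileName(key string) string {
	sum := sha1.Sum([]byte(key))
	return strings.ToLower(hex.EncodeToString(sum[:])) + ".json"
}

// candidateKeys lists the keys a profile's token may be cached under, most
// likely first: the sso_session name (profiles that set one are keyed by it),
// the start URL (legacy profiles without sso_session), and the start URL with
// a trailing "#" toggled, to expose a mismatch on that character.
func candidateKeys(ssoSession, startURL string) []string {
	var keys []string
	if ssoSession != "" {
		keys = append(keys, ssoSession)
	}
	if startURL != "" {
		keys = append(keys, startURL)
		if strings.HasSuffix(startURL, "#") {
			keys = append(keys, strings.TrimSuffix(startURL, "#"))
		} else {
			keys = append(keys, startURL+"#")
		}
	}
	return keys
}

// parseCachedToken decodes one cache file and rejects files that cannot be
// used to fetch role credentials (no access token or no expiry).
func parseCachedToken(b []byte) (cachedToken, error) {
	var t cachedToken
	if err := json.Unmarshal(b, &t); err != nil {
		return cachedToken{}, fmt.Errorf("decode cached SSO token: %w", err)
	}
	if t.AccessToken == "" {
		return cachedToken{}, errors.New("cached SSO token has no accessToken")
	}
	if t.ExpiresAt.IsZero() {
		return cachedToken{}, errors.New("cached SSO token has no expiresAt")
	}
	return t, nil
}

// tokenValid reports whether the cached access token is still usable at now.
func tokenValid(t cachedToken, now time.Time) bool {
	return now.Before(t.ExpiresAt)
}

// Usage: go run . <sso_session name, or "" for a legacy profile> <sso_start_url>
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, `usage: ssocache <sso_session|""> <sso_start_url>`)
		os.Exit(2)
	}
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cacheDir := filepath.Join(home, ".aws", "sso", "cache")
	now := time.Now()
	for _, key := range candidateKeys(os.Args[1], os.Args[2]) {
		path := filepath.Join(cacheDir, cacheFileName(key))
		b, err := os.ReadFile(path)
		if err != nil {
			fmt.Printf("%q -> %s: %v\n", key, path, err)
			continue
		}
		t, err := parseCachedToken(b)
		if err != nil {
			fmt.Printf("%q -> %s: %v\n", key, path, err)
			continue
		}
		fmt.Printf("%q -> %s: valid=%t expires=%s startUrl=%s region=%s\n",
			key, path, tokenValid(t, now), t.ExpiresAt.Format(time.RFC3339), t.StartURL, t.Region)
	}
}
```

Run it with the sso_session name and start URL exactly as they appear in ~/.aws/config; a line whose file exists under the key the CLI used but not under the key the profile resolves to is the mismatch to fix in the config. It reads the token only to check its expiry and never prints the accessToken value.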
@jwechsler10
Author

Updating the version of my AWS CLI and then running aws sso login with the profile specified solved the issue. Thanks for the help!


@sergio-toro

I've been running into this same problem. For me the fix was to remove the trailing # from the sso_start_url.

This was my issue as well. It was happening with Terraform; weird that it only happened when using the s3 backend and not with the main provider.

@kevinnoel-be

kevinnoel-be commented Oct 1, 2024

Had this happen to me. Updating the AWS CLI (aws-cli/2.17.60 -> aws-cli/2.17.62), updating the go modules to latest and running aws sso login again solved it for me.

10 participants