Error refreshing AWS IAM Identity Center token #736

Open
dannysteenman opened this issue Aug 15, 2024 · 2 comments

Comments


dannysteenman commented Aug 15, 2024

I'm getting the following error when assuming a role where the cache of the sso session is expired:

[15-08-2024 19:10:26] [INFO] Assuming role: Website/AdministratorAccess

[✘] error refreshing AWS IAM Identity Center token: operation error SSO OIDC: CreateToken, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://oidc.eu-west-1.amazonaws.com/token": tls: failed to verify certificate: x509: certificate is valid for *.webio.com, not oidc.eu-west-1.amazonaws.com

then I need to reload my terminal and this happens when assuming the role:

[15-08-2024 19:10:40] [INFO] Assuming role: Website/AdministratorAccess
[✘] error refreshing AWS IAM Identity Center token: operation error SSO OIDC: CreateToken, https response error StatusCode: 400, RequestID: b380066b-4c50-4560-aaa8-9cad12eec5fb, InvalidGrantException:
[i] If the browser does not open automatically, please open this link: https://device.sso.eu-west-1.amazonaws.com/?user_code=TMWD-JPNH
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: TMWD-JPNH

then I can sign into sso and it works again.


For debugging purposes I ran the granted doctor command:

❯ granted doctor

[i] Checking your Granted and AWS local configurations to look for common issues...


? Please select the profile you would like to assume: Website/AdministratorAccess
[i] profile selected: Website/AdministratorAccess

[i] profile SSO start URL: https://d-<replaced>.awsapps.com/start

[i] profile region:

[i] Granted doctor will now check the default sso token cache (`~/.aws/sso/cache`), Granted secure storage, and the AWS credentials file to valiate cached tokens.

[i] Checking all cached credentials in `/.aws/sso/cache`

[i] No valid cached credentials found in `/.aws/sso/cache`

[i] Checking all cached tokens in secure storage


[✔] [VALID] Credentials found for  are still valid
[!] [INFO] no cached tokens in secure storage found

[i] Checking commonly found issues in Granted configuration

[!] [INFO] DefaultExportAllEnvVar set to true. Automatic credential renewal is disabled.

[✔] Granted Doctor has completed, see diagnostics above

these are my granted settings:

SETTING                      	VALUE
update-checker-api-url       	update.api.granted.dev:443
Keyring                      	map[Backend:0x1400011f8b0 FileDir:<nil> KeychainName:<nil> LibSecretCollectionName:<nil>]
DefaultExportAllEnvVar       	true
ProfileRegistryURLS          	[]
CommonFateDefaultSSORegion
ProfileRegistry              	map[PrefixAllProfiles:false PrefixDuplicateProfiles:false Registries:[] RequiredKeys:map[] SessionName: Variables:map[]]
DefaultBrowser               	FIREFOX
CustomSSOBrowserPath         	/opt/homebrew/bin/firefox
CommonFateDefaultSSOStartURL
AccessRequestURL
CustomBrowserPath            	/opt/homebrew/bin/firefox
Ordering                     	Frecency
ExportSSOToken               	false
DisableCredentialProcessCache	false
CredentialProcessAutoLogin   	true
SSO                          	map[]
ExportCredentialSuffix
ExportCredsToAWS             	false
DisableUsageTips             	true

this is the aws config profile:

[profile Website/AdministratorAccess]
granted_sso_start_url      = https://d-<replaced>.awsapps.com/start
granted_sso_region         = eu-west-1
granted_sso_account_id     = 123456789012
granted_sso_role_name      = AdministratorAccess
granted_sso_registration_scopes = sso:account:access
credential_process         = granted credential-process --profile Website/AdministratorAccess

Did I mess something up in my settings or is it a bug?
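The trace above shows two distinct failures on the same token-refresh path: first a TLS handshake to oidc.eu-west-1.amazonaws.com answered with a certificate issued for *.webio.com (so the connection was terminated by something other than the AWS endpoint), then, after the restart, an InvalidGrantException because the cached token could no longer be refreshed and a new device-code login was required. As an added illustration, not code from Granted or from AWS, the Python below classifies ~/.aws/sso/cache entries the way granted doctor reports them and checks a certificate's SAN list against the OIDC host; the cache field names (accessToken, expiresAt, refreshToken, registrationExpiresAt) are the ones the AWS CLI writes, and the sample entries are constructed.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def parse_expiry(ts):
    # AWS SSO cache timestamps are ISO-8601 UTC with a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def token_status(entry, now):
    """'valid', 'refreshable' (expired, but refresh token + live registration), or 'expired'."""
    exp = entry.get("expiresAt")
    if exp and parse_expiry(exp) > now:
        return "valid"
    reg = entry.get("registrationExpiresAt")
    if entry.get("refreshToken") and reg and parse_expiry(reg) > now:
        return "refreshable"  # CreateToken with grant refresh_token can still succeed
    return "expired"  # only a new device-code login (the user_code prompt above) helps

def scan_cache(cache_dir, now):
    """Return {file name: status} for every JSON entry under cache_dir."""
    results = {}
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            results[path.name] = token_status(json.loads(path.read_text()), now)
        except (OSError, ValueError):
            results[path.name] = "unreadable"
    return results

def san_covers_host(host, san_names):
    """True if a dNSName SAN (single-label wildcard allowed) covers host, as x509 requires."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def demo():
    """Constructed entries (not the reporter's files), scanned at the report's timestamp."""
    now = datetime(2024, 8, 15, 19, 10, 26, tzinfo=timezone.utc)
    base = {"startUrl": "https://d-example.awsapps.com/start", "accessToken": "REDACTED"}
    entries = {"stale.json": dict(base, expiresAt="2024-08-15T18:00:00Z"),
               "fresh.json": dict(base, expiresAt="2024-08-16T03:00:00Z")}
    with tempfile.TemporaryDirectory() as d:
        for name, entry in entries.items():
            Path(d, name).write_text(json.dumps(entry))
        return scan_cache(d, now)
```

Point scan_cache at the real ~/.aws/sso/cache with datetime.now(timezone.utc) to reproduce the doctor check; a SAN mismatch like the one in the trace is a reason to inspect the host's DNS resolution and any proxy or TLS-inspecting software on the path before retrying the login.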

@dannysteenman dannysteenman changed the title error refreshing AWS IAM Identity Center token Error refreshing AWS IAM Identity Center token Aug 15, 2024
shwethaumashanker (Contributor) commented:

@dannysteenman Can you please try running granted settings set -s=CredentialProcessAutoLogin --value true, and let us know if that fixes it for you.

dannysteenman (Author) commented:

@dannysteenman Can you please try running granted settings set -s=CredentialProcessAutoLogin --value true, let us know if that fixes it for you

Thanks for your quick response; as you can see in my granted settings, it was already enabled:

CredentialProcessAutoLogin   	true
