aws-sdk-java-v2
Unable to load SSO token
Describe the bug
Connecting to AWS using SSO with SDK 2.22.13 throws an exception saying "Unable to load SSO token".
Expected Behavior
It should connect
Current Behavior
Connecting to AWS using SSO with SDK 2.22.13 throws an exception saying "Unable to load SSO token".
Reproduction Steps
POM: `<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>check</groupId>
<artifactId>aws-connect</artifactId>
<version>1.0.0</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<aws.java.sdk.version>2.22.13</aws.java.sdk.version>
</properties>
<dependencies>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>s3</artifactId>
<version>${aws.java.sdk.version}</version>
<exclusions>
<exclusion>
<groupId>software.amazon.awssdk</groupId>
<artifactId>netty-nio-client</artifactId>
</exclusion>
<exclusion>
<groupId>software.amazon.awssdk</groupId>
<artifactId>apache-client</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>dynamodb</artifactId>
<version>${aws.java.sdk.version}</version>
</dependency>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>sso</artifactId>
<version>${aws.java.sdk.version}</version>
</dependency>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>ssooidc</artifactId>
<version>${aws.java.sdk.version}</version>
</dependency>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>ec2</artifactId>
<version>${aws.java.sdk.version}</version>
</dependency>
</dependencies>
`
Java Class: `import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.profiles.ProfileFileSupplier; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.ec2.Ec2Client; import software.amazon.awssdk.services.ec2.model.*; import software.amazon.awssdk.services.sso.SsoClient; import software.amazon.awssdk.services.sso.auth.SsoCredentialsProvider; import software.amazon.awssdk.services.sso.model.GetRoleCredentialsRequest;
public class Main { static Region region = Region.XX_YYYY_1;
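/**
 * Reproduction entry point: builds an {@code SsoCredentialsProvider} by hand, resolves
 * credentials once, then launches and tags a single EC2 instance.
 *
 * <p>Every identifier in angle brackets is a placeholder from the original report.
 *
 * @param args unused
 */
public static void main(String[] args) {
    // builder() is cast to the public Builder interface, exactly as in the original report.
    SsoCredentialsProvider ssoCredentialsProvider = ((SsoCredentialsProvider.Builder) SsoCredentialsProvider.builder())
            .ssoClient(SsoClient.builder().region(region).build())
            .refreshRequest(() ->
                    GetRoleCredentialsRequest.builder()
                            .roleName("<ROLE>")
                            .accountId("<ACC ID>")
                            // Placeholder only. The real value is an SSO bearer token: keep it out of
                            // source control and bug reports. NOTE(review): this supplier hands back the
                            // same fixed token on every refresh, so refreshes presumably start failing
                            // once that token expires - confirm.
                            .accessToken("<ACCESS TOKEN>")
                            .build()
            ).build();
    String name = "Sample";
    String amiId = "ami-XYZ";

    // The report called resolveCredentials() on an undeclared variable `provider`;
    // the only provider in scope is ssoCredentialsProvider. Resolving here surfaces
    // credential problems before any EC2 call is attempted.
    ssoCredentialsProvider.resolveCredentials();

    // try-with-resources closes the client even when the launch throws, which the
    // trailing ec2.close() in the original did not.
    try (Ec2Client ec2 = Ec2Client.builder()
            .region(region)
            .credentialsProvider(ssoCredentialsProvider)
            .build()) {
        String instanceId = createEC2Instance(ec2, name, amiId);
        System.out.println("The Amazon EC2 Instance ID is " + instanceId);
    }
}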
/**
 * Launches exactly one {@code T1_MICRO} instance from the given AMI and then applies a
 * {@code Name} tag to it.
 *
 * <p>The launch happens before tagging, so when tagging fails the instance has already been
 * started; the failure path prints the service error message and terminates the JVM with
 * status 1 without stopping or reporting that instance.
 *
 * @param ec2   client used for both the launch and the tagging call
 * @param name  value written to the {@code Name} tag
 * @param amiId image to launch
 * @return the ID of the launched instance
 */
public static String createEC2Instance(Ec2Client ec2, String name, String amiId) {
    RunInstancesResponse launchResult = ec2.runInstances(
            RunInstancesRequest.builder()
                    .imageId(amiId)
                    .instanceType(InstanceType.T1_MICRO)
                    .maxCount(1)
                    .minCount(1)
                    .build());
    // maxCount == minCount == 1, so the first entry is the only instance requested.
    String launchedId = launchResult.instances().get(0).instanceId();

    Tag nameTag = Tag.builder().key("Name").value(name).build();
    CreateTagsRequest nameTagRequest = CreateTagsRequest.builder()
            .resources(launchedId)
            .tags(nameTag)
            .build();

    try {
        ec2.createTags(nameTagRequest);
        System.out.printf("Successfully started EC2 Instance %s based on AMI %s", launchedId, amiId);
        return launchedId;
    } catch (Ec2Exception tagFailure) {
        System.err.println(tagFailure.awsErrorDetails().errorMessage());
        System.exit(1);
    }
    // Only here to satisfy the compiler: System.exit(1) above does not return.
    return "";
}
}`
Possible Solution
No response
Additional Information/Context
No response
AWS Java SDK version used
2.22.13
JDK version used
11.0.20
Operating System and version
Windows 10 22H2
Hi @gitissuepost thank you for reaching out.
In order to troubleshoot this further, can you please provide the following:
(1) Full stacktrace showing the error "Unable to load SSO token"
(2) What your config file looks like with your SSO settings - please don't share real values of the credentials. As an example, I used this to test SSO locally on my machine, and I can call RunInstances successfully:
[profile dev]
sso_session = my-sso
sso_account_id = xxx
sso_role_name = xxx
[sso-session my-sso]
sso_region = us-east-2
sso_start_url = https://xxx.awsapps.com/start
(3) Does it work if you use ProfileCredentialsProvider instead?
// Resolve credentials through the named profile ("dev" in the sample config shown above)
// instead of a hand-built SsoCredentialsProvider, so no access token appears in code.
Ec2Client ec2 = Ec2Client.builder()
.region(region)
.credentialsProvider(ProfileCredentialsProvider.create("dev"))
.build();
@debora-ito :
Below is the stack trace
Exception in thread "main" software.amazon.awssdk.core.exception.SdkClientException: Unable to load SSO token at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111) at software.amazon.awssdk.core.exception.SdkClientException.create(SdkClientException.java:43) at software.amazon.awssdk.services.ssooidc.SsoOidcTokenProvider.lambda$getDefaultSsoTokenRetriever$3(SsoOidcTokenProvider.java:221) at java.base/java.util.Optional.orElseThrow(Optional.java:408) at software.amazon.awssdk.services.ssooidc.SsoOidcTokenProvider.lambda$getDefaultSsoTokenRetriever$4(SsoOidcTokenProvider.java:221) at software.amazon.awssdk.awscore.internal.token.CachedTokenRefresher.refreshAndGetTokenFromSupplier(CachedTokenRefresher.java:81) at software.amazon.awssdk.awscore.internal.token.CachedTokenRefresher.refreshResult(CachedTokenRefresher.java:89) at software.amazon.awssdk.utils.cache.CachedSupplier.lambda$jitteredPrefetchValueSupplier$8(CachedSupplier.java:300) at software.amazon.awssdk.utils.cache.CachedSupplier$PrefetchStrategy.fetch(CachedSupplier.java:448) at software.amazon.awssdk.utils.cache.CachedSupplier.refreshCache(CachedSupplier.java:208) at software.amazon.awssdk.utils.cache.CachedSupplier.get(CachedSupplier.java:135) at software.amazon.awssdk.awscore.internal.token.CachedTokenRefresher.refreshIfStaleAndFetch(CachedTokenRefresher.java:76) at software.amazon.awssdk.services.ssooidc.SsoOidcTokenProvider.resolveToken(SsoOidcTokenProvider.java:96) at software.amazon.awssdk.services.ssooidc.SsoOidcProfileTokenProviderFactory$SsoOidcProfileTokenProvider.resolveToken(SsoOidcProfileTokenProviderFactory.java:148) at software.amazon.awssdk.auth.token.internal.ProfileTokenProviderLoader.lambda$ssoProfileCredentialsProvider$0(ProfileTokenProviderLoader.java:67) at software.amazon.awssdk.auth.token.credentials.ProfileTokenProvider.resolveToken(ProfileTokenProvider.java:111) at 
software.amazon.awssdk.auth.token.internal.LazyTokenProvider.resolveToken(LazyTokenProvider.java:45) at software.amazon.awssdk.services.sso.auth.SsoProfileCredentialsProviderFactory$SsoProfileCredentialsProvider.<init>(SsoProfileCredentialsProviderFactory.java:107) at software.amazon.awssdk.services.sso.auth.SsoProfileCredentialsProviderFactory$SsoProfileCredentialsProvider.<init>(SsoProfileCredentialsProviderFactory.java:88) at software.amazon.awssdk.services.sso.auth.SsoProfileCredentialsProviderFactory.create(SsoProfileCredentialsProviderFactory.java:68) at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.ssoProfileCredentialsProvider(ProfileCredentialsUtils.java:191) at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.credentialsProvider(ProfileCredentialsUtils.java:120) at software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils.credentialsProvider(ProfileCredentialsUtils.java:102) at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.lambda$createCredentialsProvider$1(ProfileCredentialsProvider.java:169) at java.base/java.util.Optional.flatMap(Optional.java:294) at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.createCredentialsProvider(ProfileCredentialsProvider.java:169) at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.handleProfileFileReload(ProfileCredentialsProvider.java:135) at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.resolveCredentials(ProfileCredentialsProvider.java:126) at software.amazon.awssdk.auth.credentials.AwsCredentialsProvider.resolveIdentity(AwsCredentialsProvider.java:54) at software.amazon.awssdk.identity.spi.IdentityProvider.resolveIdentity(IdentityProvider.java:60) at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.lambda$resolveCredentials$2(AwsCredentialsAuthorizationStrategy.java:112) at 
software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:60) at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:112) at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:85) at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:138) at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:67) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:76) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74) at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45) at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53) at software.amazon.awssdk.services.ec2.DefaultEc2Client.runInstances(DefaultEc2Client.java:34428) at org.example.Main.createEC2Instance(Main.java:37) at org.example.Main.main(Main.java:24)
My config file looks like below:
```
[sso-session dev-aws-iam]
sso_start_url=https://xxxxxx-yyyyyyy.awsapps.com/start#/
sso_region=xxxxxxxxx
sso_registration_scopes=sso:account:access

[profile dev-aws-iam-xxxxxxxx]
sso_session=dev-aws-iam
sso_account_id=xxxxxxxxxxxx
sso_role_name=xxxxxxxx
```
The java class as below
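import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.*;

/**
 * Reproduction class for the "Unable to load SSO token" report: launches one EC2 instance
 * using credentials resolved from a named SSO profile.
 *
 * <p>Region, AMI and profile names are redacted placeholders from the original report.
 */
public class Main {
    static Region region = Region.XXXXXXX;

    /**
     * Builds an EC2 client backed by {@code ProfileCredentialsProvider} and launches one
     * tagged instance.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        String name = "Sample";
        String amiId = "ami-xxxxx";

        // In the stack trace reported with this class, credentials are resolved during the
        // first API call (runInstances) and the exception is thrown from there, so the
        // trailing ec2.close() of the original was never reached. try-with-resources closes
        // the client on that path too.
        // NOTE(review): the trace fails while SsoOidcTokenProvider retrieves the SSO token;
        // presumably there is no usable cached token for the sso-session - confirm by
        // signing in again with the AWS CLI (`aws sso login`) for this profile.
        try (Ec2Client ec2 = Ec2Client.builder()
                .region(region)
                .credentialsProvider(ProfileCredentialsProvider.create("dev-aws-iam-xxxxxxxx"))
                .build()) {
            String instanceId = createEC2Instance(ec2, name, amiId);
            System.out.println("The Amazon EC2 Instance ID is " + instanceId);
        }
    }

    /**
     * Launches exactly one {@code T1_MICRO} instance from the given AMI and then applies a
     * {@code Name} tag to it.
     *
     * <p>The launch happens before tagging, so when tagging fails the instance has already
     * been started; the failure path prints the service error message and terminates the
     * JVM with status 1.
     *
     * @param ec2   client used for both the launch and the tagging call
     * @param name  value written to the {@code Name} tag
     * @param amiId image to launch
     * @return the ID of the launched instance
     */
    public static String createEC2Instance(Ec2Client ec2, String name, String amiId) {
        RunInstancesRequest runRequest = RunInstancesRequest.builder()
                .imageId(amiId)
                .instanceType(InstanceType.T1_MICRO)
                .maxCount(1)
                .minCount(1)
                .build();
        RunInstancesResponse response = ec2.runInstances(runRequest);
        // maxCount == minCount == 1, so the first entry is the only instance requested.
        String instanceId = response.instances().get(0).instanceId();

        Tag tag = Tag.builder()
                .key("Name")
                .value(name)
                .build();
        CreateTagsRequest tagRequest = CreateTagsRequest.builder()
                .resources(instanceId)
                .tags(tag)
                .build();

        try {
            ec2.createTags(tagRequest);
            System.out.printf("Successfully started EC2 Instance %s based on AMI %s", instanceId, amiId);
            return instanceId;
        } catch (Ec2Exception e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
        // Only here to satisfy the compiler: System.exit(1) above does not return.
        return "";
    }
}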