aws-vault
SSO credentials do not work: The security token included in the request is invalid
Hi,
aws-vault works great for non-SSO credentials, but the same Access Key / Secret you grab from the SSO portal doesn't seem to work.
Is there a limitation where aws-vault does not support Access Key and Secret credentials? If there's anything I can do to provide more debug information, let me know.
- [x] I am using the latest release of AWS Vault
- [x] I have provided my .aws/config (redacted if necessary)
[profile dev]
sso_start_url=https://xxxxxxxx.awsapps.com/start
sso_region=ap-southeast-2
sso_account_id=xxxxxx
sso_role_name=xxxxxx
region=ap-southeast-2
output=json
- [x] I have provided the debug output using aws-vault --debug (redacted if necessary)
> aws-vault exec dev aws sts get-caller-identity --debug
2021/04/09 15:39:41 aws-vault v6.3.1
2021/04/09 15:39:41 Loading config file C:\Users\xxx\.aws\config
2021/04/09 15:39:41 Parsing config file C:\Users\xxx\.aws\config
2021/04/09 15:39:41 [keyring] Considering backends: [wincred]
2021/04/09 15:39:41 Profile 'default' missing in config file
2021/04/09 15:39:41 profile dev: using stored credentials
2021/04/09 15:39:41 profile dev: using GetSessionToken
2021/04/09 15:39:41 Using STS endpoint https://sts.amazonaws.com
2021/04/09 15:39:41 Looking up keyring for 'dev'
aws-vault: error: exec: Failed to get credentials for dev: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx
Perhaps this is not working because a temporary role credential is already provided, and ssocreds.NewCredentialsWithClient may need to be used to get the token? I'm not familiar enough with the code paths, but I see this method in aws-sdk-go.
Was getting this same error when trying to use aws-vault with sso.
aws-vault: error: exec: Failed to get credentials for development: InvalidClientTokenId: The security token included in the request is invalid.
Hey,
I had the same problem this week. But now it is working! Steps:
- I removed the existing SSO profiles: aws-vault remove $PROFILE_NAME
- In sequence, I added the SSO config in the ~/.aws/config file.
[profile dev]
sso_start_url=https://xxxxxxxx.awsapps.com/start
sso_region=ap-southeast-2
sso_account_id=xxxxxx
sso_role_name=xxxxxx
region=ap-southeast-2
output=json
- Since aws-vault reads the config file, the profile is listed when aws-vault list is executed.
- Then, I ran the login command to test: aws-vault login $PROFILE_NAME
And it worked! 🎉
When running the aws-vault add $PROFILE_NAME command, I noticed the profile was added with the Credentials filled. And then, when trying aws-vault exec... --debug, the OIDC was not being called.
Then I decided to do the steps above.
Now, when I run aws-vault list, the Credentials are not filled, and all works fine.
~ » aws-vault list 130 ↵ hiago@gurren-lagann
Profile Credentials Sessions
======= =========== ========
abc - -
def - -
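The fix above comes down to one condition: an SSO profile in ~/.aws/config that also has credentials stored in the keyring is treated as a static-credential profile (the debug log shows "using stored credentials" followed by "using GetSessionToken"), so the SSO flow never runs. The following script is an added example, not aws-vault's own code: it parses a config file in the same format as the thread's profile with Python's configparser, reads the Profile/Credentials table that aws-vault list prints, and flags any profile that has both sso_* keys and stored credentials. The sample config, the sample list output and the profile name "legacy" are constructed for the example. It also classifies an access key ID by its prefix, since AWS temporary credentials (the kind shown on the SSO portal) start with ASIA and long-term keys with AKIA; storing only the key and secret of a temporary credential, without its session token, is exactly what produces an InvalidClientTokenId response.

```python
"""Diagnose an aws-vault SSO profile that falls back to stored credentials.

Added example, not aws-vault's own code. Cross-checks an ~/.aws/config-style
file against the profile names that `aws-vault list` reports as having
stored Credentials.
"""
import configparser
from typing import Dict, List

# Constructed sample config, in the same shape as the profile in the thread.
SAMPLE_CONFIG = """
[profile dev]
sso_start_url=https://xxxxxxxx.awsapps.com/start
sso_region=ap-southeast-2
sso_account_id=xxxxxx
sso_role_name=xxxxxx
region=ap-southeast-2
output=json

[profile legacy]
region=us-east-1
output=json
"""

# Constructed output in the shape of `aws-vault list` (Profile Credentials Sessions).
SAMPLE_VAULT_LIST = """Profile Credentials Sessions
======= =========== ========
dev     dev         -
legacy  legacy      -
"""

# All four keys must be present for aws-vault to treat a profile as SSO.
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {key: value}} from ~/.aws/config text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        # Sections are written "[profile name]"; the default profile has no prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def profiles_with_stored_credentials(vault_list: str) -> List[str]:
    """Names whose Credentials column is not '-' in `aws-vault list` output."""
    stored = []
    for line in vault_list.splitlines()[2:]:  # skip the header and the ===== rule
        parts = line.split()
        if len(parts) >= 2 and parts[1] != "-":
            stored.append(parts[0])
    return stored


def credential_kind(access_key_id: str) -> str:
    """AWS temporary access key IDs start with ASIA, long-term ones with AKIA."""
    if access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def diagnose(config_text: str, vault_list: str) -> Dict[str, str]:
    """Map each profile to the credential path aws-vault will take, flagging conflicts."""
    profiles = parse_config(config_text)
    stored = set(profiles_with_stored_credentials(vault_list))
    report: Dict[str, str] = {}
    for name, cfg in profiles.items():
        is_sso = all(k in cfg for k in SSO_KEYS)
        if is_sso and name in stored:
            # Stored credentials win, so GetSessionToken is called instead of the SSO flow.
            report[name] = (f"conflict: SSO profile also has stored credentials; "
                            f"run `aws-vault remove {name}` so the SSO flow is used")
        elif is_sso:
            report[name] = "sso: credentials come from the SSO/OIDC flow"
        elif name in stored:
            report[name] = "stored: static keyring credentials via GetSessionToken"
        else:
            report[name] = "no-credentials: nothing stored and no sso_* keys"
    return report


if __name__ == "__main__":
    for profile, verdict in diagnose(SAMPLE_CONFIG, SAMPLE_VAULT_LIST).items():
        print(f"{profile}: {verdict}")
```

Run it against a real config by replacing SAMPLE_CONFIG with the contents of ~/.aws/config and SAMPLE_VAULT_LIST with the captured output of aws-vault list; a "conflict" verdict is the situation this thread describes, and the remedy is the one given above.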
I believe this should be fixed by #1052