aws-cli
credential_process doesn't work for federated roles
Confirm by changing [ ] to [x] below to ensure that it's a bug:
- [x] I've gone through the User Guide and the API reference
- [x] I've searched for previous similar issues and didn't find any solution
Describe the bug
It's impossible to use credential_process with federated credentials without manually editing the credentials file every time I want to use the CLI.
I use federated roles. Federated roles require constant updating of STS tokens. I have profile [profile user] and federated creds under [user]. I have an internal tool which updates creds for me. It's also a daemon, so you run tool & and it will refresh them for you.
If I completely delete [user] in .aws/credentials, the credential_process will execute, because the CLI looks for creds in this order:
2020-04-03 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2020-04-03 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2020-04-03 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2020-04-03 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
If it finds no creds, it will run credential_process. But if it DOES, and those creds are invalid, it just fails and says "invalid creds" instead of running credential_process again.
SDK version number
aws-cli/1.18.36 botocore/1.15.36
Platform/OS/Hardware/Device
Python/3.7.5 Darwin/18.7.0
To Reproduce (observed behavior)
- Get temp federated credentials
- Run a CLI command, e.g. aws s3 ls
- Invalidate the session token by changing some letters
- Run a CLI command again, e.g. aws s3 ls
It will fail instead of re-running the credential_process.
Expected behavior
The CLI should re-run the credential_process if session tokens are expired or invalid.
Logs/output
Get full traceback and error logs by adding --debug to the command.
...
2020-04-03 14:22:24,020 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2020-04-03 14:22:24,020 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2020-04-03 14:22:24,020 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2020-04-03 14:22:24,020 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2020-04-03 14:22:24,021 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
...
2020-04-03 14:22:24,149 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amz-request-id': '6E9775F8FE088D43', 'x-amz-id-2': '123456789', 'Content-Type': 'application/xml', 'Transfer-Encoding': 'chunked', 'Date': 'Fri, 03 Apr 2020 21:22:23 GMT', 'Connection': 'close', 'Server': 'AmazonS3'}
2020-04-03 14:22:24,149 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>InvalidToken</Code><Message>The provided token is malformed or otherwise invalid.</Message><Token-0>IQo...asdfasdfasdfasdf....UE=</Token-0><RequestId>123456789</RequestId><HostId>123456789</HostId></Error>'
2020-04-03 14:22:24,150 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <botocore.retryhandler.RetryHandler object at 0x109e2e410>
2020-04-03 14:22:24,150 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2020-04-03 14:22:24,150 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x109e2e110>>
2020-04-03 14:22:24,150 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListBuckets: calling handler <function enhance_error_msg at 0x10b418200>
2020-04-03 14:22:24,152 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
File "/user/Library/Python/3.7/lib/python/site-packages/awscli/clidriver.py", line 217, in main
return command_table[parsed_args.command](remaining, parsed_args)
File "/user/Library/Python/3.7/lib/python/site-packages/awscli/customizations/commands.py", line 190, in __call__
parsed_globals)
File "/user/Library/Python/3.7/lib/python/site-packages/awscli/customizations/commands.py", line 187, in __call__
return self._run_main(parsed_args, parsed_globals)
File "/user/Library/Python/3.7/lib/python/site-packages/awscli/customizations/s3/subcommands.py", line 478, in _run_main
self._list_all_buckets()
File "/user/Library/Python/3.7/lib/python/site-packages/awscli/customizations/s3/subcommands.py", line 543, in _list_all_buckets
response_data = self.client.list_buckets()
File "/user/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/user/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 626, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.
2020-04-03 14:22:24,153 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255
An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.
Hi @clhefton,
Thanks for pointing this out. I'll need a bit more help from you because it's hard for me to test this, but could you try adding the profile name and using a region-dependent service like:
aws dynamodb list-tables --profile user
I'm expecting this to have the same behavior, but want to be sure before I go further into this.
I do get the same error.
Also, I have verified that the script I have for "credential_process" (/usr/local/bin/getcreds) does work if run on its own outside the context of the CLI. So the only issue is re-running it upon finding expired tokens.
What is the format of the getcreds output? The process creds expect an expiry time; if the creds are present and not expired, the CLI will assume they are valid and try to use them. You didn't mention whether they were expired or not, just that they were invalid, in which case the CLI behavior seems correct to me unless I am misunderstanding the scenario.
Can you provide a full sanitized version of your config file with the profiles you mentioned, as well as the output format of the process called by the process provider?
IMO, it's not "correct" if it doesn't find new creds for you when the ones you have don't work. That's what credential_process is for. But I tested that it doesn't work on legitimately expired creds either; here are some screenshots. It shows the last written date to ~/.aws/credentials yesterday, shows creds existing under my profile, and shows the "expired token" error when running a command.
As for the getcreds question, it does the following: starts a daemon that updates the ~/.aws/credentials file, sleep(5) to give the daemon time to update the first time, pulls the new creds from credentials, and outputs them again in correct JSON format so credential_process doesn't error out.
I.e.,
[profile]
credential_helper=/bin/getcreds
-> call getcreds, which:
  -> starts my_daemon
  -> reads updated credentials file
  -> outputs correct json based on values above
-> reads JSON from get_creds (or should)
But it never reaches step 1, which is calling getcreds.
Hi, any progress on this issue? I'm getting exactly the same issue using gsts. I need to delete the credentials from the credential file before it updates them. Thanks.
Also having the same/similar issue. Version: aws-cli/2.2.2 Python/3.8.8 Windows/10 exe/AMD64 prompt/off
Steps to reproduce
- Delete the .aws\credentials file
- Run an aws command, for example aws sts get-caller-identity --profile
- The credentials file gets populated and the command succeeds
- Wait for the credentials to expire (1hr)
- Run the aws command again. Error output: An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
- Expected action: awscli recognizes the expired credentials and continues down its process to find valid credentials. In this case, it tries credential_process to refresh the credentials.
In my .aws/config, I am using credential_process. Upon login the credentials are placed in the .aws/credentials file. When the AWS command finds the credentials, it doesn't check the aws_expiration value to verify the credential is still valid. It just uses the credential. The logic in botocore.credentials should be to check whether the credentials are expired at this step and, if so, call the credential_process again.
2021-05-07 12:45:19,138 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-05-07 12:45:19,138 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-05-07 12:45:19,138 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-05-07 12:45:19,138 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-05-07 12:45:19,138 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2021-05-07 12:45:19,138 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\botocore\data\endpoints.json
In contrast, when the credentials don't exist, you see that after "Looking for credentials via: shared-credentials-file" it tries custom-process. This is shown in this snippet with no credentials file:
2021-05-07 13:08:01,765 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-05-07 13:08:01,765 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-05-07 13:08:01,775 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-05-07 13:08:01,775 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-05-07 13:08:01,775 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: custom-process
Here's the full debug log with expired credentials.
H:>aws sts get-caller-identity --profile legacy --debug
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
I'm also running into this same issue. I'm using saml2aws as the credential-process config:
[profile acc-name-Admin]
region = ap-southeast-2
credential_process = saml2aws login --profile=acc-name-Admin --role=arn:aws:iam::XXXXX:role/Admin --credential-process --skip-prompt
When the session expires I was expecting that it would re-invoke the credential_process command, but instead I get the following:
$ aws s3 ls
An error occurred (ExpiredToken) when calling the ListBuckets operation: The provided token has expired.
When I delete the ~/.aws/credentials file and then re-run aws s3 ls, it does re-trigger the credential_process command and list out the S3 buckets in the account.
My AWS CLI version from aws --version is:
aws-cli/2.1.35 Python/3.8.8 Darwin/20.4.0 exe/x86_64 prompt/off
Glad to find this thread! We are running into the exact same issue. If the aws_session_expiration is past the expiration date, it'll throw the "The security token included in the request is expired" error, which makes perfect sense.
However, one would expect the credential_process to then be invoked to generate new credentials. The current workaround is to copy/paste the contents of credential_process and run the command manually.
I think there is enough debug information in this thread to make a case, but happy to provide any additional logs.
$ aws --version
aws-cli/2.4.22 Python/3.9.10 Darwin/20.6.0 source/x86_64 prompt/off
$ cat ~/.aws/config
[profile heydonovan]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=heydonovan --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1
[profile test123]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=test123 --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1
$ cat ~/.aws/credentials
[heydonovan]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-02T05:58:20.000Z
aws_session_token="REDACTED"
[test123]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-03T04:48:11.000Z
aws_session_token="REDACTED"
$ aws sts get-caller-identity --profile heydonovan
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
$ aws sts get-caller-identity --profile test123
{
"UserId": "REDACTED:REDACTED",
"Account": "REDACTED",
"Arn": "arn:aws:sts::REDACED:assumed-role/REDACTED/REDACTED"
}
I was faced with the same issue. Moreover, I'd tried to solve it by using another credential file, but it didn't help. credential_process doesn't take into account token expiration.
@heydonovan I think that config is invalid... credential_process is expected to output the credential as JSON, but your setup has the temporary credential defined in ~/.aws/credentials. That location takes precedence over the credential_process defined in ~/.aws/config, so once the expiration is reached there is nothing to refresh the credential, since the credential_process will not execute due to the defined credentials in ~/.aws/credentials.
I am guessing that gsts is actually both writing the temporary credential to ~/.aws/credentials and also outputting the credential object as JSON? If it has an option to disable writing to ~/.aws/credentials, then this will probably work fine for you.
@lorengordon gsts author here — that's exactly what's happening. I'll see what I can do to better support this use case.
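An added example (my own code, not from botocore, aws-cli, gsts or saml2aws) that models the provider order shown in the debug logs above: a constructed ~/.aws/credentials entry whose aws_session_expiration has passed, plus a stand-in credential_process that prints fresh credentials in the credential_process JSON format. resolve() with honour_expiration=False reproduces the behaviour lorengordon describes (the file entry wins, expired or not); honour_expiration=True is the fall-through the reporters are asking for. The function and flag names, and all key values, are my own placeholders.

```python
# Added example (not botocore/aws-cli/gsts code): a model of the provider order
# seen in the debug logs, shared-credentials-file before custom-process.
import configparser
import json
import shlex
import subprocess
import sys
from datetime import datetime, timezone

# Constructed "now": the file entry below expired a few hours earlier.
NOW = datetime(2022, 3, 2, 12, 0, 0, tzinfo=timezone.utc)

# Constructed ~/.aws/credentials content (placeholder values).
CREDENTIALS_INI = """\
[heydonovan]
aws_access_key_id = AKIAFILEEXAMPLE
aws_secret_access_key = fileSecretEXAMPLE
aws_session_token = fileTokenEXAMPLE
aws_session_expiration = 2022-03-02T05:58:20.000Z
"""

# Stand-in for gsts/saml2aws: the same interpreter prints fresh credentials in
# the credential_process JSON format (Version 1 plus the key fields).
FRESH = {"Version": 1, "AccessKeyId": "AKIAPROCESSEXAMPLE",
         "SecretAccessKey": "processSecretEXAMPLE",
         "SessionToken": "processTokenEXAMPLE",
         "Expiration": "2022-03-02T13:00:00Z"}
CONFIG_INI = "[profile heydonovan]\ncredential_process = %s -c %s\n" % (
    shlex.quote(sys.executable),
    shlex.quote("import json; print(json.dumps(%r))" % (FRESH,)))

def _parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def parse_expiration(value):
    # aws_session_expiration is written like 2022-03-02T05:58:20.000Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_process_output(stdout):
    """Validate what a credential_process printed; reject malformed output."""
    data = json.loads(stdout)
    if data.get("Version") != 1:
        raise ValueError("credential_process output must declare Version 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if key not in data:
            raise ValueError("credential_process output lacks %s" % key)
    return data

def run_credential_process(command):
    proc = subprocess.run(shlex.split(command), capture_output=True,
                          text=True, check=True)
    return parse_process_output(proc.stdout)

def resolve(profile, credentials_ini, config_ini, now=NOW,
            honour_expiration=False):
    """Return (source, creds). honour_expiration=False mirrors the observed
    behaviour; True models the fall-through to credential_process that the
    reporters ask for when the file entry has already expired."""
    creds = _parse_ini(credentials_ini)
    if creds.has_section(profile):
        sec = creds[profile]
        expiry = sec.get("aws_session_expiration")
        expired = bool(expiry) and parse_expiration(expiry) <= now
        if not (honour_expiration and expired):
            # The file entry wins here, whether or not it is still valid.
            return "shared-credentials-file", {
                "AccessKeyId": sec["aws_access_key_id"],
                "SecretAccessKey": sec["aws_secret_access_key"],
                "SessionToken": sec.get("aws_session_token"),
                "Expiration": expiry}
    cfg = _parse_ini(config_ini)
    name = "profile " + profile
    if cfg.has_section(name) and "credential_process" in cfg[name]:
        return "custom-process", run_credential_process(
            cfg[name]["credential_process"])
    raise LookupError("no credentials for profile %r" % profile)
```

Deleting the file entry (an empty credentials file) also reaches custom-process, which is the workaround the thread converges on.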
So this is by design and an issue with saml2aws? The solution is to change where the AWS credentials are stored by saml2aws, like this? (will confirm)
credential_process = saml2aws login -a saml --skip-prompt --quiet --credential-process --role arn:aws:iam::01234555654:role/my-role-read --region us-east-1 --profile dev --credentials-file=~/.aws/saml2aws.creds