aws-sdk-java

Valid SSO credentials aren't accepted by client

Open micah-press opened this issue 2 years ago • 7 comments

Describe the bug

I'm attempting to use the v1 and v2 Java AWS SDKs side by side. I'd like to support loading SSO credentials and use them to initialize v1 client objects. When I try to do this with a client (S3 in this case), I get an exception:

com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: <omitted>; S3 Extended Request ID: <omitted>; Proxy: null), S3 Extended Request ID: <omitted>

However, if I set up a profile using the Access Key, Secret Key, and Session Token generated from the SSO credentials, I'm able to authenticate successfully through the AWS CLI.

Expected Behavior

If I can generate a valid Access Key and Secret Key from a set of credentials, I should be able to initialize a client and make calls with it.

Current Behavior

The client rejects the Access Key ID, saying it doesn't exist on the backend.

Reproduction Steps

I've got an SSCCE at https://github.com/micah-press/aws-sdk-sscce.

Possible Solution

No response

Additional Information/Context

I wrote some shims/wrappers to implement the v1 credentials and providers interfaces using v2 objects. They're contained in the repo linked above.

AWS Java SDK version used

1.12.332 and 2.20.12

JDK version used

openjdk version "11.0.18" 2023-01-17

Operating System and version

Ubuntu 20.04.5 LTS

micah-press avatar Mar 01 '23 23:03 micah-press

Hi @micah-press, sorry for the delay in response.

Are the SSO credentials set in the default profile? If they are, it's indeed weird that V2ProfileCredentialsProvider is not picking them up.

Can you show the format of your SSO credentials in your profile file? Please redact the real values; I'm only interested in the attribute names to see if I can recreate them for my local tests.

debora-ito avatar Apr 05 '23 23:04 debora-ito

> Are the SSO credentials set in the default profile? If they are, it's indeed weird that V2ProfileCredentialsProvider is not picking them up.

Yep, I've been running aws sso login using the default profile to generate credentials.

> Can you show the format of your SSO credentials in your profile file? Please redact the real values; I'm only interested in the attribute names to see if I can recreate them for my local tests.

Do you mean my config file or my SSO credentials cache file?

micah-press avatar Apr 06 '23 15:04 micah-press

The config file.

debora-ito avatar Apr 06 '23 16:04 debora-ito

> The config file.

All our profiles look like this:

[<profile name>]
region = ...
output = ...
sso_start_url = ...
sso_region = ...
sso_account_id = ...
sso_role_name = ...

micah-press avatar Apr 10 '23 21:04 micah-press

Any other information I can provide?

micah-press avatar May 03 '23 19:05 micah-press

Please keep us posted if anyone found a workaround or solution to this.

Is there anything else I can help with?

micah-press avatar Oct 30 '23 21:10 micah-press

@micah-press I'm so sorry, I missed the fact that v1 does not offer native support for SSO; this was previously reported here: #2434.

See my comment in that referenced issue that shows how to use v2 SsoCredentialsProvider in a v1 project.

debora-ito avatar Jul 15 '24 21:07 debora-ito
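
An added example, not code from this thread, from the linked SSCCE, or from the comment in #2434: one way to expose a v2 credentials provider through the v1 `AWSCredentialsProvider` interface so a v1 client can use SSO credentials. The class name `V2ToV1CredentialsAdapter` is hypothetical, and the example assumes the v2 `sso` module is on the classpath and that `aws sso login` has already been run for the default profile.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;

/** Hypothetical adapter: exposes a v2 credentials provider through the v1 interface. */
public final class V2ToV1CredentialsAdapter implements AWSCredentialsProvider {
    private final AwsCredentialsProvider delegate;

    public V2ToV1CredentialsAdapter(AwsCredentialsProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public AWSCredentials getCredentials() {
        // Resolve on every call so the v2 provider can hand back renewed credentials.
        AwsCredentials v2 = delegate.resolveCredentials();
        if (v2 instanceof AwsSessionCredentials) {
            // SSO role credentials are temporary: the session token has to travel
            // with the key pair, so return the v1 session-credentials type.
            AwsSessionCredentials s = (AwsSessionCredentials) v2;
            return new BasicSessionCredentials(
                    s.accessKeyId(), s.secretAccessKey(), s.sessionToken());
        }
        return new BasicAWSCredentials(v2.accessKeyId(), v2.secretAccessKey());
    }

    @Override
    public void refresh() {
        // Nothing is cached here; the v2 delegate manages its own refresh.
    }

    public static void main(String[] args) {
        // Assumption: the default profile holds the sso_* keys shown in the thread.
        AWSCredentialsProvider v1Provider =
                new V2ToV1CredentialsAdapter(ProfileCredentialsProvider.create());
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(v1Provider)
                .build();
        s3.listBuckets().forEach(b -> System.out.println(b.getName()));
    }
}
```

When reviewing a shim like this, check that the v1 object returned for SSO credentials implements `AWSSessionCredentials`; a wrapper that returns only the access key and secret key drops the session token that temporary credentials need.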