
Credentials (with changed MFA token) not reloaded

Open fr-an-k opened this issue 3 years ago • 4 comments

Describe the bug

I'm using credentials with MFA, updated with a token through a script (aws-mfa). Once expired, the only way to reload it is to click to edit the credentials files.

To reproduce

  1. Use IAM credentials with MFA
  2. Acquire a token and put it in the credentials file (for instance using the aws-mfa python script)
  3. Wait for token to expire if there is no credential error already, then renew the token
  4. Credential error occurs (red message, no CloudWatch logs, etc)
  5. Try to refresh -> still fails
  6. Click Edit AWS Credential File(s) from the profile menu: credentials are reloaded and loading AWS resources succeeds

Expected behavior

Ideally, it would detect the change in the credential file. It should at least reload the credentials when you press on refresh, or when a credential error is encountered.

Screenshots

Your Environment

  • OS: Windows 11 + WSL2
  • JetBrains product: WebStorm
  • JetBrains product version: #WS-213.6777.57
  • AWS Toolkit version: 1.38-213
  • SAM CLI version:
  • JVM/Python version:

Additional context

fr-an-k avatar Mar 01 '22 12:03 fr-an-k

Hey @frank-unovica

I'm curious what your set-up looks like as you've mentioned WSL2. Are your credentials on the Windows filesystem or WSL? And are your projects located within WSL? One way to tell is by looking for a \\wsl$ prefix for paths in your settings.

JadenSimon avatar Apr 28 '22 20:04 JadenSimon

It's all within the default Ubuntu virtual machine, including my code.

I set my normal credentials (with aws_mfa_device) under a [default-long-term] profile and then the aws-mfa python script takes the MFA code and sets the [default] credentials with a different access key, aws session/security token and 12 hour expiration, and assumed_role = false.

I guess the plugin would have to use a file watcher or check the file modification date when the user starts interacting with the plugin, and reload it if changed.

fr-an-k avatar Apr 29 '22 04:04 fr-an-k
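The approach suggested in the comment above (compare the credentials file's modification stamp whenever the profile is used, and force a reload after a credential error) as an added Python example; it is not code from the toolkit or from aws-mfa. `ReloadingProfile`, `ExpiredToken`, `write_profile` and `demo` are hypothetical names, and the profile values are constructed sample data.

```python
import configparser
import os
import tempfile

class ExpiredToken(Exception):
    """Stand-in for the STS 403 'security token ... is expired' error."""

class ReloadingProfile:
    """Caches one profile; re-reads when the file's (mtime, size) changes."""
    def __init__(self, path, profile="default"):
        self.path, self.profile = path, profile
        self._stamp = self._creds = None

    def get(self, force=False):
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_size)
        if force or stamp != self._stamp:
            parser = configparser.ConfigParser(interpolation=None)
            parser.read(self.path)
            self._creds = dict(parser[self.profile])  # KeyError if missing
            self._stamp = stamp
        return self._creds

    def call(self, request):
        # On a credential error, force one re-read and retry once.
        try:
            return request(self.get())
        except ExpiredToken:
            return request(self.get(force=True))

def write_profile(path, token, mtime_ns):
    # Constructed sample data shaped like the [default] profile in the thread.
    with open(path, "w") as f:
        f.write("[default]\naws_access_key_id = EXAMPLEKEYID\n"
                f"aws_session_token = {token}\nassumed_role = False\n")
    os.utime(path, ns=(mtime_ns, mtime_ns))  # fixed stamp keeps the demo deterministic

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        write_profile(path, "token-old", 1_650_000_000 * 10**9)
        prof = ReloadingProfile(path)
        first = prof.get()["aws_session_token"]
        write_profile(path, "token-new", 1_650_043_200 * 10**9)  # renewal
        second = prof.get()["aws_session_token"]
        return first, second

if __name__ == "__main__":
    print(demo())
```

The stamp check does not depend on file-change notifications being delivered, and the forced re-read in `call` covers a rewrite that leaves the modification time and size unchanged.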

We actually already have a file watcher set up on the credential files: https://github.com/aws/aws-toolkit-jetbrains/blob/3e970f39482ebb3d44298ddeaeb30136fede73f9/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileWatcher.kt#L30-L38

So we need to figure out what's happening differently on WSL2.

rli avatar Apr 29 '22 20:04 rli

Maybe this helps: what I see in the AWS Explorer screen is: "Unable to connect to AWS: The security token included in the request is expired (Service: Sts, Status Code: 403, Request ID: 951.......b34)" When I press retry it gets the same error with a different request ID. When I press "edit AWS Credential file(s)" or open them through the profile selection menu, it uses the correct token and works again.

fr-an-k avatar Apr 30 '22 11:04 fr-an-k