
Error: Unable to authenticate connection for profiles with source_profile in config for AWS Toolkit `>= 3.47.0`

Open budaesandrei opened this issue 9 months ago • 4 comments

Problem

In my company we have a setup where we have a landing profile in one account then a switch profile to a different account. My .aws/config looks something like this:

[sso-session aws1_session]
sso_start_url = https://{domain}.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile Landing]
sso_session = aws1_session
sso_account_id = {landing_account_id}
sso_role_name = Landing
region = us-east-1
output = json

[profile dev]
output = json
region = us-east-1
role_arn = arn:aws:iam::{dev_account_id}:role/dev
source_profile = Landing

Up to and including version 3.46.0, if I wanted to switch to profile dev I didn't have any problem. But from version 3.47.0 onwards I get this error:

[info] auth: Updating connection state of profile:dev to authenticating
[info] auth: Handling validation error of connection: profile:dev
[info] auth: Updating connection state of profile:dev to invalid
[error] _aws.toolkit.auth.reauthenticate: Error: Unable to authenticate connection
   -> InvalidClientTokenId: The security token included in the request is invalid. (statusCode: 403; requestId: 00000000-0000-0000-0000-000000000000)

I need to mention I can switch to the Landing profile with no issues though. Also, if I install version 3.46.0 I can also switch into the dev profile with no issues. This happens for any version >= 3.47.0.

Steps to reproduce the issue

  1. Go to Extensions in VSCode
  2. Search for AWS Toolkit
  3. Uninstall if already installed
  4. Click the gear icon and Install Specific Version
  5. Select any >= 3.47.0
  6. Edit your .aws/config file to include a profile that uses a switch role
  7. Sign in using aws sso login
  8. In VSCode try to switch into the chained profile

Expected behavior

  1. There should be no error
  2. AWS Explorer should show Connected with profile:dev

System details (run AWS: About and/or Amazon Q: About)

  • OS: Windows_NT x64 10.0.22621
  • Visual Studio Code extension host: 1.98.2
  • AWS Toolkit version: >= 3.47.0
  • node: 20.18.2
  • electron: 34.2.0

budaesandrei avatar Apr 01 '25 15:04 budaesandrei
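
Added example (not from the issue author or the AWS Toolkit project): a Python check that parses an AWS config file and lists the profiles whose `role_arn`/`source_profile` chain is rooted in an SSO profile, which is the configuration shape reported above. The function names are hypothetical, and the sample config is constructed with a placeholder start URL and account IDs.

```python
import configparser

# Constructed sample shaped like the config in the issue (placeholder values).
SAMPLE_CONFIG = """\
[sso-session aws1_session]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[profile Landing]
sso_session = aws1_session
sso_account_id = 111111111111
sso_role_name = Landing

[profile dev]
role_arn = arn:aws:iam::222222222222:role/dev
source_profile = Landing
"""

def load_profiles(text):
    """Map profile name -> settings for every [profile X] section."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(text)
    return {s[len("profile "):].strip(): dict(parser[s])
            for s in parser.sections() if s.startswith("profile ")}

def resolve_chain(profiles, name):
    """Follow source_profile links; return (hops, kind of root credentials)."""
    hops = []
    while True:
        if name in hops:
            raise ValueError(f"source_profile cycle at {name!r}")
        if name not in profiles:
            raise KeyError(f"profile {name!r} is not defined")
        hops.append(name)
        settings = profiles[name]
        if "role_arn" in settings and "source_profile" in settings:
            name = settings["source_profile"]  # next hop supplies credentials
            continue
        is_sso = "sso_session" in settings or "sso_start_url" in settings
        return hops, "sso" if is_sso else "other"

def sso_chained_profiles(profiles):
    """Profiles that assume a role from credentials rooted in an SSO profile."""
    found = []
    for name in sorted(profiles):
        hops, root = resolve_chain(profiles, name)
        if len(hops) > 1 and root == "sso":
            found.append(name)
    return found
```

Passing the text of a real config file to `load_profiles` and the result to `sso_chained_profiles` lists the profiles that have this shape.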

Seems to be a regression, and we are affected by this as well.

Earlier issue: https://github.com/aws/aws-toolkit-vscode/issues/1740

awsiv avatar Apr 08 '25 12:04 awsiv

Same here.

curator avatar Apr 10 '25 02:04 curator

We are pinning 3.46.0 as a workaround.

acleaves-gresham avatar Apr 23 '25 08:04 acleaves-gresham

We hit the same issue; the downgrade to 3.46.0 worked.

@acleaves-gresham - Thanks for the suggestion!

Spoonsk avatar Jun 05 '25 19:06 Spoonsk

This is blocking the ability to list SageMaker Apps (only available in newer versions of toolkit) for those orgs that only allow connection through assumed roles.

jpmorris avatar Jul 22 '25 18:07 jpmorris