
sso credentials in cache not updated

Open: matschundbrei opened this issue 2 years ago, 1 comment

Hi,

I am using SSM Session Manager with KMS Encryption to access several EC2 hosts. This consistently fails when the session was created with assume:

----------ERROR-------
Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: SSOProviderInvalidToken: the SSO session has expired or is invalid

Strangely enough, when I do a manual aws sso login to the profile it works. Investigating a bit further brought me to the ~/.aws/sso/cache folder, where a cached variant of the credentials is placed when I log in via aws sso login.

This seems to be hardwired into the ssm-session-manager plugin.

I know this might be a security issue and one might not want this, but is there a way to 'trick' granted into updating this cache?

Cheers, Jan

matschundbrei, Feb 16 '23 09:02

I've been having the same issue when working with the AWS Ruby SDK. When I use assume by itself and then try to create e.g. a new STS client with Aws::STS::Client.new, it complains about an outdated token.

I can fix the issue by either unsetting AWS_PROFILE, which gets the Ruby SDK to use the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKEN directly, or by running aws sso login.

In fact, in my case, it seems easier to just use aws sso login and set AWS_PROFILE directly.

jextrevor, Oct 13 '23 19:10
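As an added example (not code from the thread, from granted, or from the AWS SDK), a small Ruby diagnostic for the failure mode discussed above: it reads token files in the ~/.aws/sso/cache format and flags expired ones, and encodes the observation from the last comment that a set AWS_PROFILE sends a client to the SSO token cache while an unset one lets it use the static credentials exported by assume. The cache directory, start URL and token values it builds are constructed placeholders.

```ruby
require 'json'
require 'time'
require 'tmpdir'

# Parse every token file in an SSO cache directory (the real one is
# ~/.aws/sso/cache, written by `aws sso login`). Each file is JSON carrying
# "startUrl", "region", "accessToken" and an ISO 8601 UTC "expiresAt".
# Returns one hash per file; :expired is the condition behind an
# SSOProviderInvalidToken error.
def sso_cache_status(cache_dir, now = Time.now.utc)
  Dir.glob(File.join(cache_dir, '*.json')).sort.map do |path|
    data = JSON.parse(File.read(path))
    expires_at = Time.iso8601(data.fetch('expiresAt'))
    { file: File.basename(path), start_url: data['startUrl'],
      expires_at: expires_at, expired: expires_at <= now }
  end
end

# Which credential path a profile-aware client takes, following the thread's
# observation: with AWS_PROFILE set to an SSO profile the token cache is
# consulted; with it unset, the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
# AWS_SESSION_TOKEN that `assume` exported are used as static credentials.
STATIC_KEYS = %w[AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN].freeze

def credential_path(env)
  present = ->(k) { !env[k].to_s.empty? }
  return :sso_profile_cache if present.call('AWS_PROFILE')
  return :static_env_credentials if STATIC_KEYS.all?(&present)
  :none
end

# Build a constructed cache directory with one expired and one valid token
# (placeholder values, no real tokens) and report on it at a fixed "now".
def demo(now = Time.utc(2023, 2, 16, 9, 0, 0))
  Dir.mktmpdir('sso-cache') do |dir|
    { 'expired.json' => now - 3600, 'valid.json' => now + 3600 }.each do |name, exp|
      File.write(File.join(dir, name), JSON.generate(
        'startUrl' => 'https://example.awsapps.com/start', 'region' => 'eu-central-1',
        'accessToken' => 'PLACEHOLDER-TOKEN', 'expiresAt' => exp.utc.iso8601))
    end
    sso_cache_status(dir, now)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |t| puts "#{t[:file]}: expires #{t[:expires_at].iso8601} expired=#{t[:expired]}" }
  puts "credential path for this shell: #{credential_path(ENV)}"
end
```

Pointing sso_cache_status at the real ~/.aws/sso/cache shows whether the handshake error is simply an expired cached token that a fresh assume did not refresh.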