
ARM Fedora 42 will ERROR unable to save CreateTokenResponse error="Object does not exist at path “/”", restart fixes until sleep

Open davidjeddy opened this issue 4 months ago • 6 comments

Output of aws-sso version:

aws-sso version
AWS SSO CLI Version 2.0.3 -- Copyright 2021-2025 Aaron Turner
5c1f920359c675b7ac7e7efb2b7459553207287e (v2.0.3) built at 2025-05-29T15:11:31+0000

Describe the bug:

Running aws-sso login prompts for keyring authentication, then completes authentication via the browser successfully. Returning to the terminal, an error message is presented.

To Reproduce:

aws-sso login
# auth keyring
# complete process
# see error response in terminal

Expected behavior: Ability to execute aws-sso exec successfully after authorizing

Screenshots: If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Fedora 42 via UTM (using QEMU 9.x) on MacBook Pro M3 host

Additional context:

Here is the output when using trace log level.

$ aws-sso login --lines --level=trace --config=~/.config/aws-sso/config.yaml
WARN  storage/keyring.go:222 unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG sso/awssso.go:94 loading SSO retries=10 maxBackoff=5
DEBUG sso/awssso_auth.go:49 no CreateTokenResponse for token-response:Default
TRACE sso/awssso_auth.go:73 Authenticate urlAction=open browser=""
TRACE sso/awssso_auth.go:96 reauthenticate() storeKey=Default
TRACE sso/awssso_auth.go:152 registerClient()
TRACE sso/awssso_auth.go:154 Checking cache for RegisterClientData storeKey=Default
TRACE sso/awssso_auth.go:169 Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public
TRACE sso/awssso_auth.go:174 Registered new client with AWS SSO ClientId=REDACTED ClientSecretExpiresAt=1764502339
TRACE sso/awssso_auth.go:184 SaveRegisterClientData start storeKey=Default
ERROR sso/awssso_auth.go:187 unable to save RegisterClientData storeKey=Default error="Object does not exist at path “/”"
TRACE sso/awssso_auth.go:189 SaveRegisterClientData complete storeKey=Default
TRACE sso/awssso_auth.go:101 <- reauthenticate()
TRACE sso/awssso_auth.go:196 startDeviceAuthorization() storeKey=Default
DEBUG sso/awssso_auth.go:215 Created OIDC device code storeKey=Default expires=600

	Verify this code in your browser: FZVF-GJXX
TRACE sso/awssso_auth.go:104 <- reauthenticate()
TRACE sso/awssso_auth.go:230 getDeviceAuthInfo()
TRACE sso/awssso_auth.go:117 <- reauthenticate()
INFO  url/url.go:247 Opening URL browser="default browser"
INFO  sso/awssso_auth.go:129 Waiting for SSO authentication...
TRACE sso/awssso_auth.go:246 createToken()
ERROR sso/awssso_auth.go:300 unable to save CreateTokenResponse error="Object does not exist at path “/”"

Contents of your config (~/.aws-sso/config.yaml or ~/.config/aws-sso/config.yaml):

SSOConfig:
    Default:
        SSORegion: eu-west-1
        StartUrl: https://d-936744760e.awsapps.com/start
        AuthUrlAction: open
DefaultSSO: Default
DefaultRegion: us-east-1
ConsoleDuration: 720
CacheRefresh: 168
Threads: 5
MaxBackoff: 5
MaxRetry: 10
UrlAction: open
ConfigProfilesUrlAction: open
LogLevel: error
HistoryLimit: 10
HistoryMinutes: 1440
ProfileFormat: "{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}"
AccountPrimaryTag:
    - AccountName
    - AccountAlias
    - Email
PromptColors:
    descriptionbgcolor: Turquoise
    descriptiontextcolor: Black
    inputbgcolor: DefaultColor
    inputtextcolor: DefaultColor
    prefixbackgroundcolor: DefaultColor
    prefixtextcolor: Blue
    previewsuggestionbgcolor: DefaultColor
    previewsuggestiontextcolor: Green
    scrollbarbgcolor: Cyan
    scrollbarthumbcolor: LightGrey
    selecteddescriptionbgcolor: DarkGray
    selecteddescriptiontextcolor: White
    selectedsuggestionbgcolor: DarkGray
    selectedsuggestiontextcolor: White
    suggestionbgcolor: Cyan
    suggestiontextcolor: White
ListFields:
    - AccountIdPad
    - AccountAlias
    - RoleName
    - Profile
    - Expires
FullTextSearch: true

Did a restart of the instance and attempted aws-sso:

david@fedora:~/Projects$ aws-sso login --level=trace
WARN  unable to load keyring data error="The specified item could not be found in the keyring"
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG no CreateTokenResponse for token-response:Default
TRACE Authenticate urlAction=open browser=""
TRACE reauthenticate() storeKey=Default
TRACE registerClient()
TRACE Checking cache for RegisterClientData storeKey=Default
TRACE Registering new client with AWS SSO ClientName=aws-sso-cli ClientType=public
TRACE Registered new client with AWS SSO ClientId=REDACTED ClientSecretExpiresAt=1764242235
TRACE SaveRegisterClientData start storeKey=Default
TRACE SaveRegisterClientData complete storeKey=Default
TRACE <- reauthenticate()
TRACE startDeviceAuthorization() storeKey=Default
DEBUG Created OIDC device code storeKey=Default expires=600

	Verify this code in your browser: VQQD-GJJH
TRACE <- reauthenticate()
TRACE getDeviceAuthInfo()
TRACE <- reauthenticate()
INFO  Opening URL browser="default browser"
INFO  Waiting for SSO authentication...
TRACE createToken()
david@fedora:~/Projects$ aws-sso login exec
> david@fedora:~/Projects$ aws-sso exec
Use <Up/Down Arrow> to highlight key/value and then <Space> to select.
Type `exit` or `Ctrl-D` to abort.
> AccountAlias worldline-gc-cicd-build-prod arn:aws:iam::891377244928:role/developerAdmin 
david@fedora:~/Projects$ aws s3 ls
2024-05-19 22:02:43 aws-waf-logs-prd-toolbox-waf-logging-m590
2025-07-03 12:43:56 i2reports-prod-ap-south-1
2024-03-07 08:27:59 i2reports-prod-eu-west-1
2024-05-20 15:44:49 jenkins-conf...

davidjeddy avatar Aug 29 '25 11:08 davidjeddy

Not seeing a prompt for a password as expected for the file store. Can you add SecureStore: file to your config.yaml file and see if that fixes it? fwiw, other options: https://synfinatic.github.io/aws-sso-cli/latest/config/#securestore-jsonstore

synfinatic avatar Sep 03 '25 16:09 synfinatic

That would be the corrective action! Thank you @synfinatic .

david@fedora:~/$ aws-sso login
ERROR unable to save RegisterClientData storeKey=Default error="Object does not exist at path “/”"

	Verify this code in your browser: [[REDACTED]]
ERROR unable to save CreateTokenResponse error="Object does not exist at path “/”"
david@fedora:~/$ vi ~/.config/aws-sso/
cache.json    config.yaml   storage.lock  
david@fedora:~/$ vi ~/.config/aws-sso/config.yaml 
david@fedora:~/$ cat ~/.config/aws-sso/config.yaml 
SSOConfig:
    Default:
        SSORegion: eu-west-1
        StartUrl: [[REDACTED]]
ConsoleDuration: 720
CacheRefresh: 168
UrlAction: open
LogLevel: error
HistoryLimit: 10
HistoryMinutes: 1440
ProfileFormat: "{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}"
FullTextSearch: true
SecureStore: file
david@fedora:~/$ aws-sso login
Select password: 
Verify password: 

	Verify this code in your browser: [[REDACTED]]
david@fedora:~/$ aws-sso exec
Enter passphrase to unlock "/home/david/.config/aws-sso/secure": 
Use <Up/Down Arrow> to highlight key/value and then <Space> to select.
Type `exit` or `Ctrl-D` to abort.
> AccountAlias worldline-gc-cicd-build-dev arn:aws:iam::730335529266:role/developerAdmin 
david@fedora:~/$ aws s3 ls
2025-07-17 13:19:02 aws-waf-logs-dev-...
...-dev-terraform-state-eu-west-1

For my own understanding, what causes this situation, so that I can share with the team on this side?

davidjeddy avatar Sep 05 '25 07:09 davidjeddy
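An added example, not part of the thread and not aws-sso-cli code: a small triage script that reads aws-sso log output, lists which objects failed to reach the secure store, and reports whether config.yaml pins a `SecureStore` backend. The function names are hypothetical, the sample log is constructed from the lines quoted in this issue, and the parser assumes that same line format.

```shell
#!/bin/sh
# Added example: triage aws-sso log output for secure-store write failures.
# Function names are hypothetical; log format follows the lines quoted above.

# Constructed sample, modelled on the log lines in this issue.
sample_log() {
cat <<'EOF'
WARN  storage/keyring.go:222 unable to load keyring data error="The specified item could not be found in the keyring"
TRACE sso/awssso_auth.go:184 SaveRegisterClientData start storeKey=Default
ERROR sso/awssso_auth.go:187 unable to save RegisterClientData storeKey=Default error="Object does not exist at path “/”"
INFO  sso/awssso_auth.go:129 Waiting for SSO authentication...
ERROR sso/awssso_auth.go:300 unable to save CreateTokenResponse error="Object does not exist at path “/”"
EOF
}

# Print each object aws-sso could not persist, one per line.
# Handles logs with and without the --lines "file.go:NN" column.
failed_saves() {
  awk '$1 == "ERROR" {
    for (i = 2; i + 3 <= NF; i++)
      if ($i == "unable" && $(i+1) == "to" && $(i+2) == "save") {
        print $(i+3); break
      }
  }'
}

# Print the top-level SecureStore value from a config.yaml, or "unset"
# when no backend is pinned in the config.
secure_store_setting() {
  awk -F': *' '/^SecureStore:/ { print $2; found = 1 }
               END { if (!found) print "unset" }' "$1"
}

# $1 = log file, $2 = config.yaml. Returns 1 if anything was not persisted.
triage() {
  t_failed=$(failed_saves < "$1" | sort -u | paste -sd, -)
  t_store=$(secure_store_setting "$2")
  if [ -z "$t_failed" ]; then
    echo "ok store=$t_store"
    return 0
  fi
  echo "not-persisted=$t_failed store=$t_store"
  return 1
}

# Run as: sh triage.sh aws-sso.log ~/.config/aws-sso/config.yaml
if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

A non-zero exit with `store=unset` matches the first login in this issue; after `SecureStore: file` is added and the errors disappear, the same check reports `ok store=file`.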

I'm honestly quite curious myself! Linux should be auto detected and default to SecureStore: file without having to be told, and yet here we are. I'm going to have to look into this further and see if I can find the solution. I'm going to keep this bug open and may have some code for you to test in the future if you're willing.

Can you provide more information about the hardware/etc? Is this running in a VM for example on Apple Silicon for example? Or perhaps an Amazon Graviton or ???

synfinatic avatar Sep 05 '25 14:09 synfinatic

Sorry for the delayed response. Here is the host config:

Physical (AARCH64):

  • MacBook Pro Mac15,6 (M3 Pro)
  • UTM 4.6.5 (108)

Runtime (AMD64):

Fedora release 42 (Adams)
NAME="Fedora Linux"
VERSION="42 (Workstation Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=42
VERSION_CODENAME=""
PLATFORM_ID="platform:f42"
PRETTY_NAME="Fedora Linux 42 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:42"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f42/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=42
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=42
SUPPORT_END=2026-05-13
VARIANT="Workstation Edition"
VARIANT_ID=workstation
Fedora release 42 (Adams)
Fedora release 42 (Adams)

davidjeddy avatar Sep 16 '25 09:09 davidjeddy

@davidjeddy Just to be clear: you're running Ubuntu under qemu because your mac is apple silicon and you've picked an x86 runtime???

synfinatic avatar Sep 17 '25 14:09 synfinatic

Almost: Fedora (x86) under QEMU via UTM on Apple Silicon M3 (arm64). Most of our environment is x86, so I want my workspace to be as aligned as possible.

davidjeddy avatar Oct 07 '25 09:10 davidjeddy