serverless-better-credentials
Unhelpful error when SSO session has expired
Describe the bug
It was working fine, but suddenly I got an error saying: CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
To Reproduce
Steps to reproduce the behavior:
- Login via AWS SSO
- Run a serverless command
- All works
- Wait for session to expire
- Run a serverless command
- See the error
Expected behavior
A warning should be displayed and a new session could be started automatically
Screenshots
➜ ses-forwarder git:(develop) ✗ AWS_SDK_LOAD_CONFIG=1 npx sls deploy
Deploying ses-forwarder to stage prod (eu-west-1)
Error:
CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
at ProcessCredentials.load (.../mygrano-serverless/node_modules/aws-sdk/lib/credentials/process_credentials.js:80:11)
Desktop (please complete the following information):
- OS: MacOS 12.6
- Version 1.1.3
- Serverless Version Framework Core: 3.22.0 (local) Plugin: 6.2.2 SDK: 4.3.2
Additional context
After refreshing the CLI session manually it works again.
Interesting - that error's actually originating from the aws-sdk itself, rather than the plugin.
Do you mind sharing your ~/.aws/config file (redacting any numbers/keys/role-names 😄) as it looks like you're using a custom credential_process approach to supporting SSO, rather than the built-in SSO support provided by this plugin.
If that's the case, it may be that the Process Credentials response is relying on credentials cached by the aws-cli, rather than rotating them itself.
@thomasmichaelwallace Actually we just use the normal AWS SSO setup e.g.
[profile shared-developer]
sso_account_id = XXXXXXXXXXX
sso_role_name = FoobarAccess
sso_start_url = https://company-portal.awsapps.com/start/
sso_region = eu-west-1
region = eu-west-1
output = json
And I have defined AWS_PROFILE=shared-developer
I don't know why the SDK throws that error if the session is expired, perhaps I need to open a bug on the SDK itself.
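An added example, not part of the thread and not the plugin's or the SDK's code: a pre-flight check that turns the generic CredentialsError into an explicit "session expired" message for the profile layout shown above. It assumes the AWS CLI keeps SSO tokens as JSON files with startUrl, accessToken and expiresAt fields under ~/.aws/sso/cache; the function names and sample data are constructed for illustration.

```javascript
// Pre-flight check for an expired AWS SSO session (illustrative; names are hypothetical).

// Extract one [profile NAME] section from ~/.aws/config text as a key/value object.
function readProfile(configText, name) {
  const profile = {};
  let inSection = false;
  for (const raw of configText.split(/\r?\n/)) {
    const line = raw.trim();
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      inSection = header[1].trim() === `profile ${name}`;
      continue;
    }
    const eq = line.indexOf('=');
    if (inSection && eq > 0 && !/^[#;]/.test(line)) {
      profile[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return profile;
}

// Classify the cached token for a start URL as 'missing', 'expired' or 'valid'.
function ssoSessionState(cacheEntries, startUrl, now = new Date()) {
  const strip = (u) => String(u || '').replace(/\/+$/, ''); // tolerate a trailing slash
  const expiries = cacheEntries
    .filter((e) => e && e.accessToken && strip(e.startUrl) === strip(startUrl))
    .map((e) => Date.parse(String(e.expiresAt).replace(/UTC$/, 'Z'))) // accept a 'UTC' suffix
    .filter((t) => !Number.isNaN(t));
  if (expiries.length === 0) return 'missing';
  return Math.max(...expiries) > now.getTime() ? 'valid' : 'expired';
}

// Read every JSON file in the cache directory (assumed: ~/.aws/sso/cache); skip unreadable ones.
function loadSsoCache(dir) {
  const fs = require('fs');
  if (!fs.existsSync(dir)) return [];
  return fs.readdirSync(dir).filter((f) => f.endsWith('.json')).flatMap((f) => {
    try { return [JSON.parse(fs.readFileSync(`${dir}/${f}`, 'utf8'))]; } catch { return []; }
  });
}

// Message to show before running a serverless command; null when the session is usable.
function preflightMessage(state, profile) {
  return state === 'valid' ? null
    : `AWS SSO session for profile "${profile}" is ${state}; run: aws sso login --profile ${profile}`;
}

// Constructed sample data mirroring the profile in this thread.
const SAMPLE_CONFIG = '[profile shared-developer]\nsso_start_url = https://company-portal.awsapps.com/start/\n';
const SAMPLE_CACHE = [
  { clientId: 'constructed', expiresAt: '2023-01-01T00:00:00Z' }, // client registration, no token
  { startUrl: 'https://company-portal.awsapps.com/start', accessToken: 'constructed', expiresAt: '2022-10-20T08:00:00UTC' },
];
```

On a real machine, pass the contents of ~/.aws/config to readProfile and the result of loadSsoCache on the cache directory to ssoSessionState.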
@villelahdenvuo try adding https://github.com/benkehoe/aws-sso-util as a credential_process helper.
So for your example
~/.aws/config
credential_process = aws-sso-util credential-process --profile shared-developer
@herebebogans That should not be necessary, it's the whole point of this plugin.
https://stackoverflow.com/a/59314284/4316850 is it to do with the + and / signs?
I'm getting The security token included in the request is invalid (Service: AmazonIdentityManagement; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 67ab759b-9995-4b27-8d31-00ab6e1e831d; Proxy: null)