Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

'NoneType' object has no attribute 'get_frozen_token' when using new SSO session configuration #7496

Closed
zvickery opened this issue Dec 3, 2022 · 10 comments · Fixed by boto/botocore#2851
Closed

'NoneType' object has no attribute 'get_frozen_token' when using new SSO session configuration #7496

zvickery opened this issue Dec 3, 2022 · 10 comments · Fixed by boto/botocore#2851
Assignees
@aBurmeseDev
Labels
bug This issue is a bug. iam

Comments

@zvickery
Copy link

zvickery commented Dec 3, 2022

Describe the bug

I am attempting to use the new SSO session configuration in conjunction with CLI profiles that are IAM roles. If I do this, I get the below error when running any AWS command:

% cat ~/.aws/config
[default]
sso_account_id = XXXXXXXXXXX
sso_role_name = SomePermisionSet
region = us-east-1
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = us-east-1
sso_session = testing
[sso-session testing]
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

% aws s3 ls --profile role-access

'NoneType' object has no attribute 'get_frozen_token'

Expected Behavior

The AWS CLI works as expected with the "legacy" SSO configuration format (no sessions):

% cat ~/.aws/config
[default]
sso_account_id = XXXXXXXXXXX
sso_role_name = SomePermisionSet
region = us-east-1
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = us-east-1

% aws s3 ls --profile role-access
<EXPECTED_OUTPUT>

Current Behavior

Here is debug logging from running this. Note that the role configuration looks like below:

[role-access]
role_arn = arn:aws:iam::XXXXXXXXXXX:role/role-access
source_profile = default
role_session_name = mysession

CLI debug logs:

% aws s3 ls --profile role-access --debug
2022-12-02 17:50:57,938 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.9.3 Python/3.11.0 Darwin/21.6.0 source/arm64
2022-12-02 17:50:57,938 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--profile', 'role-access', '--debug']
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x10766f4c0>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x1071ff420>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x1071802c0>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x107181940>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x107682fc0>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x107246ca0>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x107681f80>
2022-12-02 17:50:57,948 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x107734390>>
2022-12-02 17:50:57,948 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/data/cli.json
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x1075aad40>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x1075ab060>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x1075aafc0>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x1075ab1a0>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x1075ab100>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x10772d640>
2022-12-02 17:50:57,949 - MainThread - botocore.session - DEBUG - Setting config variable for profile to 'role-access'
2022-12-02 17:50:57,949 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.9.3 Python/3.11.0 Darwin/21.6.0 source/arm64 prompt/off
2022-12-02 17:50:57,949 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--profile', 'role-access', '--debug']
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x1076800e0>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x106ee49a0>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x1076fc720>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x106ecd080>
2022-12-02 17:50:57,949 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x106f2aa20>
2022-12-02 17:50:57,950 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2022-12-02 17:50:57,953 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2022-12-02 17:50:57,953 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x107246480>
2022-12-02 17:50:57,953 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x1071e7560>
2022-12-02 17:50:57,953 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3: calling handler <function add_waiters at 0x107681f80>
2022-12-02 17:50:57,953 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x107734390>>
2022-12-02 17:50:57,953 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3_ls: calling handler <function add_waiters at 0x107681f80>
2022-12-02 17:50:57,953 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3_ls: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x107734390>>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.paths: calling handler <awscli.paramfile.URIArgumentHandler object at 0x107763050>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x107763050>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.page-size: calling handler <awscli.paramfile.URIArgumentHandler object at 0x107763050>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.human-readable: calling handler <awscli.paramfile.URIArgumentHandler object at 0x107763050>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x106ee9a50>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.summarize: calling handler <awscli.paramfile.URIArgumentHandler object at 0x107763050>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x106ee9a50>
2022-12-02 17:50:57,954 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.request-payer: calling handler <awscli.paramfile.URIArgumentHandler object at 0x107763050>
2022-12-02 17:50:57,954 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2022-12-02 17:50:57,955 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): 169.254.169.254:80
2022-12-02 17:50:58,956 - MainThread - botocore.utils - DEBUG - Caught retryable HTTP exception while making metadata service request to http://169.254.169.254/latest/api/token: Connect timeout on endpoint URL: "http://169.254.169.254/latest/api/token"
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 174, in _new_conn
    conn = connection.create_connection(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/util/connection.py", line 95, in create_connection
    raise err
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/util/connection.py", line 85, in create_connection
    sock.connect(sa)
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/httpsession.py", line 448, in send
    urllib_response = conn.urlopen(
                      ^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/util/retry.py", line 525, in increment
    raise six.reraise(type(error), error, _stacktrace)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/packages/six.py", line 770, in reraise
    raise value
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
                       ^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py", line 398, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 239, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/awsrequest.py", line 94, in _send_request
    rval = super(AWSConnection, self)._send_request(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/awsrequest.py", line 122, in _send_output
    self.send(msg)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/awsrequest.py", line 206, in send
    return super(AWSConnection, self).send(str)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 975, in send
    self.connect()
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 205, in connect
    conn = self._new_conn()
           ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 179, in _new_conn
    raise ConnectTimeoutError(
urllib3.exceptions.ConnectTimeoutError: (<botocore.awsrequest.AWSHTTPConnection object at 0x107772b50>, 'Connection to 169.254.169.254 timed out. (connect timeout=1)')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 383, in _fetch_metadata_token
    response = self._session.send(request.prepare())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/httpsession.py", line 483, in send
    raise ConnectTimeoutError(endpoint_url=request.url, error=e)
botocore.exceptions.ConnectTimeoutError: Connect timeout on endpoint URL: "http://169.254.169.254/latest/api/token"
2022-12-02 17:50:58,963 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTP connection (2): 169.254.169.254:80
2022-12-02 17:50:59,966 - MainThread - botocore.utils - DEBUG - Caught retryable HTTP exception while making metadata service request to http://169.254.169.254/latest/meta-data/placement/availability-zone/: Connect timeout on endpoint URL: "http://169.254.169.254/latest/meta-data/placement/availability-zone/"
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 174, in _new_conn
    conn = connection.create_connection(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/util/connection.py", line 95, in create_connection
    raise err
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/util/connection.py", line 85, in create_connection
    sock.connect(sa)
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/httpsession.py", line 448, in send
    urllib_response = conn.urlopen(
                      ^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/util/retry.py", line 525, in increment
    raise six.reraise(type(error), error, _stacktrace)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/packages/six.py", line 770, in reraise
    raise value
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
                       ^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py", line 398, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 239, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/awsrequest.py", line 94, in _send_request
    rval = super(AWSConnection, self)._send_request(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/awsrequest.py", line 122, in _send_output
    self.send(msg)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/awsrequest.py", line 206, in send
    return super(AWSConnection, self).send(str)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.0/Frameworks/Python.framework/Versions/3.11/lib/python3.11/http/client.py", line 975, in send
    self.connect()
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 205, in connect
    conn = self._new_conn()
           ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/urllib3/connection.py", line 179, in _new_conn
    raise ConnectTimeoutError(
urllib3.exceptions.ConnectTimeoutError: (<botocore.awsrequest.AWSHTTPConnection object at 0x107840550>, 'Connection to 169.254.169.254 timed out. (connect timeout=1)')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 431, in _get_request
    response = self._session.send(request.prepare())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/httpsession.py", line 483, in send
    raise ConnectTimeoutError(endpoint_url=request.url, error=e)
botocore.exceptions.ConnectTimeoutError: Connect timeout on endpoint URL: "http://169.254.169.254/latest/meta-data/placement/availability-zone/"
2022-12-02 17:50:59,969 - MainThread - awscli.utils - DEBUG - Max number of attempts exceeded (1) when attempting to retrieve data from metadata service.
2022-12-02 17:50:59,969 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2022-12-02 17:50:59,969 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2022-12-02 17:50:59,969 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2022-12-02 17:50:59,970 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/data/endpoints.json
2022-12-02 17:50:59,982 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x1061600e0>
2022-12-02 17:51:00,000 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/data/s3/2006-03-01/service-2.json
2022-12-02 17:51:00,018 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/data/s3/2006-03-01/endpoint-rule-set-1.json
2022-12-02 17:51:00,021 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/data/partitions.json
2022-12-02 17:51:00,022 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x10609b740>
2022-12-02 17:51:00,022 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x10609b4c0>
2022-12-02 17:51:00,023 - MainThread - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2022-12-02 17:51:00,024 - MainThread - botocore.utils - DEBUG - Registering S3 region redirector handler
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <function customize_endpoint_resolver_builtins at 0x106180900>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <bound method S3RegionRedirectorv2.redirect_from_cache of <botocore.utils.S3RegionRedirectorv2 object at 0x107ebce90>>
2022-12-02 17:51:00,025 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'aws-global', 'UseFIPS': False, 'UseDualStack': False, 'ForcePathStyle': False, 'Accelerate': False, 'UseGlobalEndpoint': False, 'DisableMultiRegionAccessPoints': False, 'UseArnRegion': True}
2022-12-02 17:51:00,025 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://s3.amazonaws.com
2022-12-02 17:51:00,025 - MainThread - botocore.regions - DEBUG - Selecting from endpoint provider's list of auth schemes: "sigv4". User selected auth scheme is: "None"
2022-12-02 17:51:00,025 - MainThread - botocore.regions - DEBUG - Selected auth type "v4" as "v4" with signing context params: {'region': 'us-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.s3.ListBuckets: calling handler <function base64_decode_input_blobs at 0x1076fc7c0>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <function validate_bucket_name at 0x106162660>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <function remove_bucket_from_url_paths_from_model at 0x106180720>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <bound method S3RegionRedirectorv2.annotate_request_context of <botocore.utils.S3RegionRedirectorv2 object at 0x107ebce90>>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <function generate_idempotent_uuid at 0x106162480>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <function add_expect_header at 0x106162a20>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <function inject_api_version_header_if_needed at 0x106163f60>
2022-12-02 17:51:00,025 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ListBuckets) with params: {'url_path': '/', 'query_string': '', 'method': 'GET', 'headers': {'User-Agent': 'aws-cli/2.9.3 Python/3.11.0 Darwin/21.6.0 source/arm64 prompt/off command/s3.ls'}, 'body': b'', 'url': 'https://s3.amazonaws.com/', 'context': {'client_region': 'aws-global', 'client_config': <botocore.config.Config object at 0x107ebca50>, 'has_streaming_input': False, 'auth_type': 'v4', 'signing': {'region': 'us-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}, 's3_redirect': {'redirected': False, 'bucket': None, 'params': {}}}}
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.ListBuckets: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x1070aee50>>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.ListBuckets: calling handler <function set_operation_specific_signer at 0x106162340>
2022-12-02 17:51:00,025 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.ListBuckets: calling handler <function remove_arn_from_signing_path at 0x106180860>
2022-12-02 17:51:00,026 - MainThread - botocore.credentials - DEBUG - Credentials were found in cache, but they are expired.
2022-12-02 17:51:00,026 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x1061600e0>
2022-12-02 17:51:00,026 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/data/sso/2019-06-10/service-2.json
2022-12-02 17:51:00,026 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/data/sso/2019-06-10/endpoint-rule-set-1.json
2022-12-02 17:51:00,026 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.sso: calling handler <function add_generate_presigned_url at 0x10609b4c0>
2022-12-02 17:51:00,028 - MainThread - botocore.endpoint - DEBUG - Setting portal.sso timeout as (60, 60)
2022-12-02 17:51:00,028 - MainThread - botocore.credentials - WARNING - Refreshing temporary credentials failed during mandatory refresh period.
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 492, in _protected_refresh
    metadata = self._refresh_using()
               ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 633, in fetch_credentials
    return self._get_cached_credentials()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 643, in _get_cached_credentials
    response = self._get_credentials()
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 2008, in _get_credentials
    token = initial_token_data.get_frozen_token().token
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_frozen_token'
2022-12-02 17:51:00,030 - MainThread - botocore.credentials - WARNING - Refreshing temporary credentials failed during mandatory refresh period.
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 492, in _protected_refresh
    metadata = self._refresh_using()
               ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 633, in fetch_credentials
    return self._get_cached_credentials()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 643, in _get_cached_credentials
    response = self._get_credentials()
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 775, in _get_credentials
    client = self._create_client()
             ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 798, in _create_client
    frozen_credentials = self._source_credentials.get_frozen_credentials()
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 581, in get_frozen_credentials
    self._refresh()
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 476, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 492, in _protected_refresh
    metadata = self._refresh_using()
               ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 633, in fetch_credentials
    return self._get_cached_credentials()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 643, in _get_cached_credentials
    response = self._get_credentials()
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 2008, in _get_credentials
    token = initial_token_data.get_frozen_token().token
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_frozen_token'
2022-12-02 17:51:00,030 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/clidriver.py", line 460, in main
    return command_table[parsed_args.command](remaining, parsed_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/customizations/commands.py", line 151, in __call__
    return self._subcommand_table[subcommand_name](
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/customizations/commands.py", line 205, in __call__
    rc = self._run_main(parsed_args, parsed_globals)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/customizations/s3/subcommands.py", line 505, in _run_main
    self._list_all_buckets()
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/customizations/s3/subcommands.py", line 570, in _list_all_buckets
    response_data = self.client.list_buckets()
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 341, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 683, in _make_api_call
    http, parsed_response = self._make_request(
                            ^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 703, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/endpoint.py", line 101, in make_request
    return self._send_request(request_dict, operation_model)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/endpoint.py", line 131, in _send_request
    request = self.create_request(request_dict, operation_model)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/endpoint.py", line 114, in create_request
    self._event_emitter.emit(event_name, request=request,
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
               ^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/signers.py", line 94, in handler
    return self.sign(operation_name, request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/signers.py", line 158, in sign
    auth = self.get_auth_instance(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/signers.py", line 253, in get_auth_instance
    frozen_credentials = self._credentials.get_frozen_credentials()
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 581, in get_frozen_credentials
    self._refresh()
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 476, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 492, in _protected_refresh
    metadata = self._refresh_using()
               ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 633, in fetch_credentials
    return self._get_cached_credentials()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 643, in _get_cached_credentials
    response = self._get_credentials()
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 775, in _get_credentials
    client = self._create_client()
             ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 798, in _create_client
    frozen_credentials = self._source_credentials.get_frozen_credentials()
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 581, in get_frozen_credentials
    self._refresh()
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 476, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 492, in _protected_refresh
    metadata = self._refresh_using()
               ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 633, in fetch_credentials
    return self._get_cached_credentials()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 643, in _get_cached_credentials
    response = self._get_credentials()
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/awscli/2.9.3/libexec/lib/python3.11/site-packages/awscli/botocore/credentials.py", line 2008, in _get_credentials
    token = initial_token_data.get_frozen_token().token
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_frozen_token'

'NoneType' object has no attribute 'get_frozen_token'

Reproduction Steps

Any AWS CLI command should work to repro. The key is having the "session-ized" SSO configuration from above:

% cat ~/.aws/config
[default]
sso_account_id = XXXXXXXXXXX
sso_role_name = SomePermisionSet
region = us-east-1
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = us-east-1
sso_session = testing
[sso-session testing]
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Possible Solution

I suspect the logic just needs to be session-aware?

Additional Information/Context

No response

CLI version used

CLI version: aws-cli/2.9.3 Python/3.11.0 Darwin/21.6.0 source/arm64

Environment details (OS name and version, etc.)

MacOS 12.6.1, awscli installed with brew. arm64 architecture
@zvickery zvickery added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 3, 2022
@zvickery zvickery mentioned this issue Dec 3, 2022
Closed
@aBurmeseDev aBurmeseDev self-assigned this Dec 5, 2022
@aBurmeseDev aBurmeseDev added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 5, 2022
@aBurmeseDev
Copy link
Member

Hi @zvickery - thanks for reaching out.

I attempted to replicate the error on the same CLI version but wasn't able to reproduce the same behavior. Could you confirm that you've already run aws sso login --profile <yourProfile> to retrieve and cache a set of temporary credentials? I would highly recommend this user guide as far as configuring a user profile to running a command with your IAM enabled profile.

Please let me know if issue persists.
Best,
John

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. iam and removed bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 6, 2022
@zvickery
Copy link
Author

zvickery commented Dec 6, 2022

Oh interesting. It does work if I do aws configure sso --profile role-access and setup a new AWS SSO profile for that particular CLI profile. However I have a bunch of CLI profiles in ~/.aws/credentials that look similar to below:

[role-access]
role_arn = arn:aws:iam::XXXXXXXXXXX:role/role-access
source_profile = default
role_session_name = mysession

With the new SSO profiles in use the source_profile in the CLI profile is not respected. Thus I have to configure every CLI profile for SSO and refresh credentials as needed. Which is much more onerous and not required with the legacy SSO configuration.

In my opinion, aws s3 ls --profile role-access should use the default SSO credentials as specified in source_profile. The current behavior requires there to be a SSO profile named role-access which is not scalable for anyone using lots of assumable roles in this manner.

Hopefully that all makes sense - this is kind of gnarly!

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 6, 2022
@byron70
Copy link

byron70 commented Dec 9, 2022
edited

I had this occur when I added a duplicate profile with access keys, and the existing profile was referencing a source_profile configured with sso.

#credentials
[cmp-dev-cicd]
source_profile=cmp-dev
role_arn=arn:aws:iam::123456789:role/dev-cicd
region=us-east-1

[cmp-dev-cicd]
aws_access_key_id=foo
aws_secret_access_key=bar
region=us-east-1

[cmp-dev]
sso_session=sso-zi
sso_account_id=123456789
sso_role_name=org-dev-cicd
region=us-east-1

#config 
[sso-session sso-zi]
sso_start_url=https://d-123456.awsapps.com/start
sso_region=us-east-1

@diego-santacruz
Copy link

I had this occur too when switching to the new sso session support, with AWS CLI 2.9.6.

The ~/.aws/config file is

[default]
sso_session = myorg
sso_account_id = xxxxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = eu-central-1
output = json

[sso-session myorg]
sso_start_url = https://myorg.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

[profile roleaccess]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/myrole
region = eu-central-1
source_profile = default

Then I do sso login on my default profile with aws sso login

I check access with aws sts get-caller-identity and it works, I get

{
    "UserId": "ZZZZZZZZZZZZZZZZZZZZZZ:John.Doe@myorg.com",
    "Account": "xxxxxxxxxxxx",
    "Arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/AWSReservedSSO_LongAdministratorAccess_aaaaaaaaaaaaaaaa/John.Doe@myorg.com"
}

Then I do that for the profile using the role with aws sts get-caller-identity --profile roleaccess and I get the same error as other users

'NoneType' object has no attribute 'get_frozen_token'

When using the older non-refreshable SSO token configuration, like below, it works without problem, using the same commands as above.

[default]
sso_start_url = https://myorg.awsapps.com/start
sso_region = eu-central-1
sso_account_id = xxxxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = eu-central-1
output = json

[profile roleaccess]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/myrole
region = eu-central-1
source_profile = default

@jaklan
Copy link

jaklan commented Dec 30, 2022

Exactly the same problem - the below configuration doesn't work when running aws sts get-caller-identity --profile assumed-role:

[profile sso-role]
sso_session = sso
sso_account_id = yyyyyyyyyyyy
sso_role_name = sso-role

[profile assumed-role]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/assumed-role
source_profile = sso-role

[sso-session sso]
sso_start_url = https://xxxxxxxxxxxx.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

due to the 'NoneType' object has no attribute 'get_frozen_token' error, but that one works:

[profile sso-role]
sso_start_url = https://xxxxxxxxxxxx.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
sso_account_id = yyyyyyyyyyyy
sso_role_name = sso-role

[profile assumed-role]
role_arn = arn:aws:iam::yyyyyyyyyyyy:role/assumed-role
source_profile = sso-role

@aBurmeseDev
Copy link
Member

Thank you all for reporting. We were able to reproduce this behavior and it's currently under investigation. I'm going to mark this as a bug and post updates as soon as we have them.

@aBurmeseDev aBurmeseDev added bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jan 6, 2023
@hssyoo hssyoo mentioned this issue Jan 19, 2023
Merged
@aBurmeseDev aBurmeseDev removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Feb 2, 2023
@aBurmeseDev
Copy link
Member

Quick update here: our team member created this PR that fixes this issue and is now pending for review. I will check back in here once it's merged.

@tim-finnigan tim-finnigan mentioned this issue Feb 3, 2023
Closed
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

@hssyoo hssyoo mentioned this issue Feb 20, 2023
Merged
ian-noaa added a commit to NOAA-GSL/unified-graphics that referenced this issue Feb 22, 2023
@ian-noaa
Bump boto3 from 1.26.60 to 1.26.76 in /services/data (#181)
62d57f5 
Bumps [boto3](https://github.com/boto/boto3) from 1.26.60 to 1.26.76.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/boto/boto3/blob/develop/CHANGELOG.rst">boto3's
changelog</a>.</em></p>
<blockquote>
<h1>1.26.76</h1>
<ul>
<li>api-change:<code>quicksight</code>: [<code>botocore</code>] S3 data
sources now accept a custom IAM role.</li>
<li>api-change:<code>resiliencehub</code>: [<code>botocore</code>] In
this release we improved resilience hub application creation and
maintenance by introducing new resource and app component crud APIs,
improving visibility and maintenance of application input sources and
added support for additional information attributes to be provided by
customers.</li>
<li>api-change:<code>securityhub</code>: [<code>botocore</code>]
Documentation updates for AWS Security Hub</li>
<li>api-change:<code>tnb</code>: [<code>botocore</code>] This is the
initial SDK release for AWS Telco Network Builder (TNB). AWS Telco
Network Builder is a network automation service that helps you deploy
and manage telecom networks.</li>
</ul>
<h1>1.26.75</h1>
<ul>
<li>bugfix:SSO: [<code>botocore</code>] Fixes
aws/aws-cli<code>[#7496](https://github.com/boto/boto3/issues/7496)
&lt;https://github.com/aws/aws-cli/issues/7496&gt;</code>__ by using the
correct profile name rather than the one set in the session.</li>
<li>api-change:<code>auditmanager</code>: [<code>botocore</code>] This
release introduces a ServiceQuotaExceededException to the
UpdateAssessmentFrameworkShare API operation.</li>
<li>api-change:<code>connect</code>: [<code>botocore</code>] Reasons for
failed diff has been approved by SDK Reviewer</li>
</ul>
<h1>1.26.74</h1>
<ul>
<li>api-change:<code>apprunner</code>: [<code>botocore</code>] This
release supports removing MaxSize limit for
AutoScalingConfiguration.</li>
<li>api-change:<code>glue</code>: [<code>botocore</code>] Release of
Delta Lake Data Lake Format for Glue Studio Service</li>
</ul>
<h1>1.26.73</h1>
<ul>
<li>api-change:<code>emr</code>: [<code>botocore</code>] Update emr
client to latest version</li>
<li>api-change:<code>grafana</code>: [<code>botocore</code>] With this
release Amazon Managed Grafana now supports inbound Network Access
Control that helps you to restrict user access to your Grafana
workspaces</li>
<li>api-change:<code>ivs</code>: [<code>botocore</code>] Doc-only
update. Updated text description in DeleteChannel, Stream, and
StreamSummary.</li>
<li>api-change:<code>wafv2</code>: [<code>botocore</code>] Added a
notice for account takeover prevention (ATP). The interface incorrectly
lets you to configure ATP response inspection in regional web ACLs in
Region US East (N. Virginia), without returning an error. ATP response
inspection is only available in web ACLs that protect CloudFront
distributions.</li>
</ul>
<h1>1.26.72</h1>
<ul>
<li>api-change:<code>cloudtrail</code>: [<code>botocore</code>] This
release adds an InsufficientEncryptionPolicyException type to the
StartImport endpoint</li>
<li>api-change:<code>efs</code>: [<code>botocore</code>] Update efs
client to latest version</li>
<li>api-change:<code>frauddetector</code>: [<code>botocore</code>] This
release introduces Lists feature which allows customers to reference a
set of values in Fraud Detector's rules. With Lists, customers can
dynamically manage these attributes in real time. Lists can be
created/deleted and its contents can be modified using the Fraud
Detector API.</li>
<li>api-change:<code>glue</code>: [<code>botocore</code>] Fix
DirectJDBCSource not showing up in CLI code gen</li>
<li>api-change:<code>privatenetworks</code>: [<code>botocore</code>]
This release introduces a new StartNetworkResourceUpdate API, which
enables return/replacement of hardware from a NetworkSite.</li>
<li>api-change:<code>rds</code>: [<code>botocore</code>] Database
Activity Stream support for RDS for SQL Server.</li>
<li>api-change:<code>wafv2</code>: [<code>botocore</code>] For protected
CloudFront distributions, you can now use the AWS WAF Fraud Control
account takeover prevention (ATP) managed rule group to block new login
attempts from clients that have recently submitted too many failed login
attempts.</li>
</ul>
<h1>1.26.71</h1>
<ul>
<li>api-change:<code>appconfig</code>: [<code>botocore</code>] AWS
AppConfig now offers the option to set a version label on hosted
configuration versions. Version labels allow you to identify specific
hosted configuration versions based on an alternate versioning scheme
that you define.</li>
<li>api-change:<code>datasync</code>: [<code>botocore</code>] With this
launch, we are giving customers the ability to use older SMB protocol
versions, enabling them to use DataSync to copy data to and from their
legacy storage arrays.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/boto/boto3/commit/46e333480221abb6973cb62498ca9bc93c203994"><code>46e3334</code></a>
Merge branch 'release-1.26.76'</li>
<li><a
href="https://github.com/boto/boto3/commit/58a531f85c27dafa848e61007831f46e811077fd"><code>58a531f</code></a>
Bumping version to 1.26.76</li>
<li><a
href="https://github.com/boto/boto3/commit/d7c625a7218c7b284832c4eea70f2d3618157a85"><code>d7c625a</code></a>
Add changelog entries from botocore</li>
<li><a
href="https://github.com/boto/boto3/commit/591a99c7e8ba1df0d2ce72ce43116d770932f171"><code>591a99c</code></a>
Merge branch 'release-1.26.75'</li>
<li><a
href="https://github.com/boto/boto3/commit/0948e0a71fbd47f0e749cc3fd9cf557002f627d9"><code>0948e0a</code></a>
Merge branch 'release-1.26.75' into develop</li>
<li><a
href="https://github.com/boto/boto3/commit/f9d4196e6f96f1ce65b9b2a0e933923faa3cc8ee"><code>f9d4196</code></a>
Bumping version to 1.26.75</li>
<li><a
href="https://github.com/boto/boto3/commit/dcf1cada79743b28356f11b8c16ea27dc34ba645"><code>dcf1cad</code></a>
Add changelog entries from botocore</li>
<li><a
href="https://github.com/boto/boto3/commit/2f0af3bcc01baaa0d062d04c7262a05bb22c10a4"><code>2f0af3b</code></a>
Merge branch 'release-1.26.74'</li>
<li><a
href="https://github.com/boto/boto3/commit/df09e800f85c9041e18c50ad316170826fc27b82"><code>df09e80</code></a>
Merge branch 'release-1.26.74' into develop</li>
<li><a
href="https://github.com/boto/boto3/commit/ba3f55c27f2796b75b62f48e91cb774166b51f58"><code>ba3f55c</code></a>
Bumping version to 1.26.74</li>
<li>Additional commits viewable in <a
href="https://github.com/boto/boto3/compare/1.26.60...1.26.76">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=boto3&package-manager=pip&previous-version=1.26.60&new-version=1.26.76)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>
@krishansrimal
Copy link

Facing the same problem with aws-cli/2.9.15. I see the MR has been approved and merged?. Can someone update here what would the fixed CLI version for this issue?

@hssyoo
Copy link
Contributor

hssyoo commented Mar 22, 2023

Hi @krishansrimal, the commit with the relevant patch was introduced in version 2.10.2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aBurmeseDev aBurmeseDev

Labels
bug This issue is a bug. iam
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Plumb profile_name into SSOTokenProvider hssyoo/botocore
7 participants
@zvickery @byron70 @diego-santacruz @krishansrimal @jaklan @aBurmeseDev @hssyoo