InvalidGrantException while attempting to refresh credentials #7692

@abstractalchemist

Description


Describe the bug

I'm not sure if this is intended behavior or a bug. I started with

aws sso login --profile profile-name

My session duration in AWS IAM Identity Center is set to the default 8 hours. The login session, as far as I know, expires an hour after initial login. I am attempting a role-chaining configuration from a role using AWS IAM Identity Center. My configuration looks like this

# IAM Identity Center session shared by the SSO profile below
[sso-session devcloud-sso]
sso_start_url = <redacted>
sso_region = us-gov-west-1
sso_registration_scopes = sso:account:access

# Role-chained profile: assumes role_arn using credentials from source_profile
[profile ai-dev-sso]
source_profile = devcloud-ai-access
role_session_name = <redacted>
role_arn = <redacted>
region = us-gov-west-1

# SSO profile that provides the source credentials for the chain
[profile devcloud-ai-access]
sso_account_id = <redacted>
sso_role_name = <redacted>
region = us-gov-west-1
output = yaml
duration_seconds = 28800
sso_session = devcloud-sso

After an hour, the temporary credentials from assuming the role defined in ai-dev-sso expire (as expected because of role chaining), but the CLI fails to refresh my login credentials with an error

botocore.exceptions.TokenRetrievalError: Error when retrieving token from sso: Token has expired and refresh failed

Looking at the debug output, there's an error that I don't think is supposed to be there

2023-02-21 19:59:33,573 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=CreateToken) with params: {'url_path': '/token', 'query_string': {}, 'method': 'POST', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.10.1 Python/3.9.2 Linux/5.15.79.1-microsoft-standard-WSL2 source/x86_64.debian.11 prompt/off command/sts.get-caller-identity'}, 'body': b'{"grantType": "refresh_token", "clientId": "dqGwQKBvVnKH_FrBOYL2P3VzLWdvdi13ZXN0LTE", "clientSecret": <redacted>, "refreshToken": <redacted>}', 'url': 'https://oidc.us-gov-west-1.amazonaws.com/token', 'context': {'client_region': 'us-gov-west-1', 'client_config': <botocore.config.Config object at 0x7f47e2aa16d0>, 'has_streaming_input': False, 'auth_type': 'none'}}

2023-02-21 19:59:33,574 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.CreateToken: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f47e2aa16a0>>

2023-02-21 19:59:33,574 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso-oidc.CreateToken: calling handler <function set_operation_specific_signer at 0x7f47e4fd68b0>

2023-02-21 19:59:33,574 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://oidc.us-gov-west-1.amazonaws.com/token, headers={'Content-Type': b'application/json', 'User-Agent': b'aws-cli/2.10.1 Python/3.9.2 Linux/5.15.79.1-microsoft-standard-WSL2 source/x86_64.debian.11 prompt/off command/sts.get-caller-identity', 'Content-Length': '2172'}>

2023-02-21 19:59:33,574 - MainThread - botocore.httpsession - DEBUG - Certificate path: <redacted>

2023-02-21 19:59:33,574 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): oidc.us-gov-west-1.amazonaws.com:443

2023-02-21 19:59:34,054 - MainThread - urllib3.connectionpool - DEBUG - https://oidc.us-gov-west-1.amazonaws.com:443 "POST /token HTTP/1.1" 400 70

2023-02-21 19:59:34,054 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 22 Feb 2023 05:59:34 GMT', 'Content-Type': 'application/json', 'Content-Length': '70', 'Connection': 'keep-alive', 'x-amzn-RequestId': '0acde3d1-b0d6-47ff-bfc4-43c5e58df410', 'x-amzn-ErrorType': 'InvalidGrantException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}

2023-02-21 19:59:34,054 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_grant","error_description":"Invalid grant provided"}'

Expected Behavior

Based on the IAM Identity Center documentation, I believe that the refresh token is supposed to last 8 hours. So I should be able to refresh my access token within 8 hours of login (which I've verified).

Current Behavior

The above error

Error when retrieving token from sso: Token has expired and refresh failed

Reproduction Steps

I used a bash script to run

# Poll the role-chained profile every 5 minutes and stamp each call with the UTC time,
# so the moment the refresh starts failing can be read off the output.
while true; do
    aws sts get-caller-identity --profile ai-dev-sso
    date -u -Ins
    sleep 5m
done

and observed the behavior over the duration.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.10.1 Python/3.9.2 Linux/5.15.79.1-microsoft-standard-WSL2 source/x86_64.debian.11 prompt/off

Environment details (OS name and version, etc.)

WSL 2
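When a refresh fails like this, the first thing worth checking is what the CLI actually has on disk for the session: whether the cached access token is past its expiresAt, whether a refresh token and client registration are present at all, and whether the registration itself has lapsed. The script below is an added example, not part of this issue or of the AWS CLI, and it assumes the token-cache file layout observed under ~/.aws/sso/cache/ (JSON with accessToken, expiresAt, refreshToken, clientId, clientSecret and registrationExpiresAt); that layout is an assumption about the CLI's cache, not a documented schema. It also builds a redacted copy of an entry, which is what should be pasted into a bug report instead of raw debug output, since the CreateToken request body above carries the client secret and refresh token in the clear. The sample entries are constructed, with timestamps chosen around the 05:59 GMT failure in the log.

```python
"""Inspect AWS CLI v2 SSO token-cache entries and predict the next refresh outcome.

Added example, not code from the issue or from the AWS CLI. The cache key names
(accessToken, expiresAt, refreshToken, clientId, clientSecret, registrationExpiresAt)
are an assumption based on observed ~/.aws/sso/cache/*.json files.
"""
import json
from datetime import datetime, timezone
from pathlib import Path

# Keys that must never appear in a shared log or bug report
SECRET_KEYS = ("accessToken", "refreshToken", "clientSecret")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps the cache uses (e.g. '2023-02-22T05:55:00Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(entry: dict, now: datetime) -> dict:
    """Classify a cache entry the way the refresh path sees it at time `now`."""
    expires_at = parse_ts(entry["expiresAt"])
    reg_raw = entry.get("registrationExpiresAt")
    reg_expires = parse_ts(reg_raw) if reg_raw else None
    access_valid = now < expires_at
    # A refresh needs the refresh token plus the client registration it was issued to
    can_refresh = all(entry.get(k) for k in ("refreshToken", "clientId", "clientSecret"))
    registration_valid = reg_expires is None or now < reg_expires
    if access_valid:
        state = "access-token-valid"
    elif can_refresh and registration_valid:
        state = "refresh-will-be-attempted"  # this is where invalid_grant can still come back
    else:
        state = "login-required"
    return {
        "state": state,
        "access_token_seconds_left": int((expires_at - now).total_seconds()),
        "registration_valid": registration_valid,
        "has_refresh_token": can_refresh,
    }


def redact(entry: dict) -> dict:
    """Return a copy safe to paste into an issue: secrets masked, timestamps and IDs kept."""
    out = dict(entry)
    for key in SECRET_KEYS:
        if out.get(key):
            out[key] = "<redacted>"
    return out


def scan_cache(cache_dir: Path, now: datetime) -> list:
    """Assess every token file in a cache directory (registration-only files are skipped)."""
    if not cache_dir.is_dir():
        return []
    results = []
    for path in sorted(cache_dir.glob("*.json")):
        try:
            entry = json.loads(path.read_text())
        except (OSError, json.JSONDecodeError):
            continue
        if "accessToken" not in entry or "expiresAt" not in entry:
            continue  # client-registration files share the directory but have a different shape
        results.append({"file": path.name, **assess(entry, now)})
    return results


# Constructed sample entries (no real tokens), with the clock set to the failure time in the log
NOW = datetime(2023, 2, 22, 5, 59, 33, tzinfo=timezone.utc)
EXPIRED_WITH_REFRESH = {
    "startUrl": "https://example.awsapps.com/start",  # placeholder, not the reporter's URL
    "region": "us-gov-west-1",
    "accessToken": "constructed-access-token",
    "expiresAt": "2023-02-22T05:55:00Z",
    "clientId": "constructed-client-id",
    "clientSecret": "constructed-client-secret",
    "registrationExpiresAt": "2023-05-22T05:00:00Z",
    "refreshToken": "constructed-refresh-token",
}
EXPIRED_NO_REFRESH = {k: v for k, v in EXPIRED_WITH_REFRESH.items() if k != "refreshToken"}
STILL_VALID = {**EXPIRED_WITH_REFRESH, "expiresAt": "2023-02-22T06:30:00Z"}

if __name__ == "__main__":
    for label, entry in [("expired, refresh token present", EXPIRED_WITH_REFRESH),
                         ("expired, no refresh token", EXPIRED_NO_REFRESH),
                         ("still valid", STILL_VALID)]:
        print(label, "->", assess(entry, NOW))
    print(json.dumps(redact(EXPIRED_WITH_REFRESH), indent=2))
    # Real run: scan_cache(Path.home() / ".aws" / "sso" / "cache", datetime.now(timezone.utc))
```

If scan_cache reports "refresh-will-be-attempted" and the CLI still gets invalid_grant back from the OIDC token endpoint, the cache file is internally consistent and the grant was rejected server-side, which narrows the problem to the refresh token or registration on the Identity Center side rather than to a stale or missing cache entry.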
