Mismatch in SSO cache filename #4359

Closed
ytanay opened this issue Jan 12, 2023 · 5 comments
Labels
type/enhancement Issues that are improvements for existing features.

Comments

@ytanay

ytanay commented Jan 12, 2023

Hey :)

We've recently set up SSO for our AWS account, and we're experiencing strange authentication errors when using Copilot.

Here's what I did:

  1. Configured SSO (aws configure sso)
  2. Logged in (aws sso login)
  3. Tested a random AWS command works (aws s3 ls)
  4. Run Copilot with the AWS_PROFILE environment variable (AWS_PROFILE=profile-name copilot svc ls)

Yields the following:

✘ default session: profile "profile-name" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

I played around with the (autogenerated) .aws/config file and copied these two fields from the sso-session section to the profile.

This caused the following error:

$ AWS_PROFILE=profile-name copilot svc ls
✘ default session: SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open /Users/ytanay/.aws/sso/cache/df4dac4174040164284293dac85799ba9e36d7a7.json: no such file or directory

Looking at .aws/sso/cache I see two files, and indeed neither has the filename used by Copilot. Renaming one of them to the one expected by Copilot works, so I'm guessing the new fields affect the hash used to look up the tokens.

I think the latter error is not as interesting as the first (since according to the documentation those fields are not supposed to be placed under the profile section) - am I missing anything?

Thanks for the great tool!

@Lou1415926
Contributor

@ytanay Hello! It looks like you have onboarded with the new registration process (in which sso_start_url should be placed under sso-session) while the underlying authentication process used by Copilot is still expecting the legacy process (in which sso_start_url is expected under "profile-name").

I found a write-up here to use the legacy process.

Meanwhile, we will investigate if this is because aws-sdk-go hasn't onboarded the new SSO process, or if there is anything that Copilot needs to do outside of the aws-sdk-go!
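
SSO token cache files are named after the SHA-1 hex digest of a key string, which is the sso-session name in the newer configuration format and the sso_start_url in the legacy one, so a client that only knows the legacy scheme looks for a different file than the one `aws sso login` wrote. The sketch below is an added example, not part of this thread or Copilot's code; the profile names, session name and start URL are constructed placeholders.

```python
import configparser
import hashlib

# Constructed sample ~/.aws/config; every name and value is a placeholder.
SAMPLE_CONFIG = """
[profile new-style]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = Developer

[profile legacy-style]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111122223333
sso_role_name = Developer

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
"""

def cache_name(key):
    """Cache filename for a key: SHA-1 hex digest of the exact string + .json."""
    return hashlib.sha1(key.encode("utf-8")).hexdigest() + ".json"

def expected_cache_files(config_text, profile):
    """Return the filename each lookup scheme derives for one profile."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    prof = cfg["profile " + profile]
    session = prof.get("sso_session")
    start_url = prof.get("sso_start_url")
    if start_url is None and session is not None:
        # New format: the URL lives in the referenced sso-session section.
        start_url = cfg["sso-session " + session].get("sso_start_url")
    return {
        # sso-session format: the key is the session *name*, not the URL.
        "by_session_name": cache_name(session) if session else None,
        # Legacy format: the key is the start URL, byte for byte.
        "by_start_url": cache_name(start_url) if start_url else None,
    }

if __name__ == "__main__":
    for name in ("new-style", "legacy-style"):
        print(name, expected_cache_files(SAMPLE_CONFIG, name))
```

Comparing the two names against the files actually present in .aws/sso/cache shows which scheme wrote the token; because the URL is hashed as an exact string, a start URL with a different suffix (such as a trailing `#/`) yields a different filename.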

@Lou1415926
Contributor

@ytanay I found this issue aws/aws-sdk-go#4649 here.

We will keep track of the issue and let you know if the auto-refresh session is supported in aws-sdk-go (thus in Copilot)

For now, could you stay with the workaround mentioned in the write-up as a temporary fix?

Sorry for the trouble : ( and thanks for raising this issue!

@ytanay
Author

ytanay commented Jan 20, 2023

Just realized I forgot to respond, sorry about that.

Works perfectly, thank you so much for the quick response!

@ShanikaEdiriweera

ShanikaEdiriweera commented Jul 12, 2023

Facing the same issue!

Removing the sso_session from the profile fixed it for me!

This is what my profile looks like.

[profile my-profile]
sso_account_id = 0333xxxxxxxx
sso_role_name = Developer
region = us-east-1
output = json
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start#/
sso_region = us-east-1

@dannyrandall dannyrandall added the type/enhancement Issues that are improvements for existing features. label Jul 14, 2023
@huanjani
Contributor

Our binary should be updated to the latest SDK version in our latest release, v1.29.0: https://github.com/aws/copilot-cli/releases/tag/v1.29.0, resolving this issue! Thanks!
