Support token auto refresh #71

Closed
dm3ch opened this issue Mar 3, 2023 · 10 comments
@dm3ch

dm3ch commented Mar 3, 2023

Now AWS supports refresh tokens and in some cases IAM Identity Center returns you a refresh token.

Nowadays, the AWS CLI is able to refresh the token, but aws2-wrap is not able to do that and just asks you to log in instead.

@pcolmer
Contributor

pcolmer commented Mar 4, 2023

Hello

Thank you for this issue. Can you please provide a link to any information you have about the AWS CLI being able to refresh the token?

@dm3ch
Author

dm3ch commented Mar 4, 2023

Here's the official documentation, but it doesn't contain any specific commands that you need to call to refresh the token:
https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html

@pcolmer
Contributor

pcolmer commented Mar 4, 2023

Thanks for that.

It looks like the refresh is happening automatically whenever the named profile is used. The distinction between a refreshable and non-refreshable token seems to come down to how the profile is defined.

Non-refreshable:

[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json

Refreshable:

[profile my-dev-profile]
sso_session = my-sso
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access

So, if aws2-wrap is asked to use a profile that specifies sso_session, it could be inferred that this is a refreshable token and it should be sufficient to try to use the profile (e.g. with sts get-caller-identity) and see if that works.

I'll do some testing and see if I can make it work reliably.
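As an added illustration (not aws2-wrap's own code), this is how a wrapper could resolve a profile that points at an [sso-session] section, merging the session's sso_region and sso_start_url into the profile before validating it and flagging such profiles as refreshable. The config text, profile names and the "refreshable" key are constructed for the example.

```python
import configparser

# Constructed sample config: one legacy profile and one sso-session profile.
SAMPLE_CONFIG = """
[profile legacy-dev]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly

[profile session-dev]
sso_session = my-sso
sso_account_id = 123456789011
sso_role_name = readOnly

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
"""

# Fields a wrapper needs before it can look up or request an SSO token.
REQUIRED = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def resolve_sso_profile(config_text: str, profile_name: str) -> dict:
    """Return the merged SSO settings for a profile, following sso_session.

    A profile naming an sso_session gets its [sso-session] section merged in
    (profile keys win) and 'refreshable' True; a legacy profile gets False.
    """
    # '=' only: values such as sso:account:access and URLs contain colons.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    section = f"profile {profile_name}"
    if not parser.has_section(section):
        raise KeyError(f"profile not found: {profile_name}")
    settings = dict(parser[section])
    session_name = settings.get("sso_session")
    if session_name:
        session_section = f"sso-session {session_name}"
        if not parser.has_section(session_section):
            raise KeyError(f"sso-session not found: {session_name}")
        settings = {**dict(parser[session_section]), **settings}
    settings["refreshable"] = bool(session_name)
    # Without the merge above, a session profile fails here with the
    # "'sso_start_url' not found in profile" error reported in this thread.
    missing = [key for key in REQUIRED if key not in settings]
    if missing:
        raise KeyError(f"{missing[0]!r} not found in profile: {profile_name}")
    return settings
```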

@pcolmer pcolmer self-assigned this Mar 4, 2023
@pcolmer
Contributor

pcolmer commented Mar 4, 2023

Just spotted this note in the documentation:

Note
If you are signed in to the sso-session you are updating, refresh your token by running the aws sso login command.

@dm3ch
Author

dm3ch commented Mar 4, 2023

About refreshing: when the token has expired and you call aws login, you are still redirected to the browser. So it's not a refresh, it seems to be a re-login.

The AWS CLI itself doesn't require executing the login command to refresh. It refreshes the token automatically whenever you call any CLI command using the profile.

@pcolmer
Contributor

pcolmer commented Mar 4, 2023

There is a distinct lack of clarity/documentation around what is happening here, unfortunately. I can see two timeouts in the cache file:

"expiresAt": "2023-03-04T11:35:37Z" for the token and

"registrationExpiresAt": "2023-06-02T10:32:24Z" for the login registration.

This is going to be interesting to see ... but time-consuming to test :). I'll wait to see what happens when I try to use the token at, say, 11:45 and then see what changes in the cache file.

@dm3ch
Author

dm3ch commented Mar 4, 2023

Hope your tests will go well.

I only have expiresAt in the ~/.aws/sso/cache/ file. But as I realized, the token expires in just an hour, and expiresAt, as far as I understood, relates to the refresh token lifetime.

So probably you don't need to wait so long to test token refresh.

@jchandramouli

Any updates on this? Currently aws2-wrap supports AWS SSO configuration without providing an sso-session name. If sso-session is provided, it errors out with this message:

'sso_start_url' not found in profile: {'sso_session': 'temp-session', 'sso_account_id': '1234567890', 'sso_role_name': 'ViewOnly', 'region': 'us-east-1', 'output': 'json', 'profile_name': 'test-dev'}

@pcolmer
Contributor

pcolmer commented Sep 28, 2023

Any updates on this?

I'm sorry but I've been busy on other work. If anyone wants to have a go at submitting a change, I'd be happy to review it.

@pcolmer
Contributor

pcolmer commented Jan 7, 2024

Fixed in version 1.4.0 thanks to @matan129

@pcolmer pcolmer closed this as completed Jan 7, 2024