existing entries in credentials file error #60

Closed
heydonovan opened this issue Mar 2, 2022 · 3 comments
heydonovan commented Mar 2, 2022

We are unable to refresh tokens automatically if the session is expired. I created a new profile, test123, copy/pasted it, and it worked just fine. The workaround is to run a rm -f ~/.aws/credentials every time this happens, but I don't believe we should have to do this. Is this a bug?

I've tried to automate this but couldn't get it to work:

```
credential_process = bash -c "rm -f ~/.aws/credentials; gsts --idp-id=REDACTED --sp-id=REDACTED --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json"
```

```
$ cat ~/.aws/config
[default]
output = json
region = us-east-1
source_profile = heydonovan

[profile heydonovan]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=heydonovan --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1

[profile test123]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=test123 --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1
```

```
$ aws sts get-caller-identity --profile heydonovan

An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
```

```
$ aws sts get-caller-identity --profile test123
{
    "UserId": "REDACTED:REDACTED",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACED:assumed-role/REDACTED/REDACTED"
}
```

```
$ cat ~/.aws/credentials

[heydonovan]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-02T05:58:20.000Z
aws_session_token="REDACTED"

[test123]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-03T04:48:11.000Z
aws_session_token="REDACTED"
```

heydonovan changed the title from "bug with pre-existing entries in credentials" to "existing entries in credentials file causes ExpiredToken error" on Mar 2, 2022

heydonovan changed the title from "existing entries in credentials file causes ExpiredToken error" to "existing entries in credentials file error" on Mar 2, 2022

@nickphbrown

@heydonovan FYI this is an aws-cli issue, see aws/aws-cli#5109

@heydonovan
Author

@nickphbrown Thanks for the heads up! I've added a +1 to the thread and made a comment.

@ruimarinho
Owner

This has been addressed on the next major of gsts, which focuses its functionality on serving as a good credential_process citizen (landing via #82).

Thanks for your feedback!
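
The situation reported in this thread, as an added example that is not part of the thread or of gsts: the AWS CLI consults a profile's static keys in `~/.aws/credentials` before it runs `credential_process` from `~/.aws/config`, so a stale entry wins. The Python check below lists profiles defined in both places and whether the stored session has expired; the file contents and `NOW` are constructed samples, and `find_shadowed_profiles` is a hypothetical helper name.

```python
import configparser
from datetime import datetime, timezone

# Constructed sample files, modelled on the ones quoted in the issue.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile heydonovan]
credential_process = gsts --aws-profile=heydonovan --json

[profile test123]
credential_process = gsts --aws-profile=test123 --json

[profile ci]
credential_process = gsts --aws-profile=ci --json
"""
SAMPLE_CREDENTIALS = """\
[heydonovan]
aws_access_key_id=EXAMPLE
aws_session_expiration=2022-03-02T05:58:20.000Z

[test123]
aws_access_key_id=EXAMPLE
aws_session_expiration=2022-03-03T04:48:11.000Z
"""
NOW = datetime(2022, 3, 2, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def find_shadowed_profiles(credentials_text, config_text, now):
    """Profiles with credential_process in config AND static keys in credentials."""
    creds, conf = _parse(credentials_text), _parse(config_text)
    findings = []
    for section in conf.sections():
        if not conf.has_option(section, "credential_process"):
            continue
        # config uses "[profile NAME]"; the credentials file uses "[NAME]"
        name = section[len("profile "):].strip() if section.startswith("profile ") else section
        if not creds.has_option(name, "aws_access_key_id"):
            continue  # nothing cached for this profile, so credential_process runs
        raw = creds.get(name, "aws_session_expiration", fallback="").strip('"')
        exp = (datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%fZ")
               .replace(tzinfo=timezone.utc) if raw else None)
        findings.append((name, exp, exp is not None and exp <= now))
    return findings
```

Each returned tuple is `(profile, expiration, expired)`; a profile reported with `expired=True` is one where the stale credentials-file entry would be used instead of a fresh `credential_process` call.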
