graceful handling of expired aws sso credentials #849

Closed
judell opened this issue Jan 6, 2022 · 5 comments
Labels
stale No recent activity has been detected on this issue/PR and it will be closed

Comments

judell commented Jan 6, 2022

I'm closing the following in favor of this issue:

turbot/steampipe#1103
#811

The story so far:

  1. When SSO credentials have expired, Steampipe takes several minutes to report:

         Error: InvalidClientTokenId: The security token included in the request is invalid
                 status code: 403, request id: bf386d24-c89a-4880-8db2-16a0c72942bb (SQLSTATE HV000)

  2. @dbmurphy has kindly contributed Add sso auto run #847, which aims to automate commands that would otherwise be run manually:

         aws sts get-caller-identity --profile PROFILE      # check if creds are valid
         aws sso login --profile SSO-ReadOnly-605...981     # renew if not

     Per #847, there may or may not be a way to automate this flow if the user's setup doesn't accommodate a browser launch.

  3. Even when aws sts get-caller-identity --profile PROFILE reports success, if ~/.aws/config looks like this:

         [profile SSO-ReadOnly-605...981]
         sso_start_url = https://d-9a672b0642.awsapps.com/start
         sso_region = us-east-2
         sso_account_id = 605...3981
         aws_access_key_id="ASIA...2ORLV"
         aws_secret_access_key="ATXO...yE49"
         aws_session_token="IQo..."
         sso_role_name=SSO-ReadOnly

     i.e., includes access_key/secret_key/secret_token from the command line or programmatic access link on the SSO start page, then those invalid credentials evidently override, and there is again a several-minute timeout before InvalidClientTokenId is reported.

@cbruno10, @dbmurphy are there any other pieces of this puzzle to include here?

judell commented Jan 11, 2022

Update/clarification:

When SSO credentials have expired, Steampipe takes several minutes to report

That's only true if ~/.aws/config has explicit credentials that are expired. Otherwise we promptly report

Error: SSOProviderInvalidToken: the SSO session has expired or is invalid

There's no reason to use explicit credentials, though, and we don't say anything about them here, so unless there's another way to trigger a long delay, I think that the original issue is moot.

Ways to improve:

  • A more specific message: "Error: SSOProviderInvalidToken: the SSO session has expired or is invalid. Please run aws sso login --profile PROFILE to reauthorize"

  • Automatically kick off the reauth flow (as Add sso auto run #847 aims to do).

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the stale No recent activity has been detected on this issue/PR and it will be closed label Mar 12, 2022
@ParthaI ParthaI removed the stale No recent activity has been detected on this issue/PR and it will be closed label Mar 13, 2022
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the stale No recent activity has been detected on this issue/PR and it will be closed label May 12, 2022
@ParthaI ParthaI removed the stale No recent activity has been detected on this issue/PR and it will be closed label May 13, 2022
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the stale No recent activity has been detected on this issue/PR and it will be closed label Jul 12, 2022
@github-actions

This issue was closed because it has been stalled for 90 days with no activity.
