Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSOProviderInvalidToken: the SSO session has expired or is invalid #26

Closed
sPaCeMoNk3yIam opened this issue Apr 26, 2023 · 6 comments · Fixed by #27
Closed

SSOProviderInvalidToken: the SSO session has expired or is invalid #26

sPaCeMoNk3yIam opened this issue Apr 26, 2023 · 6 comments · Fixed by #27
Assignees
Labels
bug Something isn't working

Comments

@sPaCeMoNk3yIam
Copy link

I'm using the modern recommended SSO auth to work with the AWS CLI. Getting resources works well, but the commands that work via this plugin always return an error and try to seem to look for a wrong sso cache file:

profile "default" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

Command '['lightsailctl', '--plugin', '--input-stdin']' returned non-zero exit status 1.

After unnecessarily adding these two parameters to my profile, I still get:

SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open /Users/<USER>/.aws/sso/cache/<ID>.json: no such file or directory

Command '['lightsailctl', '--plugin', '--input-stdin']' returned non-zero exit status 1.

The CLI tries to read from a wrong JSON file.

@paxan
Copy link
Member

paxan commented Apr 26, 2023

Hi @sPaCeMoNk3yIam does your CLI config look similar to this (I grabbed this example from AWS CLI docs)?

[default]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = readOnly
region = us-west-2
output = text

[profile user1]
sso_session = my-sso
sso_account_id = 444455556666
sso_role_name = readOnly
region = us-east-1
output = json

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access

@paxan
Copy link
Member

paxan commented Apr 26, 2023

@sPaCeMoNk3yIam

I think moving lightsailctl to AWS SDK for Go v2 (from v1) might resolve this issue. Some cursory look into source of both SDKs tells me that SDK v1 only supports legacy SSO config style, while v2 supports both.

I've made a branch move-to-aws-sdk-go-v2. Can you please try getting lightsailctl built from this branch, to see if it recognizes your SSO configuration?

go install github.com/aws/lightsailctl@move-to-aws-sdk-go-v2

Resulting binary, ~/go/bin/lightsailctl, should have this version:

~/go/bin/lightsailctl --version
v1.0.6-fix26

Make sure this new binary is in your PATH.

If you want to undo, and get the currently released binary, just run this command:

go install github.com/aws/lightsailctl@latest

@paxan paxan added the bug Something isn't working label Apr 26, 2023
@paxan
Copy link
Member

paxan commented Apr 26, 2023

Yep v1 of Go SDK doesn't support this SSO config: aws/aws-sdk-go#4649

Looks like v2 of the SDK should work: aws/aws-sdk-go-v2#1903

@paxan paxan self-assigned this Apr 26, 2023
@sPaCeMoNk3yIam
Copy link
Author

sPaCeMoNk3yIam commented May 23, 2023

@sPaCeMoNk3yIam

I think moving lightsailctl to AWS SDK for Go v2 (from v1) might resolve this issue. Some cursory look into source of both SDKs tells me that SDK v1 only supports legacy SSO config style, while v2 supports both.

I've made a branch move-to-aws-sdk-go-v2. Can you please try getting lightsailctl built from this branch, to see if it recognizes your SSO configuration?

go install github.com/aws/lightsailctl@move-to-aws-sdk-go-v2

Resulting binary, ~/go/bin/lightsailctl, should have this version:

~/go/bin/lightsailctl --version
v1.0.6-fix26

Make sure this new binary is in your PATH.

If you want to undo, and get the currently released binary, just run this command:

go install github.com/aws/lightsailctl@latest

It seems to have worked for me! 🚀
I had to delete the ~/.aws/credentials though. This wasn't an issue for the standard AWS CLI commands like get-container-images but for the lightsailctl plugin only.

@paxan paxan closed this as completed in #27 May 29, 2023
@sPaCeMoNk3yIam
Copy link
Author

@paxan Is there a released for this (rather important) patch planned any time soon?

@paxan
Copy link
Member

paxan commented Jul 12, 2023

Done: https://github.com/aws/lightsailctl/releases/tag/v1.0.6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants