Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fails to read cached SSO token when AWS profile config includes a sso_session attribute #771

Open
schrobot opened this issue Mar 21, 2024 · 5 comments
Open

fails to read cached SSO token when AWS profile config includes a sso_session attribute #771

schrobot opened this issue Mar 21, 2024 · 5 comments

Comments

@schrobot
Copy link

schrobot commented Mar 21, 2024
edited
Loading

see aws/aws-sdk-go#5184

Reproduction Steps

  1. Create an AWS profile in ~/.aws/config enabled for SSO, that has a session-name
  2. Run aws sso login --profile <that profile>
  3. Try to pull a docker image, and it fails
  4. Remove the session_name attribute, and login again
  5. It will work
@schrobot
Copy link
Author

schrobot commented Apr 16, 2024
edited
Loading

From this issue it seems like if a new release is cut from the current source on main, the issue may be resolved. The released version's aws-sdk-go-v2 dependency is much older than what is currently on main.

@austinvazquez
Copy link
Contributor

austinvazquez commented May 15, 2024
edited
Loading

Hi @schrobot, version 0.8.0 has been released; however, I was unable to reproduce the issue on the previous v0.7.1 version. Can you confirm the Amazon ECR credential helper version you encountered the issue? i.e. output from docker-credential-ecr-login -v

Also as a sanity check, can you confirm you set the AWS_PROFILE environment variable to the named profile for which the session was configured?

@endzyme
Copy link

endzyme commented Feb 12, 2025

I'm still experiencing this issue. (v0.9.0)

@Shubhranshu153
Copy link
Contributor

@endzyme
Just to confirm the sso login and the AWS_PROFILE created are the identical as a sanity check.
Will like the steps to recreate this issue. Seems to be transient and difficult to reproduce.

Thank You.

@endzyme
Copy link

endzyme commented Feb 24, 2025

@endzyme
Just to confirm the sso login and the AWS_PROFILE created are the identical as a sanity check.
Will like the steps to recreate this issue. Seems to be transient and difficult to reproduce.

Thank You.

Yes, I can confirm it's the same AWS_PROFILE. I think the issue revolves around the refresh interval. I don't have the details handy, but it seems like there is an initial token that is used for access that has a shorter expiration than the token you have for refreshing that access token. The helper doesn't appear to ever try to refresh. It just says the token's invalid.

An example that you could try to reproduce is allowing SSO users to have a maximum session duration of 12 hours, but a token duration of two hours.

I'm actually away from work for a few weeks and cannot test but that's what I recall for now. I can help reproduce it when I'm back in mid march.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@endzyme @schrobot @Shubhranshu153 @austinvazquez