getting Token has expired and refresh failed after successful login #83

Open
avoidik opened this issue Nov 30, 2022 · 11 comments

Comments


avoidik commented Nov 30, 2022

hello,

could you please suggest what I'm doing wrong here? my setup only works while the first SSO session is active, after that I'm getting the following, for example:

$ aws-sso-util login --profile aaaa
Logging in https://xyz.awsapps.com/start
Login succeeded, valid until 2022-12-01 00:42 EET
$ aws sts get-caller-identity --profile aaaa
Error when retrieving token from sso: Token has expired and refresh failed

my aaaa profile was initially configured in this way:

$ aws-sso-util configure profile aaaa
SSO session name (Recommended): bbbb-cli
SSO start URL [https://xyz.awsapps.com/start]:
SSO region [eu-central-1]:
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-central-1.amazonaws.com/

Then enter the code:

XXXX-XXXX
There are X AWS accounts available to you.
Using the account ID 123456789012
The only role available to you is: iam-role-name
Using the role name "iam-role-name"
CLI default client Region [eu-central-1]:
CLI default output format [None]: json

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile aaaa

If I remove the ~/.aws/ folder and reconfigure the profile, it works, but again only while the SSO session is active.

sample ~/.aws/config file

[profile aaaa]
sso_start_url = https://xyz.awsapps.com/start
sso_region = eu-central-1
region = eu-central-1
credential_process = aws-sso-util credential-process --profile aaaa
sso_session = bbbb-cli
sso_account_id = 123456789012
sso_role_name = iam-role-name
output = json

[sso-session bbbb-cli]
sso_start_url = https://xyz.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

my ~/.profile has these environment variables

export AWS_CONFIGURE_SSO_DEFAULT_SSO_START_URL="https://xyz.awsapps.com/start"
export AWS_CONFIGURE_DEFAULT_SSO_REGION="eu-central-1"
export AWS_CONFIGURE_DEFAULT_REGION="eu-central-1"
export AWS_DEFAULT_REGION="eu-central-1"

$ aws --version
aws-cli/2.9.0 Python/3.9.11 Linux/4.4.0-19041-Microsoft exe/x86_64.ubuntu.22 prompt/off
$ pip freeze --local | grep -iE '(aws|boto)'
aws-error-utils==1.3.0
aws-sso-lib==1.13.0
aws-sso-util==4.30.0
boto3==1.26.13
botocore==1.29.13

avoidik commented Nov 30, 2022

it works even after SSO session has expired if I remove this line from ~/.aws/config

sso_session = bbbb-cli
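Added diagnostic (my code, not aws-sso-util's or the AWS CLI's) for the sso_session observation above: it parses a constructed config modelled on the one in the report, derives the token-cache file name botocore looks up (sha1 of the sso_session name for session-based profiles, sha1 of the start URL for legacy ones) and reports whether that entry is missing, valid or expired. The scenario in demo(), where only a start-URL-keyed entry exists, is an assumption for illustration, not a conclusion the thread reached.

```python
import configparser, hashlib, json, os, tempfile
from datetime import datetime, timezone

# Constructed sample config, modelled on the ~/.aws/config in the report.
SAMPLE_CONFIG = """\
[profile aaaa]
sso_start_url = https://xyz.awsapps.com/start
sso_region = eu-central-1
sso_session = bbbb-cli

[sso-session bbbb-cli]
sso_start_url = https://xyz.awsapps.com/start
sso_region = eu-central-1
"""

def cache_key(profile_name, config_text):
    """(kind, sha1 hex) of the token cache file botocore looks up: session-based
    profiles are keyed by the sso_session name, legacy ones by sso_start_url."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    prof = cfg[f"profile {profile_name}"]
    if "sso_session" in prof:
        sess = prof["sso_session"]
        if f"sso-session {sess}" not in cfg:
            raise ValueError(f"missing [sso-session {sess}] section")
        return "session", hashlib.sha1(sess.encode()).hexdigest()
    return "legacy", hashlib.sha1(prof["sso_start_url"].encode()).hexdigest()

def token_status(cache_dir, key, now):
    """'missing', 'expired' or 'valid' for <cache_dir>/<key>.json at time now."""
    path = os.path.join(cache_dir, key + ".json")
    if not os.path.exists(path):
        return "missing"
    with open(path) as f:
        expires = datetime.fromisoformat(json.load(f)["expiresAt"].replace("Z", "+00:00"))
    return "valid" if expires > now else "expired"

def demo():
    """Constructed scenario (an assumption, not the thread's finding): only a legacy entry exists."""
    kind, sess_key = cache_key("aaaa", SAMPLE_CONFIG)
    legacy_key = hashlib.sha1(b"https://xyz.awsapps.com/start").hexdigest()
    at_check = datetime(2022, 12, 1, 11, 42, 16, tzinfo=timezone.utc)  # time in the check output
    next_day = datetime(2022, 12, 2, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, legacy_key + ".json"), "w") as f:
            json.dump({"expiresAt": "2022-12-01T18:39:20Z"}, f)  # expiry from the check output
        return {"kind": kind,
                "by_session": token_status(d, sess_key, at_check),
                "by_start_url": token_status(d, legacy_key, at_check),
                "by_start_url_next_day": token_status(d, legacy_key, next_day)}
```

Point it at the real ~/.aws/config and ~/.aws/sso/cache to see which entry a given profile actually resolves to after a login.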

benkehoe (Owner) commented Nov 30, 2022

  1. Does it work if you use aws sso login --profile aaaa instead?
  2. What's the output of aws-sso-util check --check-profile aaaa?
  3. Is this fixed by reverting the AWS CLI to a version before 2.9.0? https://docs.aws.amazon.com/cli/latest/userguide/getting-started-version.html


avoidik commented Dec 1, 2022

this is what I got for an expired session (I decided to run the second item first)

$ aws-sso-util check --check-profile aaaa
aws-sso-util: v4.30.0; aws-sso-lib: v1.13.0; time: 2022-12-01T11:42:16Z
Configuration for profile aaaa:
Start URL:  https://xyz.awsapps.com/start
Region:     eu-central-1
Account ID: 123456789012
Role name:  iam-role-name
AWS SSO instance start URL https://xyz.awsapps.com/start from CLI-specified profile aaaa and region eu-central-1 from CLI-specified profile aaaa, from specifier https://xyz.awsapps.com/start from CLI-specified profile aaaa and region eu-central-1 from CLI-specified profile aaaa
AWS SSO token cache entry is valid until 2022-12-01T18:39:20Z (cached at 2022-12-01T10:39:26Z)
Access found for iam-role-name in account 123456789012 (aaaa-bbbb-ppp)

$ aws sts get-caller-identity
Error when retrieving token from sso: Token has expired and refresh failed

then I run

$ aws sso login --profile aaaa

which eventually fixed the expired session issue


avoidik commented Dec 1, 2022

while following an SSO login journey in a browser I saw that aws sso login --profile aaaa has been using bbbb-cli in the approval process, but aws-sso-util login isn't

benkehoe (Owner) commented Dec 1, 2022

A change to the CLI/boto3 to support refresh tokens seems to be the cause, but I'm not going to be able to figure out the fix for a couple days at least.


avoidik commented Dec 7, 2022

I think I can summarize this issue as: for some reason aws-sso-util login is ignoring the session profile

@preethakrish

As long as you are signed in to IAM Identity Center and those cached credentials have not expired, the AWS CLI automatically renews expired AWS credentials when needed. However, if your IAM Identity Center credentials expire, you must explicitly renew them by logging in to your IAM Identity Center account again, using the following method:

$ aws sso login --profile urprofilename

The AWS CLI opens your default browser and verifies your IAM Identity Center login.

You can verify the same by using the following command:

aws s3 ls --profile urprofilename


avoidik commented Feb 13, 2024

Yup, that's what I have preventively been doing, but leveraging the tool itself, so that it picks a correct SSO profile automatically

$ aws-sso-util login

@preethakrish

I have installed the aws-sso-util utility and configured my profile with aws-sso-util configure profile. After configuration, when I used aws-sso-util login, it attempted to log in to IAM Identity Center; once login succeeded, it said "Login succeeded, valid until 2024-02-13 19:36 India Standard Time". Is it again temporary access? Can't it be made permanent?

@preethakrish

What I felt is that aws-sso-util configure profile and aws configure sso both do the same job; also aws sso login --profile and aws-sso-util login again do the same job, no difference.


rohit901 commented Mar 1, 2024

I have somewhat of a similar issue, and it is described here: aws/aws-cli#7656 (comment)

For those interested, there seems to be a possible solution of increasing the default IAM session time.
