aws configure sso error : (InvalidRequestException) when calling the StartDeviceAuthorization operation

[rasheedzrt]

Hi,

I was trying to configure sso using azuread but I'm seeing this below error.

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

can anyone please suggest why do we see this error, I was going through the aws documentation and I see that this could be due to some parameters missing and other other issues.

I've tried to setup debug parameteres too but couldn't get much info.

`[default]
region = us-east-1
saml_auth_url = https://myapps.microsoft.com/signin/app-id?tenantId=client-id
saml_username = [email protected]
saml_provider = azuread
output = json

[profile nonprodus]
region = us-east-1
saml_auth_url = https://myapps.microsoft.com/signin/app-id?tenantId=client-id
saml_username = [email protected]
role_arn = arn:aws:iam::account-number:role/PowerUser
source_profile = default

[profile produs]
region = us-east-1
saml_auth_url = https://myapps.microsoft.com/signin/app-id?tenantId=client-id
role_arn = arn:aws:iam::account-number:role/PowerUser
source_profile = default`

Thanks,
Rasheed

[aBurmeseDev]

Hi @rasheedzrt, thanks for reaching out and sorry to hear you're having issues.

As I'm trying to locate the issue, could you share the debug logs by adding --debug to your CLI command? Also which CLI version are you using?

Best,
John

[rasheedzrt]

aws configure sso --debug
2023-01-22 08:27:59,663 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.2.5 Python/3.8.8 Windows/10 exe/AMD64
2023-01-22 08:27:59,663 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['configure', 'sso', '--debug']
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x000002577E1A9A60>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x000002577D7E9820>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x000002577D78BF70>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x000002577D7980D0>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x000002577E1B94C0>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x000002577D833670>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2023-01-22 08:27:59,716 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x000002577E1B1700>
2023-01-22 08:27:59,732 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\data\cli.json
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x000002577E0E7670>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x000002577E0EA1F0>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x000002577E0EA160>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x000002577E0EA310>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x000002577E0EA280>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x000002577E250780>
2023-01-22 08:27:59,732 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.2.5 Python/3.8.8 Windows/10 exe/AMD64 prompt/off
2023-01-22 08:27:59,732 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['configure', 'sso', '--debug']
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x000002577E1A80D0>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x000002577D52E8B0>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x000002577E213EE0>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x000002577D527CA0>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x000002577D58A550>
2023-01-22 08:27:59,732 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x000002577D833550>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x000002577D7E2700>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event building-command-table.configure: calling handler <function _add_wizard_command at 0x000002577E213E50>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event building-command-table.configure: calling handler <function add_waiters at 0x000002577E1B1700>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.configure.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000002577E297C40>
2023-01-22 08:27:59,732 - MainThread - botocore.hooks - DEBUG - Event building-command-table.configure_sso: calling handler <function add_waiters at 0x000002577E1B1700>
SSO start URL [None]: https://myapps.microsoft.com/signin/766e7e73-4a56-4bfd-b5ca-ac29bf3645b6?tenantId=8cc434d7-97d0-4
7d3-b5c5-14fe0e33e34b
2023-01-22 08:28:23,009 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\botocore\data\endpoints.json
2023-01-22 08:28:23,061 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\botocore\data\sso-oidc\2019-06-10\service-2.json
SSO Region [None]: us-east-1
2023-01-22 08:28:28,235 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x000002577CD435E0>
2023-01-22 08:28:28,235 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.sso-oidc: calling handler <function add_generate_presigned_url at 0x000002577CCF28B0>
2023-01-22 08:28:28,235 - MainThread - botocore.endpoint - DEBUG - Setting oidc timeout as (60, 60)
2023-01-22 08:28:28,235 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.sso-oidc.StartDeviceAuthorization: calling handler <function base64_decode_input_blobs at 0x000002577E214670>
2023-01-22 08:28:28,235 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.sso-oidc.StartDeviceAuthorization: calling handler <function generate_idempotent_uuid at 0x000002577CD615E0>
2023-01-22 08:28:28,235 - MainThread - botocore.hooks - DEBUG - Event before-call.sso-oidc.StartDeviceAuthorization: calling handler <function inject_api_version_header_if_needed at 0x000002577CD62E50>
2023-01-22 08:28:28,235 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=StartDeviceAuthorization) with params: {'url_path': '/device_authorization', 'query_string': {}, 'method': 'POST', 'headers': {'User-Agent': 'aws-cli/2.2.5 Python/3.8.8 Windows/10 exe/AMD64 prompt/off command/configure.sso'}, 'body': b'{"clientId": "eIjN3MoFwGZ3QPtO9N-eS3VzLWVhc3QtMQ", "clientSecret": "secret-hidden", "startUrl": "https://myapps.microsoft.com/signin/766e7e73-4a56-4bfd-b5ca-ac29bf3645b6?tenantId=8cc434d7-97d0-47d3-b5c5-14fe0e33e34b"}', 'url': 'https://oidc.us-east-1.amazonaws.com/device_authorization', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x000002577E83B9A0>, 'has_streaming_input': False, 'auth_type': 'none'}}
2023-01-22 08:28:28,235 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.StartDeviceAuthorization: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x000002577E83BE80>>
2023-01-22 08:28:28,235 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso-oidc.StartDeviceAuthorization: calling handler <function set_operation_specific_signer at 0x000002577CD614C0>
2023-01-22 08:28:28,235 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://oidc.us-east-1.amazonaws.com/device_authorization, headers={'User-Agent': b'aws-cli/2.2.5 Python/3.8.8 Windows/10 exe/AMD64 prompt/off command/configure.sso', 'Content-Length': '1439'}>
2023-01-22 08:28:28,235 - MainThread - botocore.httpsession - DEBUG - Certificate path: C:\Program Files\Amazon\AWSCLIV2\botocore\cacert.pem
2023-01-22 08:28:28,235 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): oidc.us-east-1.amazonaws.com:443
2023-01-22 08:28:28,690 - MainThread - urllib3.connectionpool - DEBUG - https://oidc.us-east-1.amazonaws.com:443 "POST /device_authorization HTTP/1.1" 400 65
2023-01-22 08:28:28,690 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Sun, 22 Jan 2023 14:28:29 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'fc1f5480-16bd-4890-80d2-d3b80d4470b9', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2023-01-22 08:28:28,690 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2023-01-22 08:28:28,690 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Sun, 22 Jan 2023 14:28:29 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'fc1f5480-16bd-4890-80d2-d3b80d4470b9', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2023-01-22 08:28:28,690 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2023-01-22 08:28:28,690 - MainThread - botocore.hooks - DEBUG - Event needs-retry.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x000002577E83E970>>
2023-01-22 08:28:28,690 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2023-01-22 08:28:28,690 - MainThread - botocore.hooks - DEBUG - Event after-call.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x000002577E836DC0>>
2023-01-22 08:28:28,690 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
File "awscli\clidriver.py", line 459, in main
File "awscli\customizations\commands.py", line 197, in call
File "awscli\customizations\commands.py", line 191, in call
File "awscli\customizations\configure\sso.py", line 298, in _run_main
File "awscli\customizations\sso\utils.py", line 57, in do_sso_login
File "botocore\utils.py", line 2424, in fetch_token
File "botocore\utils.py", line 2419, in _token
File "botocore\utils.py", line 2374, in _poll_for_token
File "botocore\utils.py", line 2355, in _authorize_client
File "botocore\client.py", line 278, in _api_call
File "botocore\client.py", line 597, in _make_api_call
botocore.errorfactory.InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

[rasheedzrt]

@aBurmeseDev,

Please find the version info.

aws --version
aws-cli/2.2.5 Python/3.8.8 Windows/10 exe/AMD64 prompt/off

Thanks

[zvictor]

Same here.

$ aws --version
aws-cli/2.9.23 Python/3.11.2 Darwin/22.3.0 source/x86_64 prompt/off

$ aws configure sso --debug
...
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:
2023-02-15 11:59:40,788 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x1049a6c00>
2023-02-15 11:59:40,816 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/data/sso-oidc/2019-06-10/endpoint-rule-set-1.json
2023-02-15 11:59:40,817 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/data/partitions.json
2023-02-15 11:59:40,817 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.sso-oidc: calling handler <function add_generate_presigned_url at 0x1048fa0c0>
2023-02-15 11:59:40,856 - MainThread - botocore.endpoint - DEBUG - Setting oidc timeout as (60, 60)
2023-02-15 11:59:40,857 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'eu-west-1', 'UseDualStack': False, 'UseFIPS': False}
2023-02-15 11:59:40,857 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://oidc.eu-west-1.amazonaws.com
2023-02-15 11:59:40,857 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.sso-oidc.StartDeviceAuthorization: calling handler <function base64_decode_input_blobs at 0x105fc5440>
2023-02-15 11:59:40,857 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.sso-oidc.StartDeviceAuthorization: calling handler <function generate_idempotent_uuid at 0x1049c4fe0>
2023-02-15 11:59:40,858 - MainThread - botocore.hooks - DEBUG - Event before-call.sso-oidc.StartDeviceAuthorization: calling handler <function inject_api_version_header_if_needed at 0x1049c6ac0>
2023-02-15 11:59:40,858 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=StartDeviceAuthorization) with params: {'url_path': '/device_authorization', 'query_string': {}, 'method': 'POST', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.9.23 Python/3.11.2 Darwin/22.3.0 source/x86_64 prompt/off command/configure.sso'}, 'body': b'{"clientId": "EVeRKYPX3Wtmc0wWv7WWkmV1LXdlc3QtMQ", "clientSecret": "eyJraWQiOiJrZXktMTU2Njk2ODAxMyIsImFsZyI6IkhTMzg0In0.eyJzZXJpYWxpemVkIjoie1wiY2xpZW50SWRcIjp7XCJ2YWx1ZVwiOlwiRVZlUktZUFgzV3RtYzB3V3Y3V1drbVYxTFhkbGMzUXRNUVwifSxcImlkZW1wb3RlbnRLZXlcIjpudWxsLFwidGVuYW50SWRcIjpudWxsLFwiY2xpZW50TmFtZVwiOlwiYm90b2NvcmUtY2xpZW50LXp2aWN0b3ItZGV2XCIsXCJjbGllbnRUeXBlXCI6XCJQVUJMSUNcIixcInRlbXBsYXRlQXJuXCI6bnVsbCxcInRlbXBsYXRlQ29udGV4dFwiOm51bGwsXCJleHBpcmF0aW9uVGltZXN0YW1wXCI6MTY4NDI0OTA0MC4wODI5MTUwMDAsXCJjcmVhdGVkVGltZXN0YW1wXCI6MTY3NjQ3MzA0MC4wODI5MTUwMDAsXCJ1cGRhdGVkVGltZXN0YW1wXCI6MTY3NjQ3MzA0MC4wODI5MTUwMDAsXCJjcmVhdGVkQnlcIjpudWxsLFwidXBkYXRlZEJ5XCI6bnVsbCxcInN0YXR1c1wiOm51bGwsXCJpbml0aWF0ZUxvZ2luVXJpXCI6bnVsbCxcImVudGl0bGVkUmVzb3VyY2VJZFwiOm51bGwsXCJlbnRpdGxlZFJlc291cmNlQ29udGFpbmVySWRcIjpudWxsLFwiZXh0ZXJuYWxJZFwiOm51bGwsXCJzb2Z0d2FyZUlkXCI6bnVsbCxcInNjb3Blc1wiOlt7XCJmcmllbmRseUlkXCI6XCJzc29cIixcInVzZUNhc2VBY3Rpb25cIjpcImFjY291bnQ6YWNjZXNzXCIsXCJhcHBsaWNhdGlvbkFyblwiOm51bGwsXCJ0eXBlXCI6XCJJbW11dGFibGVBY2Nlc3NTY29wZVwiLFwic2NvcGVUeXBlXCI6XCJBQ0NFU1NfU0NPUEVcIixcImZ1bGxTY29wZVwiOlwic3NvOmFjY291bnQ6YWNjZXNzXCIsXCJzdGF0dXNcIjpcIklOSVRJQUxcIn1dLFwiYXV0aGVudGljYXRpb25Db25maWd1cmF0aW9uXCI6bnVsbCxcImVuYWJsZWRHcmFudHNcIjpudWxsLFwic2hvdWxkR2V0VmFsdWVGcm9tVGVtcGxhdGVcIjp0cnVlLFwiaGFzSW5pdGlhbFNjb3Blc1wiOnRydWUsXCJoYXNSZXF1ZXN0ZWRTY29wZXNcIjpmYWxzZSxcImFyZUFsbFNjb3Blc0NvbnNlbnRlZFRvXCI6ZmFsc2UsXCJncm91cFNjb3Blc0J5RnJpZW5kbHlJZFwiOntcInNzb1wiOlt7XCJmcmllbmRseUlkXCI6XCJzc29cIixcInVzZUNhc2VBY3Rpb25cIjpcImFjY291bnQ6YWNjZXNzXCIsXCJhcHBsaWNhdGlvbkFyblwiOm51bGwsXCJ0eXBlXCI6XCJJbW11dGFibGVBY2Nlc3NTY29wZVwiLFwic2NvcGVUeXBlXCI6XCJBQ0NFU1NfU0NPUEVcIixcImZ1bGxTY29wZVwiOlwic3NvOmFjY291bnQ6YWNjZXNzXCIsXCJzdGF0dXNcIjpcIklOSVRJQUxcIn1dfSxcImNvbnRhaW5zT25seVNzb1Njb3Blc1wiOnRydWUsXCJpc0V4cGlyZWRcIjpmYWxzZX0ifQ.KjKyfRu7yYZuv66JwKp1yJoo22H6WZhyTL8l-Ier1h4TNzMxMGgr7CQ54Y1JMaCJ", "startUrl": "https://zvictor.signin.aws.amazon.com/console"}', 'url': 'https://oidc.eu-west-1.amazonaws.com/device_authorization', 'context': {'client_region': 'eu-west-1', 'client_config': <botocore.config.Config object at 0x106837310>, 'has_streaming_input': False, 'auth_type': 'none'}}
2023-02-15 11:59:40,858 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.StartDeviceAuthorization: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x106800f10>>
2023-02-15 11:59:40,858 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso-oidc.StartDeviceAuthorization: calling handler <function set_operation_specific_signer at 0x1049c4ea0>
2023-02-15 11:59:40,858 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://oidc.eu-west-1.amazonaws.com/device_authorization, headers={'Content-Type': b'application/json', 'User-Agent': b'aws-cli/2.9.23 Python/3.11.2 Darwin/22.3.0 source/x86_64 prompt/off command/configure.sso', 'Content-Length': '1938'}>
2023-02-15 11:59:40,859 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/cacert.pem
2023-02-15 11:59:40,859 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): oidc.eu-west-1.amazonaws.com:443
2023-02-15 11:59:41,935 - MainThread - urllib3.connectionpool - DEBUG - https://oidc.eu-west-1.amazonaws.com:443 "POST /device_authorization HTTP/1.1" 400 65
2023-02-15 11:59:41,936 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 15 Feb 2023 14:59:42 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': '91ebc35d-31be-4721-97bf-1d8ae9e02789', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2023-02-15 11:59:41,936 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2023-02-15 11:59:41,936 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 15 Feb 2023 14:59:42 GMT', 'Content-Type': 'application/json', 'Content-Length': '65', 'Connection': 'keep-alive', 'x-amzn-RequestId': '91ebc35d-31be-4721-97bf-1d8ae9e02789', 'x-amzn-ErrorType': 'InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/'}
2023-02-15 11:59:41,936 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"invalid_request","error_description":"Invalid request"}'
2023-02-15 11:59:41,936 - MainThread - botocore.hooks - DEBUG - Event needs-retry.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x106838e90>>
2023-02-15 11:59:41,937 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2023-02-15 11:59:41,937 - MainThread - botocore.hooks - DEBUG - Event after-call.sso-oidc.StartDeviceAuthorization: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x1067ee490>>
2023-02-15 11:59:41,938 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/clidriver.py", line 460, in main
    return command_table[parsed_args.command](remaining, parsed_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/customizations/commands.py", line 151, in __call__
    return self._subcommand_table[subcommand_name](
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/customizations/commands.py", line 205, in __call__
    rc = self._run_main(parsed_args, parsed_globals)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/customizations/configure/sso.py", line 516, in _run_main
    sso_token = self._sso_login(
                ^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/customizations/sso/utils.py", line 72, in do_sso_login
    return token_fetcher.fetch_token(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 3052, in fetch_token
    return self._token(
           ^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 3037, in _token
    token = self._poll_for_token(
            ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 2952, in _poll_for_token
    authorization = self._authorize_client(start_url, registration)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 2929, in _authorize_client
    response = self._client.start_device_authorization(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 341, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/awscli/2.9.23/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 697, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

[fasterinnerlooper]

The issue with me was that the Authentication URL was incorrect. In my case, I have sso_start_url as a parameter in my config file, and there was an extra character in there.

[CollinAlpert]

This was it, thanks so much!

[hdodov]

We're using Okta and I was getting the same error. I ended up having to use okta-aws-cli-assume-role. After that, I could just call okta-aws default sts get-caller-identity and that would generate credentials for me.

[fdreger]

Same error. It seems (looking at the logs) that there is a silly error with marshalling a bootcore.config.Config instance - instead of a proper JSON objects, a string <bootcore.config.Config object at 0x00000012312312312> is injected into the request, triggering a 400 response (and justly so, the request is broken).

Possibly, an update of bootcore changed a map to an object. Looks like a simple and very necessary fix.

[aogier]

Same error. It seems (looking at the logs) that there is a silly error with marshalling a bootcore.config.Config instance - instead of a proper JSON objects, a string <bootcore.config.Config object at 0x00000012312312312> is injected into the request, triggering a 400 response (and justly so, the request is broken).

Possibly, an update of bootcore changed a map to an object. Looks like a simple and very necessary fix.

(un?)fortunately, that's not the case. Sniffing traffic reveal such a request for the 400 one:

#POSTed req:
{
    "clientId": "xxx",
    "clientSecret": "xxx",
    "startUrl": "xxx"
}

# response:
# headers:
# x-amzn-RequestId:  xxx
# x-amzn-ErrorType:  InvalidRequestException:http://internal.amazon.com/coral/com.amazonaws.sso.oidc/

{
    "error": "invalid_request",
    "error_description": "Invalid request"
}

so no marshaling errors here...

[aogier]

just for sake of completeness this is the payload which gets received in the first request then posted to the 400 one:

{
  "clientId": {
    "value": "Bg3CWOFgn-JHWFDg3cDx5GV1LWNlbnRyYWwtMQ"
  },
  "idempotentKey": null,
  "tenantId": null,
  "clientName": "botocore-client-u",
  "clientType": "PUBLIC",
  "templateArn": null,
  "templateContext": null,
  "expirationTimestamp": 1693413579.485812,
  "createdTimestamp": 1685637579.485812,
  "updatedTimestamp": 1685637579.485812,
  "createdBy": null,
  "updatedBy": null,
  "status": null,
  "initiateLoginUri": null,
  "entitledResourceId": null,
  "entitledResourceContainerId": null,
  "externalId": null,
  "softwareId": null,
  "scopes": [
    {
      "friendlyId": "sso",
      "useCaseAction": "account:access",
      "applicationArn": null,
      "scopeType": "ACCESS_SCOPE",
      "type": "ImmutableAccessScope",
      "fullScope": "sso:account:access",
      "status": "INITIAL"
    }
  ],
  "authenticationConfiguration": null,
  "enabledGrants": null,
  "shouldGetValueFromTemplate": true,
  "hasInitialScopes": true,
  "hasRequestedScopes": false,
  "areAllScopesConsentedTo": false,
  "groupScopesByFriendlyId": {
    "sso": [
      {
        "friendlyId": "sso",
        "useCaseAction": "account:access",
        "applicationArn": null,
        "scopeType": "ACCESS_SCOPE",
        "type": "ImmutableAccessScope",
        "fullScope": "sso:account:access",
        "status": "INITIAL"
      }
    ]
  },
  "containsOnlySsoScopes": true,
  "isExpired": false
}

[vladistan]

Getting the same error here

Here is the stack dump

2023-06-14 17:47:55,148 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/clidriver.py", line 460, in main
return command_table[parsed_args.command](remaining, parsed_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/customizations/commands.py", line 151, in call
return self._subcommand_table[subcommand_name](
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/customizations/commands.py", line 205, in call
rc = self._run_main(parsed_args, parsed_globals)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/customizations/configure/sso.py", line 516, in _run_main
sso_token = self._sso_login(
^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/customizations/sso/utils.py", line 72, in do_sso_login
return token_fetcher.fetch_token(
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 3052, in fetch_token
return self._token(
^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 3037, in _token
token = self._poll_for_token(
^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 2952, in _poll_for_token
authorization = self._authorize_client(start_url, registration)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 2929, in _authorize_client
response = self._client.start_device_authorization(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 341, in _api_call
return self._make_api_call(operation_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/awscli/2.11.27/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 697, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation:

[cameron-bam]

For anyone else who runs into this problem, I was able to resolve the issue by removing all files in ~/.aws/sso/cache. You may need to clear ~/.aws/config as well, but I didn't test enough to confirm.

[tungnv87]

Thanks @cameron-bam - clear caches & remove config file is work for me

[FabioRodrigues]

thx @cameron-bam!

[gclabbe-circuit]

I did have to kill the config file and re-run

aws configure sso