Should not be able to access expired SSO cached sessions #6724

Closed
juanitosvq opened this issue Feb 15, 2022 · 5 comments
guidance Question that needs advice or information. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. sso

@juanitosvq
Describe the bug
I am using AWS SSO to log in to my profiles. After I log in to one of my profiles, e.g. aws sso login --profile eio-build, I am subsequently able to access other profiles that are cached in the ./aws/cli/cache folder, even after they have expired and before I have logged in to them again.
I wouldn't expect this to be the expected behaviour, but I may be wrong?

SDK version number

aws-cli/2.4.18 Python/3.8.8 Linux/5.4.0-99-generic exe/x86_64.ubuntu.20 prompt/off

Platform/OS/Hardware/Device
Ubuntu 20.04.3 LTS

To Reproduce (observed behavior)

  1. Log in to an existing profile, e.g. eio-build:
     aws sso login --profile eio-build
  2. Check the .aws/cli/cache folder:
     ~/.aws/cli$ ll cache/
     total 48
     drwxr-xr-x 2 jc jc 4096 Feb  1 19:17 ./
     drwxr-xr-x 3 jc jc 4096 Jul 17  2019 ../
     -rw------- 1 jc jc 1104 Dec 21 12:25 cd3dc7f4c1e47156c8fdba8ccc64965da6e5c01d.json
  3. Try to invoke the AWS CLI with a different profile:
     aws s3 ls --profile eio-dev-admin --debug

     Results are returned successfully, even though I wasn't logged in.
  4. Check the .aws/cli/cache folder again to see that the file for eio-dev-admin has been updated:

~/.aws/cli$ ll cache/
total 48
drwxr-xr-x 2 jc jc 4096 Feb  1 19:17 ./
drwxr-xr-x 3 jc jc 4096 Jul 17  2019 ../
-rw------- 1 jc jc 1116 Feb 15 09:09 cd3dc7f4c1e47156c8fdba8ccc64965da6e5c01d.json

Expected behavior
I shouldn't be able to access SSO profiles that I haven't logged in for, even if they've been cached in the cli cache.

Logs/output

~/.aws/cli$ aws s3 ls --profile eio-dev-admin --debug
2022-02-15 09:09:56,242 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.4.18 Python/3.8.8 Linux/5.4.0-99-generic exe/x86_64.ubuntu.20
2022-02-15 09:09:56,242 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--profile', 'eio-dev-admin', '--debug']
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x7f00bd9b0e50>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x7f00bdb088b0>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f00bdbae280>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f00bdbb70d0>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x7f00bd9c38b0>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x7f00bdad2700>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2022-02-15 09:09:56,252 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x7f00bd9baaf0>
2022-02-15 09:09:56,252 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.18/dist/awscli/data/cli.json
2022-02-15 09:09:56,255 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x7f00bda85940>
2022-02-15 09:09:56,255 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x7f00bda864c0>
2022-02-15 09:09:56,255 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x7f00bda86430>
2022-02-15 09:09:56,255 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x7f00bda865e0>
2022-02-15 09:09:56,256 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x7f00bda86550>
2022-02-15 09:09:56,256 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x7f00bd8e05c0>
2022-02-15 09:09:56,256 - MainThread - botocore.session - DEBUG - Setting config variable for profile to 'eio-dev-admin'
2022-02-15 09:09:56,256 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.4.18 Python/3.8.8 Linux/5.4.0-99-generic exe/x86_64.ubuntu.20 prompt/off
2022-02-15 09:09:56,256 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--profile', 'eio-dev-admin', '--debug']
2022-02-15 09:09:56,256 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7f00bd9b24c0>
2022-02-15 09:09:56,256 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f00be3f65e0>
2022-02-15 09:09:56,256 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7f00bd922dc0>
2022-02-15 09:09:56,257 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7f00be3f2940>
2022-02-15 09:09:56,257 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f00be35d1f0>
2022-02-15 09:09:56,257 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2022-02-15 09:09:56,259 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2022-02-15 09:09:56,259 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f00bdad25e0>
2022-02-15 09:09:56,259 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7f00bdb82700>
2022-02-15 09:09:56,259 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3: calling handler <function add_waiters at 0x7f00bd9baaf0>
2022-02-15 09:09:56,260 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.s3.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f00bd0abeb0>
2022-02-15 09:09:56,260 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3_ls: calling handler <function add_waiters at 0x7f00bd9baaf0>
2022-02-15 09:09:56,260 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.paths: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f00bd0abeb0>
2022-02-15 09:09:56,261 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f00bd0abeb0>
2022-02-15 09:09:56,261 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.page-size: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f00bd0abeb0>
2022-02-15 09:09:56,261 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.human-readable: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f00bd0abeb0>
2022-02-15 09:09:56,261 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f00be39c2e0>
2022-02-15 09:09:56,261 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.summarize: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f00bd0abeb0>
2022-02-15 09:09:56,261 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f00be39c2e0>
2022-02-15 09:09:56,261 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.request-payer: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f00bd0abeb0>
2022-02-15 09:09:56,261 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2022-02-15 09:09:56,261 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2022-02-15 09:09:56,262 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2022-02-15 09:09:56,262 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.18/dist/awscli/botocore/data/endpoints.json
2022-02-15 09:09:56,274 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f00bf7900d0>
2022-02-15 09:09:56,286 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.18/dist/awscli/botocore/data/s3/2006-03-01/service-2.json
2022-02-15 09:09:56,294 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x7f00bfdc8820>
2022-02-15 09:09:56,294 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x7f00bfdc85e0>
2022-02-15 09:09:56,297 - MainThread - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2022-02-15 09:09:56,309 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.18/dist/awscli/botocore/data/s3/2006-03-01/paginators-1.json
2022-02-15 09:09:56,309 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.s3.ListObjectsV2: calling handler <function base64_decode_input_blobs at 0x7f00bd925550>
2022-02-15 09:09:56,309 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListObjectsV2: calling handler <function set_list_objects_encoding_type_url at 0x7f00bf7a6670>
2022-02-15 09:09:56,309 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListObjectsV2: calling handler <function validate_bucket_name at 0x7f00bf7a73a0>
2022-02-15 09:09:56,310 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListObjectsV2: calling handler <bound method S3RegionRedirector.redirect_from_cache of <botocore.utils.S3RegionRedirector object at 0x7f00bcbd1880>>
2022-02-15 09:09:56,310 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListObjectsV2: calling handler <bound method S3ArnParamHandler.handle_arn of <botocore.utils.S3ArnParamHandler object at 0x7f00bcbd1940>>
2022-02-15 09:09:56,310 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListObjectsV2: calling handler <function generate_idempotent_uuid at 0x7f00bf7a71f0>
2022-02-15 09:09:56,310 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListObjectsV2: calling handler <function add_expect_header at 0x7f00bf7a7700>
2022-02-15 09:09:56,310 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListObjectsV2: calling handler <bound method S3RegionRedirector.set_request_url of <botocore.utils.S3RegionRedirector object at 0x7f00bcbd1880>>
2022-02-15 09:09:56,310 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListObjectsV2: calling handler <function inject_api_version_header_if_needed at 0x7f00bf7a6a60>
2022-02-15 09:09:56,310 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ListObjectsV2) with params: {'url_path': '/#####?list-type=2', 'query_string': {'prefix': '', 'delimiter': '/', 'encoding-type': 'url'}, 'method': 'GET', 'headers': {'User-Agent': 'aws-cli/2.4.18 Python/3.8.8 Linux/5.4.0-99-generic exe/x86_64.ubuntu.20 prompt/off command/s3.ls'}, 'body': b'', 'url': 'https://s3.us-east-1.amazonaws.com/#######?list-type=2&prefix=&delimiter=%2F&encoding-type=url', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x7f00bcc0dca0>, 'has_streaming_input': False, 'auth_type': None, 'encoding_type_auto_set': True, 'signing': {'bucket': '#####'}}}
2022-02-15 09:09:56,311 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.ListObjectsV2: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f00bcc0dd90>>
2022-02-15 09:09:56,311 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.ListObjectsV2: calling handler <bound method S3EndpointSetter.set_signer of <botocore.utils.S3EndpointSetter object at 0x7f00bcbd19d0>>
2022-02-15 09:09:56,311 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.ListObjectsV2: calling handler <function set_operation_specific_signer at 0x7f00bf7a70d0>
2022-02-15 09:09:56,311 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.ListObjectsV2: calling handler <bound method S3EndpointSetter.set_endpoint of <botocore.utils.S3EndpointSetter object at 0x7f00bcbd19d0>>
2022-02-15 09:09:56,311 - MainThread - botocore.utils - DEBUG - Defaulting to S3 virtual host style addressing with path style addressing fallback.
2022-02-15 09:09:56,311 - MainThread - botocore.utils - DEBUG - Checking for DNS compatible bucket for: https://s3.us-east-1.amazonaws.com/####?list-type=2&prefix=&delimiter=%2F&encoding-type=url
2022-02-15 09:09:56,311 - MainThread - botocore.utils - DEBUG - URI updated to: https://######.s3.us-east-1.amazonaws.com/?list-type=2&prefix=&delimiter=%2F&encoding-type=url
2022-02-15 09:09:56,314 - MainThread - botocore.credentials - DEBUG - Credentials were found in cache, but they are expired.
2022-02-15 09:09:56,315 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f00bf7900d0>
2022-02-15 09:09:56,315 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.18/dist/awscli/botocore/data/sso/2019-06-10/service-2.json
2022-02-15 09:09:56,315 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.sso: calling handler <function add_generate_presigned_url at 0x7f00bfdc85e0>
2022-02-15 09:09:56,319 - MainThread - botocore.endpoint - DEBUG - Setting portal.sso timeout as (60, 60)
2022-02-15 09:09:56,320 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.sso.GetRoleCredentials: calling handler <function base64_decode_input_blobs at 0x7f00bd925550>
2022-02-15 09:09:56,320 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.sso.GetRoleCredentials: calling handler <function generate_idempotent_uuid at 0x7f00bf7a71f0>
2022-02-15 09:09:56,320 - MainThread - botocore.hooks - DEBUG - Event before-call.sso.GetRoleCredentials: calling handler <function inject_api_version_header_if_needed at 0x7f00bf7a6a60>
2022-02-15 09:09:56,320 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetRoleCredentials) with params: {'url_path': '/federation/credentials', 'query_string': {'role_name': 'MyRoleName', 'account_id': '944486121133'}, 'method': 'GET', 'headers': {'x-amz-sso_bearer_token': '##############', 'User-Agent': 'aws-cli/2.4.18 Python/3.8.8 Linux/5.4.0-99-generic exe/x86_64.ubuntu.20 prompt/off command/s3.ls'}, 'body': b'', 'url': 'https://portal.sso.ca-central-1.amazonaws.com/federation/credentials?role_name=MyRoleName&account_id=#########', 'context': {'client_region': 'ca-central-1', 'client_config': <botocore.config.Config object at 0x7f00bcbf2760>, 'has_streaming_input': False, 'auth_type': 'none'}}
2022-02-15 09:09:56,320 - MainThread - botocore.hooks - DEBUG - Event request-created.sso.GetRoleCredentials: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f00bcbf2730>>
2022-02-15 09:09:56,320 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso.GetRoleCredentials: calling handler <function set_operation_specific_signer at 0x7f00bf7a70d0>
2022-02-15 09:09:56,320 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://portal.sso.ca-central-1.amazonaws.com/federation/credentials?role_name=MyRoleName&account_id=#########, headers={'x-amz-sso_bearer_token': b'########', 'User-Agent': b'aws-cli/2.4.18 Python/3.8.8 Linux/5.4.0-99-generic exe/x86_64.ubuntu.20 prompt/off command/s3.ls'}>
2022-02-15 09:09:56,321 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/v2/2.4.18/dist/awscli/botocore/cacert.pem
2022-02-15 09:09:56,321 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): portal.sso.ca-central-1.amazonaws.com:443
2022-02-15 09:09:56,654 - MainThread - urllib3.connectionpool - DEBUG - https://portal.sso.ca-central-1.amazonaws.com:443 "GET /federation/credentials?role_name=MyRoleName&account_id=####### HTTP/1.1" 200 1080
2022-02-15 09:09:56,656 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Tue, 15 Feb 2022 14:09:56 GMT', 'Content-Type': 'application/json', 'Content-Length': '1080', 'Connection': 'keep-alive', 'Access-Control-Expose-Headers': 'RequestId', 'Cache-Control': 'no-cache', 'RequestId': '#####', 'Server': 'AWS SSO'}
2022-02-15 09:09:56,656 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"roleCredentials":{"accessKeyId":"####REDACTED######","secretAccessKey":"######REDACTED########","expiration":1644937795000}}'
2022-02-15 09:09:56,657 - MainThread - botocore.hooks - DEBUG - Event needs-retry.sso.GetRoleCredentials: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7f00bcb4f220>>
2022-02-15 09:09:56,657 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2022-02-15 09:09:56,658 - MainThread - botocore.hooks - DEBUG - Event after-call.sso.GetRoleCredentials: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7f00bcbf2d60>>
2022-02-15 09:09:56,666 - MainThread - botocore.credentials - DEBUG - Retrieved credentials will expire at: 2022-02-15 15:09:55+00:00
2022-02-15 09:09:56,667 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2022-02-15 09:09:56,668 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
GET
/
delimiter=%2F&encoding-type=url&list-type=2&prefix=
host:######.s3.us-east-1.amazonaws.com
x-amz-content-sha256:############
x-amz-date:20220215T140956Z
x-amz-security-token:REDACTED

host;x-amz-content-sha256;x-amz-date;x-amz-security-token
#######################################
2022-02-15 09:09:56,668 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20220215T140956Z
20220215/us-east-1/s3/aws4_request
###########
2022-02-15 09:09:56,668 - MainThread - botocore.auth - DEBUG - Signature:
###############
2022-02-15 09:09:56,669 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://#######.s3.us-east-1.amazonaws.com/?list-type=2&prefix=&delimiter=%2F&encoding-type=url, headers={'User-Agent': b'aws-cli/2.4.18 Python/3.8.8 Linux/5.4.0-99-generic exe/x86_64.ubuntu.20 prompt/off command/s3.ls', 'X-Amz-Date': b'20220215T140956Z', 'X-Amz-Security-Token': b'REDACTED', 'X-Amz-Content-SHA256': b'#######################################', 'Authorization': b'AWS4-HMAC-SHA256 Credential=####################/20220215/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=##################################'}>
2022-02-15 09:09:56,670 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/v2/2.4.18/dist/awscli/botocore/cacert.pem
2022-02-15 09:09:56,671 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): ######.s3.us-east-1.amazonaws.com:443
2022-02-15 09:09:56,952 - MainThread - urllib3.connectionpool - DEBUG - https://#####.s3.us-east-1.amazonaws.com:443 "GET /?list-type=2&prefix=&delimiter=%2F&encoding-type=url HTTP/1.1" 200 None
2022-02-15 09:09:56,954 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amz-id-2': '####################', 'x-amz-request-id': '############', 'Date': 'Tue, 15 Feb 2022 14:09:57 GMT', 'x-amz-bucket-region': 'us-east-1', 'Content-Type': 'application/xml', 'Transfer-Encoding': 'chunked', 'Server': 'AmazonS3'}
2022-02-15 09:09:56,954 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?>\n<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>######</Name><Prefix></Prefix><KeyCount>2</KeyCount><MaxKeys>1000</MaxKeys><Delimiter>/</Delimiter><EncodingType>url</EncodingType><IsTruncated>false</IsTruncated><CommonPrefixes>######</CommonPrefixes></ListBucketResult>'
2022-02-15 09:09:56,955 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListObjectsV2: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7f00bcbd1820>>
2022-02-15 09:09:56,956 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2022-02-15 09:09:56,956 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListObjectsV2: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x7f00bcbd1880>>
2022-02-15 09:09:56,956 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListObjectsV2: calling handler <function decode_list_object_v2 at 0x7f00bf7a6790>
2022-02-15 09:09:56,957 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListObjectsV2: calling handler <function enhance_error_msg at 0x7f00bd9b20d0>
2022-02-15 09:09:56,957 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListObjectsV2: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7f00bcbd1430>>
@juanitosvq juanitosvq added the needs-triage This issue or PR still needs to be triaged. label Feb 15, 2022
@juanitosvq juanitosvq changed the title Able to access expired SSO login sessions Should not be able to access expired SSO cached sessions Feb 15, 2022
@tim-finnigan tim-finnigan self-assigned this Feb 16, 2022
@tim-finnigan tim-finnigan added sso guidance Question that needs advice or information. investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 16, 2022
@tim-finnigan

Hi @juanitosvq thanks for reaching out. Looking at your debug log it says:

botocore.credentials - DEBUG - Credentials were found in cache, but they are expired.

So it does acknowledge that your cache credentials are expired. Then it proceeds to call GetRoleCredentials, which “Returns the STS short-term credentials for a given role name that is assigned to the user.”

This documentation from the User Guide helps give more context on CLI/SSO behavior: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html.

@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Feb 16, 2022
@juanitosvq

juanitosvq commented Feb 16, 2022

Hi @tim-finnigan thanks for the response.

I went through that link you provided and I still don't understand the behaviour I am seeing.

As long as you signed in to AWS SSO and those cached credentials are not expired, the AWS CLI automatically renews expired AWS temporary credentials when needed. However, if your AWS SSO credentials expire, you must explicitly renew them by logging in to your AWS SSO account again.

In my case, my credentials seem to get renewed for a profile that hasn't been enabled. My understanding is that when I run step 3 in my reproduction steps:

  3. Try to invoke the AWS CLI with a different profile.
     I shouldn't see a successful response, since that profile hasn't been enabled, and instead I should have to explicitly renew the credentials for it.

I just tried these steps:

~/.aws/cli/cache$ aws sso logout --profile eio-prod
~/.aws/cli/cache$ aws sso logout --profile eio-dev
~/.aws/cli/cache$ aws s3 ls --profile eio-prod

Error loading SSO Token: The SSO access token has either expired or is otherwise invalid.

~/.aws/cli/cache$ aws s3 ls --profile eio-dev

Error loading SSO Token: The SSO access token has either expired or is otherwise invalid.

~/.aws/cli/cache$ aws sso login --profile eio-dev
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.ca-central-1.amazonaws.com/

Then enter the code:

####-####
Successully logged into Start URL: https://xxxx.awsapps.com/start#/

~/.aws/cli/cache$ aws s3 ls --profile eio-dev
2021-03-30 14:21:00 bucket-in-eio-dev

~/.aws/cli/cache$ aws s3 ls --profile eio-prod
2021-12-14 15:12:46 bucket-in-eio-prod
# I wouldn't expect to get a successful response here, since the profile eio-prod hasn't been enabled before.

I feel like I am missing something fundamental here, but I don't see this behaviour described in the documentation. Apologies if it's something very obvious!

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 16, 2022
@tim-finnigan

Hi @juanitosvq thanks for following up. I think the relevant section of the documentation linked above is:

You can create multiple AWS SSO enabled named profiles that each point to a different AWS account or role. You can also use the aws sso login command on more than one profile at a time. If any of them share the same AWS SSO user account, you must log in to that AWS SSO user account only once and then they all share a single set of AWS SSO cached credentials.

So what's likely happening is that there are not separate cached files for each profile but it's shared per the start_url.

There was a lengthy discussion on this topic in another issue if you’re interested in diving deeper into it. Specifically this comment may help explain things better:

"Both profiles share the same start URL, so they are both able to use the token for a session with that start URL to get credentials for the role in the profile". You fed this start URL to aws sso login by telling it one of the profiles that has the start URL, but the login, and the token, is "for" the start URL, not for the profile.
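
To make the shared-session behaviour above concrete, here is an added example (not the AWS CLI's code and not posted by anyone in this issue) that parses a constructed ~/.aws/config, groups SSO profiles by start URL, and reports which profiles can still obtain role credentials without a fresh aws sso login. It assumes botocore's convention that the token file in ~/.aws/sso/cache is named after the SHA-1 of the start URL; the config and cache contents are constructed samples.

```python
import configparser
import hashlib
from datetime import datetime, timezone

# Constructed sample ~/.aws/config (not the reporter's file): eio-dev and
# eio-prod share one start URL, as in this issue; other-org uses another one.
SAMPLE_CONFIG = """
[profile eio-dev]
sso_start_url = https://xxxx.awsapps.com/start#/
sso_account_id = 111111111111
sso_role_name = MyRoleName

[profile eio-prod]
sso_start_url = https://xxxx.awsapps.com/start#/
sso_account_id = 222222222222
sso_role_name = MyRoleName

[profile other-org]
sso_start_url = https://other.awsapps.com/start#/
sso_account_id = 333333333333
sso_role_name = ReadOnly
"""

# Fixed "now", shortly after the debug log in this issue, for determinism.
NOW = datetime(2022, 2, 15, 14, 10, tzinfo=timezone.utc)


def token_cache_key(start_url: str) -> str:
    # Assumed botocore convention for legacy SSO profiles: the access-token
    # file in ~/.aws/sso/cache is named sha1(start_url) + ".json", so every
    # profile with the same start URL resolves to the same token file.
    return hashlib.sha1(start_url.encode("utf-8")).hexdigest() + ".json"


def parse_sso_profiles(config_text: str) -> dict:
    # {profile_name: {"start_url", "account_id", "role_name"}} for SSO profiles.
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    profiles = {}
    for section in cp.sections():
        if section.startswith("profile ") and "sso_start_url" in cp[section]:
            profiles[section[len("profile "):]] = {
                "start_url": cp[section]["sso_start_url"],
                "account_id": cp[section].get("sso_account_id"),
                "role_name": cp[section].get("sso_role_name"),
            }
    return profiles


def group_by_start_url(profiles: dict) -> dict:
    # Each group of profile names shares one SSO session (one token file).
    groups = {}
    for name, prof in sorted(profiles.items()):
        groups.setdefault(prof["start_url"], []).append(name)
    return groups


def token_is_valid(entry: dict, now: datetime) -> bool:
    # expiresAt is written as UTC ISO-8601 with a trailing "Z".
    expires = datetime.strptime(entry["expiresAt"], "%Y-%m-%dT%H:%M:%SZ")
    return now < expires.replace(tzinfo=timezone.utc)


def profiles_usable_without_login(profiles: dict, cache: dict, now: datetime) -> list:
    # Profiles whose start URL still has an unexpired token: the CLI can call
    # GetRoleCredentials for them and refresh ~/.aws/cli/cache without a new
    # `aws sso login`, even if that profile was never named in a login.
    usable = []
    for name, prof in sorted(profiles.items()):
        entry = cache.get(token_cache_key(prof["start_url"]))
        if entry is not None and token_is_valid(entry, now):
            usable.append(name)
    return usable


# Constructed token cache, keyed by file name as the cache directory would look
# after parsing each JSON file: a live session for the shared start URL and an
# expired one for the other organisation.
SAMPLE_CACHE = {
    token_cache_key("https://xxxx.awsapps.com/start#/"): {
        "startUrl": "https://xxxx.awsapps.com/start#/", "region": "ca-central-1",
        "accessToken": "CONSTRUCTED", "expiresAt": "2022-02-15T22:09:56Z"},
    token_cache_key("https://other.awsapps.com/start#/"): {
        "startUrl": "https://other.awsapps.com/start#/", "region": "us-east-1",
        "accessToken": "CONSTRUCTED", "expiresAt": "2022-02-14T08:00:00Z"},
}

if __name__ == "__main__":
    profiles = parse_sso_profiles(SAMPLE_CONFIG)
    for url, names in group_by_start_url(profiles).items():
        print(f"{url} -> {', '.join(names)}")
    print("usable without login:", profiles_usable_without_login(profiles, SAMPLE_CACHE, NOW))
```

Run against a real ~/.aws/config and the parsed contents of ~/.aws/sso/cache, this gives an auditor the list of roles reachable from one machine with a single login, which is the exposure a stolen or shared SSO token represents.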

@tim-finnigan tim-finnigan added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 17, 2022
@juanitosvq

Hi @tim-finnigan thanks for the quick response. Yeah, that was very helpful. This comment also helped:

The entire purpose of AWS SSO is that the aws sso login call only needs to happen once, for any profiles with the same start URL. I am fully onboard with the fact that it is confusing that the input to aws sso login is a profile, because it appears to indicate that aws sso login should be called once for each profile that is being used, but this is not the case.

That's where my confusion also came from: the fact that you have to specify a profile to login, but actually you have access to all the profiles with the same start URL.

I will close this now, thanks!
