Should not be able to access expired SSO cached sessions #6724
Comments
Hi @juanitosvq thanks for reaching out. Looking at your debug log it says:
So it does acknowledge that your cache credentials are expired. Then it proceeds to call GetRoleCredentials, which “Returns the STS short-term credentials for a given role name that is assigned to the user.” This documentation from the User Guide helps give more context on CLI/SSO behavior: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html.
Hi @tim-finnigan thanks for the response. I went through that link you provided and I still don't understand the behaviour I am seeing.
In my case, my credentials seem to get renewed for a profile that hasn't been enabled. My understanding is that when I run the step 3 in my reproduction steps:
I just tried these steps:
I feel like I am missing something fundamental here, but I don't see this behaviour described in the documentation. Apologies if it's something very obvious!
Hi @juanitosvq thanks for following up. I think the relevant section of the documentation linked above is:
So what's likely happening is that there are not separate cached files for each profile but it's shared per the There was a lengthy discussion on this topic in another issue if you’re interested in diving deeper into it. Specifically this comment may help explain things better:
Hi @tim-finnigan thanks for the quick response. Yeah, that was very helpful. This comment also helped:
That's where my confusion also came from: the fact that you have to specify a profile to login, but actually you have access to all the profiles with the same start URL. I will close this now, thanks!
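An added example, not code from this thread or from the AWS CLI, that shows the behaviour explained above on constructed cache data: a profile whose cached role credentials have expired is still refreshable as long as another profile's login left a live SSO access token for the same start URL. The JSON field names, the profile-to-start-URL mapping and all sample values are assumptions.

```python
# Added audit example (not AWS CLI code): which cached SSO profiles stay usable
# without a fresh login? Field names follow the ~/.aws/sso/cache and
# ~/.aws/cli/cache JSON files as commonly seen; the exact layout and the
# profile-to-start-URL mapping are assumptions.
from datetime import datetime

# Constructed sample data; no real tokens or credentials.
PROFILES = {  # from ~/.aws/config: profile name -> sso_start_url
    "eio-build": {"sso_start_url": "https://example.awsapps.com/start"},
    "eio-dev-admin": {"sso_start_url": "https://example.awsapps.com/start"},
    "other-org": {"sso_start_url": "https://other.awsapps.com/start"},
}
SSO_TOKEN_CACHE = [  # ~/.aws/sso/cache/*.json: one access token per start URL
    {"startUrl": "https://example.awsapps.com/start", "region": "us-east-1",
     "accessToken": "<redacted>", "expiresAt": "2022-02-03T18:00:00Z"},
]
CLI_CREDENTIAL_CACHE = {  # ~/.aws/cli/cache/*.json, keyed here by profile
    "eio-build": {"ProviderType": "sso", "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE1", "Expiration": "2022-02-03T12:00:00Z"}},
    "eio-dev-admin": {"ProviderType": "sso", "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE2", "Expiration": "2022-02-03T16:00:00Z"}},
}

def parse_ts(s):
    """Parse the 'Z'-suffixed UTC timestamps used in the cache files."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit(profiles, sso_tokens, cli_cache, now):
    """Classify each profile by what the CLI would do on its next API call."""
    live_urls = {t["startUrl"] for t in sso_tokens
                 if parse_ts(t["expiresAt"]) > now}
    report = {}
    for name, cfg in profiles.items():
        entry = cli_cache.get(name)
        creds_ok = (entry is not None and
                    parse_ts(entry["Credentials"]["Expiration"]) > now)
        if creds_ok:
            report[name] = "cached-credentials-valid"
        elif cfg["sso_start_url"] in live_urls:
            # Expired role creds, but the shared SSO token is still live:
            # the CLI calls GetRoleCredentials and succeeds without a login.
            report[name] = "expired-but-refreshable"
        else:
            report[name] = "requires-sso-login"
    return report

def run_sample(now_iso="2022-02-03T14:00:00Z"):
    """Run the audit over the constructed data at a chosen point in time."""
    return audit(PROFILES, SSO_TOKEN_CACHE, CLI_CREDENTIAL_CACHE, parse_ts(now_iso))
```

Running `run_sample()` reports eio-build as expired-but-refreshable, which is exactly the case the issue describes; once the SSO token itself expires, every profile for that start URL drops to requires-sso-login.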
Describe the bug
I am using AWS SSO to log in to my profiles. After I log in to one of my profiles, e.g. aws sso login --profile eio-build, I am subsequently able to access other profiles that are cached in the .aws/cli/cache folder, even after they have expired and before I have logged in to them again. I wouldn't expect this to be the expected behaviour, but I may be wrong?
SDK version number
Platform/OS/Hardware/Device
Ubuntu 20.04.3 LTS
To Reproduce (observed behavior)
eio-build
.aws/cli/cache folder:
Results are returned successfully, even though I wasn't logged in.
4. Check the .aws/cli/cache folder again to see that the file for eio-dev-admin has been updated:
Expected behavior
I shouldn't be able to access SSO profiles that I haven't logged in for, even if they've been cached in the cli cache.
Logs/output