Unable to use temporary security credentials #4970

Closed
DewaldDeJager opened this issue Jun 8, 2023 · 10 comments

Comments

@DewaldDeJager

Description

I am unable to use the CLI with a profile with temporary security credentials. I am using AWS SSO with an external identity provider. In the ~/.aws/config file I have:

[profile sandbox]
sso_session = example
sso_account_id = <redacted>
sso_role_name = AdministratorAccess
region = af-south-1

[sso-session example]
sso_region = af-south-1
sso_start_url = https://xxxx.awsapps.com/start

After running aws --profile sandbox sso login temporary credentials are added to the ~/.aws/credentials file:

[sandbox]
region=af-south-1
aws_access_key_id=<redacted>
aws_secret_access_key=<redacted>
aws_session_token=<redacted>

And then to confirm it is working I run:

export AWS_PROFILE=sandbox
aws sts get-caller-identity

Which works as expected:

{
    "UserId": "XXXXXXXX:[email protected]",
    "Account": "XXXXXXXXXX",
    "Arn": "arn:aws:sts::XXXXXXXXXX:assumed-role/AWSReservedSSO_AdministratorAccess_XXXXXXXX/[email protected]"
}

Expected Behaviour

When running copilot init --app my-app I should get this output:

Welcome to the Copilot CLI! We're going to walk you through some questions
to help you get set up with a containerized application on AWS. An application is a collection of
containerized services that operate together.

  Which workload type best represents your architecture?  [Use arrows to move, type to filter, ? for more help]
  > Request-Driven Web Service  (App Runner)
    Load Balanced Web Service   (Internet to ECS on Fargate)
    Backend Service             (ECS on Fargate)
    Worker Service              (Events to SQS to ECS on Fargate)
    Static Site                 (Internet to CDN to S3 bucket)
    Scheduled Job               (Scheduled event to State Machine to Fargate)
✘ select workload type:

Actual Behaviour

When running copilot init --app my-app I get this error:

Welcome to the Copilot CLI! We're going to walk you through some questions
to help you get set up with a containerized application on AWS. An application is a collection of
containerized services that operate together.

✘ get application bank-of-sirius: get application bank-of-sirius: ExpiredTokenException: The security token included in the request is expired
	status code: 400, request id: 3a02abc6-4d35-4168-8230-6eb2e2825e8a

Additional Information

I have tried using the default profile instead of the named profile sandbox but the behaviour was the same. The only way I could get it to work was by creating an IAM user in that account and generating access keys. This is not as secure as using temporary credentials.

OS: macOS Ventura (13.3.1)
Copilot CLI: v1.28.0
AWS CLI: aws-cli/2.11.25 Python/3.11.3 Darwin/22.4.0 exe/x86_64 prompt/off

@bvtujo
Contributor

bvtujo commented Jun 8, 2023

Hey @DewaldDeJager, I'm not able to replicate this issue. Here's what I did to create a new app:

  1. Enable AWS organizations in my account
  2. Create a user and attach administratoraccess permissions to it
  3. run aws configure sso --profile sso and paste in the appropriate start url and grant code.
  4. run aws sso login
  5. run AWS_PROFILE=sso AWS_REGION=us-west-2 copilot app init

The initialization completed successfully for me. Is there a chance that the sso session lifespan is set to a low number and the credential was expired? I'm not sure what would be different between our setups. Perhaps the administratoraccess role, but that wouldn't explain an expired session token error.

@normand1

normand1 commented Jun 9, 2023

I think I'm running into this same issue. AWS SSO was working fine for me yesterday until I upgraded Copilot and the AWS CLI. Here are my current versions:
copilot version: v1.28.0
aws-cli/2.11.26 Python/3.11.3 Darwin/22.5.0 exe/x86_64 prompt/off

I can use the aws CLI fine still to access services, but I always get this error from copilot no matter how many times I aws sso login or clear my cache at ~/.aws/sso/

✘ default session: SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open /Users/davidnorman/.aws/sso/cache/9250a2bf6649af30d49c2228ba32e5645493fff3.json: no such file or directory

@bvtujo
Contributor

bvtujo commented Jun 9, 2023

Here's the SSO setup that worked for me with v1.28.0

[profile sso]
sso_start_url = https://d-XXXXXXXX.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 8XXXXXXXXXX1
sso_role_name = AdministratorAccess
region = us-west-2
output = json

I've been prefixing my copilot commands with AWS_PROFILE=sso but it shouldn't matter how you set the profile for the SDK to grab it. I wonder if there's a problem in the newest SDK which is causing this. I'll look into it.

@normand1

normand1 commented Jun 9, 2023

Thanks! I'll give that a shot today

@normand1

normand1 commented Jun 9, 2023

Still no luck for me, I can generate new SSO Tokens fine, but Copilot seems to only want to use this file that doesn't exist any more...

$ copilot svc ls                 
✘ default session: SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open /Users/davidnorman/.aws/sso/cache/9250a2bf6649af30d49c2228ba32e5645493fff3.json: no such file or directory
ls -a '/Users/davidnorman/.aws/sso/cache'
.                                             68509bf6d0a782443e95ebad5f8ad29af6db4468.json
..                                            d22881f3f2df783d73dd2d20fee99f3b3e2cda32.json

@bvtujo
Contributor

bvtujo commented Jun 9, 2023

Hmm, this is quite annoying. It worked for me with aws-cli version aws-cli/2.11.26 Python/3.11.3 Darwin/21.6.0 exe/x86_64 prompt/off from the latest installer today. I ran into the invalid cache problem after running sso logout and attempting to run a Copilot command, but it was resolved for me by doing aws sso login and then re-running the copilot command.

@bvtujo
Contributor

bvtujo commented Jun 9, 2023

❯ AWS_PROFILE=sso aws sso logout
❯ AWS_PROFILE=sso AWS_REGION=eu-central-1 copilot app ls
✘ default session: SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open /Users/austiely/.aws/sso/cache/a1e827e07513a513385d3f7842bb586168902311.json: no such file or directory
❯ AWS_PROFILE=sso AWS_REGION=eu-central-1 aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-central-1.amazonaws.com/

Then enter the code:

XXXX-XXXX
Successfully logged into Start URL: https://d-XXXXXXXXXX.awsapps.com/start
❯ AWS_PROFILE=sso AWS_REGION=eu-central-1 copilot app ls
copilot-playground
sso

@bvtujo
Contributor

bvtujo commented Jun 9, 2023

@DewaldDeJager @normand1 You might also be getting hit by this confusion with new vs old SSO sessions, summarized in this reddit post.

Basically you may have to configure a "legacy" SSO profile since Copilot is still using the aws-sdk-go v1, which doesn't support new-style SSO sessions yet. That may be what's happening here.

related to #4359
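The "legacy" versus new-style distinction above comes down to two things: where the SSO settings live in ~/.aws/config (inline in the profile, or in a separate [sso-session] block referenced by sso_session), and how the cached token file under ~/.aws/sso/cache is named. The AWS CLI and SDKs name that file by the SHA-1 of the start URL for a legacy profile and by the SHA-1 of the session name for an sso-session profile, so a client that only knows the legacy scheme computes a filename the CLI never wrote and fails with "no such file or directory". The following Go program is an added example, not Copilot's or the AWS SDK's code: it parses a constructed config modelled on the profile in this issue (placeholder account id and start URL), rewrites the sso-session profile into the legacy inline form bvtujo describes, and prints both candidate cache filenames so you can check which one actually exists on disk. ParseAWSConfig, LegacyProfile and CacheFileName are names chosen for this example.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample ~/.aws/config in the new sso-session style, modelled on
// the profile in the issue. The account id and start URL are placeholders.
const sampleConfig = `
[profile sandbox]
sso_session = example
sso_account_id = 111122223333
sso_role_name = AdministratorAccess
region = af-south-1

[sso-session example]
sso_region = af-south-1
sso_start_url = https://xxxx.awsapps.com/start
`

// ParseAWSConfig is a minimal parser for the INI-like config format:
// "[profile x]" / "[sso-session y]" headers and "key = value" lines.
// Indented sub-keys (used by some non-SSO settings) are not handled.
func ParseAWSConfig(text string) map[string]map[string]string {
	sections := map[string]map[string]string{}
	var cur map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			sections[strings.TrimSpace(line[1:len(line)-1])] = cur
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || cur == nil {
			continue
		}
		cur[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return sections
}

// LegacyProfile rewrites the named profile into the "legacy" form an SDK
// without sso-session support expects: sso_start_url and sso_region inline,
// no sso_session key. A profile already in legacy form is returned unchanged.
func LegacyProfile(sections map[string]map[string]string, profile string) (map[string]string, error) {
	p, ok := sections["profile "+profile]
	if !ok {
		return nil, fmt.Errorf("profile %q not found", profile)
	}
	out := map[string]string{}
	for k, v := range p {
		if k != "sso_session" {
			out[k] = v
		}
	}
	if sess, ok := p["sso_session"]; ok {
		s, ok := sections["sso-session "+sess]
		if !ok {
			return nil, fmt.Errorf("profile %q references unknown sso-session %q", profile, sess)
		}
		for _, k := range []string{"sso_start_url", "sso_region"} {
			if out[k] == "" {
				out[k] = s[k]
			}
		}
	}
	for _, k := range []string{"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"} {
		if out[k] == "" {
			return nil, fmt.Errorf("profile %q is missing %s", profile, k)
		}
	}
	return out, nil
}

// CacheFileName reproduces the ~/.aws/sso/cache/<sha1>.json naming used by the
// AWS CLI and SDKs: legacy profiles hash the start URL, sso-session profiles
// hash the session name. Hashing the wrong input yields a filename that was
// never written, which surfaces as "no such file or directory".
func CacheFileName(startURLOrSessionName string) string {
	sum := sha1.Sum([]byte(startURLOrSessionName))
	return hex.EncodeToString(sum[:]) + ".json"
}

func main() {
	cfg := ParseAWSConfig(sampleConfig)
	legacy, err := LegacyProfile(cfg, "sandbox")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("[profile sandbox]")
	for _, k := range []string{"sso_start_url", "sso_region", "sso_account_id", "sso_role_name", "region"} {
		fmt.Printf("%s = %s\n", k, legacy[k])
	}
	fmt.Println("legacy cache file:     ", CacheFileName(legacy["sso_start_url"]))
	fmt.Println("sso-session cache file:", CacheFileName("example"))
}
```

Run it with go run against the constructed config; to use it on your own machine, read ~/.aws/config in place of sampleConfig and compare the two printed filenames against ls ~/.aws/sso/cache. If only the session-name file exists and the tool you are running still expects the legacy layout, the inline profile it prints is the workaround described above.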

@normand1

normand1 commented Jun 9, 2023

Looks like my issue has been resolved at least, might have just needed for something in the cache to expire. I definitely haven't done anything I would have expected to fix it, but it's working now.
Thanks for the suggestion for the legacy sso profile setup. Definitely keeping that in my bookmarks if this happens again!

@dannyrandall
Contributor

Closing as aws-sdk-go v1 recently updated to support the new SSO sessions, and was released in Copilot v1.29. Let us know if there are still any issues!
