SSO Token Refresh Error using AWS plugin #469

Open
lwheeloc opened this issue Jan 21, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@lwheeloc

lwheeloc commented Jan 21, 2025

Describe the bug

Error: aws_production: operation error STS: GetCallerIdentity, get identity: get credentials: failed to refresh cached credentials, 
refresh cached SSO token failed, unable to refresh SSO token, operation error SSO OIDC: CreateToken, 
https response error StatusCode: 400, RequestID: 06215636-0fb1-4274-8a2c-3c15cf2ea18a, InvalidGrantException:  (SQLSTATE HV000)

When querying a profile that uses SSO authentication, the above error is generated. If the authentication type is changed to access keys, the query is successful.

There are no errors when using the AWS CLI to fetch requests such as aws sts get-caller-identity --profile aws_production which successfully returns the user identity, account, and arn.

Steampipe version (steampipe -v)
v1.0.1 & v1.0.2

Plugin version (steampipe plugin list)
aws@latest 1.5.0
steampipe@latest 1.0.0

To reproduce

It does not matter if there is a default credential or if you specify the profile. Either way the same error is returned whenever using an SSO login profile.

~> aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://<orgstart>.awsapps.com/start/#/device

Then enter the code:

ZXXX-XXXX
Successfully logged into Start URL: https://<org>.awsapps.com/start/#

Followed by:

~> steampipe query "select organization_id from aws_account;"

Error: aws_production: operation error STS: GetCallerIdentity, get identity: get credentials: failed to refresh cached credentials, refresh cached SSO token failed, unable to refresh SSO token, operation error SSO OIDC: CreateToken, https response error StatusCode: 400, RequestID: a540a15e-****-****-****-05794afc4041, InvalidGrantException:  (SQLSTATE HV000)

+-----------------+
| organization_id |
+-----------------+
+-----------------+

Additional context

aws.spc

connection "aws_production" {
  plugin = "aws"
  profile = "aws_production"
  regions=["us-west-2"]
}

*** credentials ***

[MySSO]
sso_start_url = https://<org>.awsapps.com/start/#
sso_account_id = **********983
sso_region = us-west-2
sso_role_name = Audit_ReadOnly
sso_registration_scopes = sso:account:access

[aws_production]
sso_session = MySSO
sso_role_name = Audit_ReadOnly
sso_account_id = *********324
region = us-west-2

@lwheeloc lwheeloc added the bug Something isn't working label Jan 21, 2025
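The error above comes from the SDK's attempt to renew an SSO access token from the local token cache: the cached refresh token is sent to the SSO OIDC CreateToken operation and rejected with InvalidGrantException. A quick way to see whether the cache the plugin reads is actually usable is to inspect the cached entries for expiry and refresh material without printing any secrets. The following is an added diagnostic, not Steampipe's or the AWS SDK's code. It assumes the AWS CLI v2 layout: cache files live under ~/.aws/sso/cache/ as <sha1>.json, where the hash input is the sso_session name (for sso-session profiles such as MySSO) or the sso_start_url (legacy profiles), and each token entry carries accessToken, expiresAt (ISO 8601 UTC) and, when a silent refresh is possible, refreshToken, clientId, clientSecret and registrationExpiresAt. The sample entries at the bottom are constructed for an offline run.

```python
"""Inspect AWS SSO token cache entries and classify them (added example).

Assumptions (not taken from the issue):
- cache files: ~/.aws/sso/cache/<sha1(session name or start URL)>.json
- token entry keys: accessToken, expiresAt, refreshToken, clientId,
  clientSecret, registrationExpiresAt, startUrl, region
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def cache_file_name(key: str) -> str:
    """File name the CLI uses for a session name or start URL (assumed SHA-1 scheme)."""
    return hashlib.sha1(key.encode("utf-8")).hexdigest() + ".json"


def _parse_ts(value: str) -> datetime:
    # Timestamps are written like 2025-01-21T20:15:00Z or with an explicit +00:00 offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def token_status(entry: dict, now: datetime) -> dict:
    """Classify one cache entry.

    valid       - access token has not expired
    refreshable - access token expired, but refresh token and a live client
                  registration are present, so the SDK can call CreateToken
    dead        - nothing left to refresh with; a new `aws sso login` is needed
    """
    expires = _parse_ts(entry["expiresAt"])
    access_valid = expires > now
    reg = entry.get("registrationExpiresAt")
    registration_valid = bool(reg) and _parse_ts(reg) > now
    refreshable = (
        bool(entry.get("refreshToken"))
        and bool(entry.get("clientId"))
        and bool(entry.get("clientSecret"))
        and registration_valid
    )
    if access_valid:
        state = "valid"
    elif refreshable:
        state = "refreshable"
    else:
        state = "dead"
    return {
        "state": state,
        "seconds_left": int((expires - now).total_seconds()),
        "refreshable": refreshable,
        "start_url": entry.get("startUrl"),  # no token material is reported
    }


def inspect_cache(cache_dir: Path, now: Optional[datetime] = None) -> list:
    """Report every token entry in a cache directory; secrets are never echoed."""
    now = now or datetime.now(timezone.utc)
    report = []
    for path in sorted(cache_dir.glob("*.json")):
        try:
            entry = json.loads(path.read_text())
        except (OSError, json.JSONDecodeError):
            report.append({"file": path.name, "state": "unreadable"})
            continue
        if "accessToken" not in entry:
            # Files without an access token are client registrations, not tokens.
            continue
        report.append({"file": path.name, **token_status(entry, now)})
    return report


# Constructed sample entries (placeholder values, not real tokens) for an offline run.
_NOW = datetime(2025, 1, 21, 18, 0, tzinfo=timezone.utc)
SAMPLE_VALID = {
    "startUrl": "https://example.awsapps.com/start/#",
    "region": "us-west-2",
    "accessToken": "PLACEHOLDER",
    "expiresAt": "2025-01-21T20:00:00Z",
    "clientId": "PLACEHOLDER",
    "clientSecret": "PLACEHOLDER",
    "registrationExpiresAt": "2025-04-21T18:00:00Z",
    "refreshToken": "PLACEHOLDER",
}
SAMPLE_REFRESHABLE = dict(SAMPLE_VALID, expiresAt="2025-01-21T17:00:00Z")
SAMPLE_DEAD = {k: v for k, v in SAMPLE_REFRESHABLE.items() if k != "refreshToken"}

if __name__ == "__main__":
    for name, entry in [("valid", SAMPLE_VALID),
                        ("refreshable", SAMPLE_REFRESHABLE),
                        ("dead", SAMPLE_DEAD)]:
        print(name, token_status(entry, _NOW))
    print("expected file for session MySSO:", cache_file_name("MySSO"))
    # On a real workstation: inspect_cache(Path.home() / ".aws" / "sso" / "cache")
```

When the CLI reports a successful login but a client library still fails with InvalidGrantException on CreateToken, comparing the file name the library would look for (cache_file_name of the session name versus of the start URL) with what actually exists in the cache directory, and checking that the entry it finds is "valid" or "refreshable", narrows the problem to either a cache-lookup mismatch or a refresh token the identity provider no longer accepts.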