Valid SSO credentials aren't accepted by client #2934

Open
micah-press opened this issue Mar 1, 2023 · 7 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue


@micah-press

Describe the bug

I'm attempting to use the v1 and v2 Java AWS SDKs side by side. I'd like to support loading SSO credentials and use them to initialize v1 client objects. When I try to do this with a client (S3 in this case), I get an exception:

com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: <omitted>; S3 Extended Request ID: <omitted>; Proxy: null), S3 Extended Request ID: <omitted>

However, if I set up a profile using the Access Key, Secret Key, and Session Token generated from the SSO credentials, I'm able to authenticate successfully through the AWS CLI.

Expected Behavior

If I can generate a valid Access Key and Secret Key from a set of credentials, I should be able to initialize a client and make calls with it.

Current Behavior

The client rejects the Access Key ID, saying it doesn't exist on the backend.

Reproduction Steps

I've got an SSCCE at https://github.com/micah-press/aws-sdk-sscce.

Possible Solution

No response

Additional Information/Context

I wrote some shims/wrappers to implement the v1 credentials and providers interfaces using v2 objects. They're contained in the repo linked above.

AWS Java SDK version used

1.12.332 and 2.20.12

JDK version used

openjdk version "11.0.18" 2023-01-17

Operating System and version

Ubuntu 20.04.5 LTS

@micah-press micah-press added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 1, 2023
@debora-ito
Member

Hi @micah-press sorry for the delay in response.

Are the SSO credentials set in the default profile? If it is, it's indeed weird that V2ProfileCredentialsProvider is not picking them up.

Can you show the format of your sso credentials in your profile file? Please redact the real values, I'm only interested in the attribute names to see if I can recreate them for my local tests.

@debora-ito debora-ito added response-requested Waiting on additional info or feedback. Will move to "closing-soon" in 5 days. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 5, 2023
@debora-ito debora-ito self-assigned this Apr 5, 2023
@debora-ito debora-ito added the p2 This is a standard priority issue label Apr 5, 2023
@micah-press
Author

> Are the SSO credentials set in the default profile? If it is, it's indeed weird that V2ProfileCredentialsProvider is not picking them up.

Yep, I've been running aws sso login using the default profile to generate credentials.

> Can you show the format of your sso credentials in your profile file? Please redact the real values, I'm only interested in the attribute names to see if I can recreate them for my local tests.

Do you mean my config file or my SSO credentials cache file?

@debora-ito
Member

The config file.

@github-actions github-actions bot removed the response-requested Waiting on additional info or feedback. Will move to "closing-soon" in 5 days. label Apr 6, 2023
@debora-ito debora-ito added the response-requested Waiting on additional info or feedback. Will move to "closing-soon" in 5 days. label Apr 7, 2023
@micah-press
Author

> The config file.

All our profiles look like this:

[<profile name>]
region = ...
output = ...
sso_start_url = ...
sso_region = ...
sso_account_id = ...
sso_role_name = ...

@github-actions github-actions bot removed the response-requested Waiting on additional info or feedback. Will move to "closing-soon" in 5 days. label Apr 11, 2023
@micah-press
Author

Any other information I can provide?

@munusamyminnelperumal-rfk

Please keep us posted if anyone found a workaround or solution to this.

@micah-press
Author

Is there anything else I can help with?
