AWS SDK is unable to fetch AWS credentials from AWS IAM Identity Center if the Identity Center access token for an SSO session expiry time is between 5 and 15 minutes from now

[sjakthol]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

When using AWS IAM Identity Center based profile with the sso_session option, aws-sdk-js-v3 fails to resolve AWS credentials if the AWS IAM Identity Center SSO session access token expires between 5 and 15 minutes from now.

SDK version number

@aws-sdk/credential-provider-sso@3.347.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v18.16.0

Reproduction Steps

1. Create file called config with following content (fill in your AWS IAM Identity Center details):

[sso-session mysso]
sso_start_url = https://mysso.awsapps.com/start
sso_region = eu-west-1

[profile profile-1]
sso_session = mysso
sso_account_id = 000000000000
sso_role_name = MyRole

2. Login to AWS IAM Identity Center: aws sso login --session-name mysso
3. Create file called index.js with following content:

import {GetCallerIdentityCommand, STSClient} from "@aws-sdk/client-sts"

const client = new STSClient({});
const cmd = new GetCallerIdentityCommand({})
console.log(await client.send(cmd))

4. Execute following command in a loop for 1 hour (seems to be the expiry time for AWS IAM Identity Center tokens)

env AWS_CONFIG_FILE=./config AWS_REGION=eu-west-1 AWS_PROFILE=profile-1 node index.js

Alternatively, you may manually set the expiresAt field value to ~15 minutes from now in token cache files in ~/.aws/sso/cache/ folder to simulate a token that is about to expire in 15 minutes from now without having to wait full hour to get there.

Observed Behavior

When AWS IAM Identity Center access token expiry time is > 15 minutes from now, AWS SDK is able to fetch AWS credentials from AWS IAM Identity Center with the valid access token.

When AWS IAM Identity Center access token expiry time is < 15 minutes but > 5 minutes from now, AWS SDK rejects the access token as expired and prompts the user to refresh it manually (all AWS API calls fail during this time):

/sdkbug/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/resolveSSOCredentials.js:34
        throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
              ^

CredentialsProviderError: The SSO session associated with this profile has expired. To refresh this SSO session run aws sso login with the corresponding profile.
    at resolveSSOCredentials (/sdkbug/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/resolveSSOCredentials.js:34:15)
    at async coalesceProvider (/sdkbug/node_modules/@aws-sdk/property-provider/dist-cjs/memoize.js:14:24)
    at async SignatureV4.credentialProvider (/sdkbug/node_modules/@aws-sdk/property-provider/dist-cjs/memoize.js:33:24)
    at async SignatureV4.signRequest (/sdkbug/node_modules/@aws-sdk/signature-v4/dist-cjs/SignatureV4.js:87:29)
    at async /sdkbug/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:16:18
    at async /sdkbug/node_modules/@aws-sdk/middleware-retry/dist-cjs/retryMiddleware.js:27:46
    at async /sdkbug/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26
    at async file:///sdkbug/index.js:5:13 {
  tryNextLink: false,
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
}

When AWS IAM Identity Center access token expiry time is < 5 minutes from now, AWS SDK automatically refreshes the token and is able to fetch AWS credentials again using the new token.

Expected Behavior

AWS SDK either accepts the token until it hits the 5 minute mark or refreshes the token automatically already at the 15 minute mark without user intervention.

Possible Solution

Reason for the issue is that the AWS IAM Identity Center token-providers package considers tokens with > 5 minute lifetime as valid and only refreshes them at the 5 minute mark:

aws-sdk-js-v3/packages/token-providers/src/fromSso.ts

Lines 84 to 87 in 7529755

	if (existingToken.expiration!.getTime() - Date.now() > EXPIRE_WINDOW_MS) {
	// Token is valid and not expired.
	return existingToken;
	}

aws-sdk-js-v3/packages/token-providers/src/constants.ts

Line 7 in 7529755

export const EXPIRE_WINDOW_MS = 5 * 60 * 1000;

However, the user of these tokens, the credential-provider-sso package, rejects AWS IAM Identity Center access token if its lifetime is < 15 minutes:

aws-sdk-js-v3/packages/credential-provider-sso/src/resolveSSOCredentials.ts

Lines 55 to 60 in 7529755

	if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {
	throw new CredentialsProviderError(
	`The SSO session associated with this profile has expired. ${refreshMessage}`,
	SHOULD_FAIL_CREDENTIAL_CHAIN
	);
	}

aws-sdk-js-v3/packages/credential-provider-sso/src/resolveSSOCredentials.ts

Lines 9 to 15 in 7529755

	/**
	* The time window (15 mins) that SDK will treat the SSO token expires in before the defined expiration date in token.
	* This is needed because server side may have invalidated the token before the defined expiration date.
	*
	* @internal
	*/
	const EXPIRE_WINDOW_MS = 15 * 60 * 1000;

Hence, if token is set to expire between 5 and 15 minutes from now, token-providers package considers the tokens to be valid while the credential-provider-sso package considers the tokens to be expired.

Additional Information/Context

No response

[sjakthol]

Proposed a potential fix to this issue at #4812

[spoco2]

Just to confirm that any fix for these issues will also fix the issue where it seems aws-cdk doesn't engage the token refreshing at all? Because aws/aws-cdk#24782 has been said to be tracked by the changes on ☝️. And so I hope that carries over to this too!

[sjakthol]

It's not entirely clear if this is the issue that causes the CDK issue you linked to. Currently CDK uses both SDK v2 and v3 internally and I'm not sure which SDK is used for the credential resolution over there.

However, it's very likely that the CDK problem is caused by either this or aws/aws-sdk-js#4441 depending on which SDK version is used there. I guess we'll see that when fix to this and aws/aws-sdk-js#4441 is merged and released, and CDK is updated to take newer version of SDKs into use.

[kellertk]

This was fixed in the Java SDK by simply removing the 15 minute expiration check from the SSO credential provider: aws/aws-sdk-java-v2#4157. Possibly this is safe to do here as well?

Pull created in #5124, but I will discuss further with the team.

[kellertk]

@sjakthol created a pull as well that addresses this a little differently, in #4812

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.