Question 95315 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

boto3 SSO token expired earlier than AWSCLI – Amazon web services

I am facing an issue where my SSO expired earlier when I tried to create a session programmatically using boto3 but NOT my awscli.

python version: 3.8.12
boto3 version: 1.21.46
awscli version: aws-cli/2.4.27 Python/3.8.8 Darwin/21.6.0 exe/x86_64 prompt/off

Sample boto3 code (boto3-test.py)

import boto3

session = boto3.Session(profile_name='RoleA')
sts = session.client('sts')
print(sts.get_caller_identity())

Steps to reproduce:

  • aws sso login --profile RoleA
  • aws sts get-caller-identity --profile RoleA (SUCCESS)
  • python boto3-test.py. (SUCCESS)
  • WAIT AFTER 1 HOUR ……
  • aws sts get-caller-identity --profile RoleA (SUCCESS)
  • python boto3-test.py (FAIL)

I have check ~/.aws/sso/cache and ~/.aws/cli/cache the expiresAt and Expiration in both cache file is still valid. I am expecting boto3 to discover the token cache the same way as the awscli, but it seems not. Any clue why both are not in sync ?

Error from boto3-test.py

Traceback (most recent call last):                                                                                                                    
  File "/Users/tester/venv/lib/python3.8/site-packages/botocore/credentials.py", line 2056, in _get_credentials                                
    response = client.get_role_credentials(**kwargs)                                                                                                  
  File "/Users/tester/venv/lib/python3.8/site-packages/botocore/client.py", line 415, in _api_call                                             
    return self._make_api_call(operation_name, kwargs)                                                                                                
  File "/Users/tester/venv/lib/python3.8/site-packages/botocore/client.py", line 745, in _make_api_call                                        
    raise error_class(parsed_response, operation_name)                                                                                                
botocore.errorfactory.UnauthorizedException: An error occurred (UnauthorizedException) when calling the GetRoleCredentials operation: Session token no
t found or invalid                                                                                                                                    
                                                                                                                                                      
During handling of the above exception, another exception occurred:                                                                                   
                                                                                                                                                      
Traceback (most recent call last):                                                                                                                    
  File "<stdin>", line 1, in <module>                                                                                                                 
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/client.py", line 415, in _api_call                                             
    return self._make_api_call(operation_name, kwargs)                                                                                                
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/client.py", line 731, in _make_api_call                                        
    http, parsed_response = self._make_request(                                                                                                       
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/client.py", line 751, in _make_request                                         
    return self._endpoint.make_request(operation_model, request_dict)                                                                                 
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/endpoint.py", line 107, in make_request                                        
    return self._send_request(request_dict, operation_model)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/endpoint.py", line 180, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/endpoint.py", line 120, in create_request
    self._event_emitter.emit(event_name, request=request,
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/hooks.py", line 358, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/hooks.py", line 229, in emit
    return self._emit(event_name, kwargs)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/hooks.py", line 212, in _emit
    response = handler(**kwargs)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/signers.py", line 95, in handler
    return self.sign(operation_name, request)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/signers.py", line 159, in sign
    auth = self.get_auth_instance(**kwargs)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/signers.py", line 239, in get_auth_instance
    frozen_credentials = self._credentials.get_frozen_credentials()
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/credentials.py", line 632, in get_frozen_credentials
    self._refresh()
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/credentials.py", line 527, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/credentials.py", line 543, in _protected_refresh
    metadata = self._refresh_using()
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/credentials.py", line 684, in fetch_credentials
    return self._get_cached_credentials()
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/credentials.py", line 694, in _get_cached_credentials
    response = self._get_credentials()
  File "/Users/tesster/venv/lib/python3.8/site-packages/botocore/credentials.py", line 2058, in _get_credentials
    raise UnauthorizedSSOTokenError()
botocore.exceptions.UnauthorizedSSOTokenError: The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.
Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    To all, not sure what the issue is, but I resolve it by removing ~/.aws/sso and ~/.aws/cli entirely and letting it recreate again. I have also upgraded boto3 to version 1.24.90.

    Things just work by themselves after that.


  2. 0

    From time to time the command aws sso login does not renew the sso session.
    I think it’s a bug in the aws cli.

    Workaround
    You can force a renewal by logging out of your AWS console browser session and sign in again.

    1. In your browser go to your aws sso login page
    2. On the top right click Sign out
    3. Then click the Sign in button
    4. execute the command aws sso login to get a new session

    Everything should be fine now.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search