ProfileCredentialsProvider: SSO "expiresAt" date format mismatch
Describe the bug
I started using the functionality provided from this https://github.com/aws/aws-sdk-java-v2/pull/2118. The SSO profile is unusable due to a date parsing exception.
Expected Behavior
The SSO profile should work successfully.
Current Behavior
The profile is found but the expiresAt timestamp fails to parse due to an inconsistency between the time format the AWS CLI writes to the SSO cache file and what that original PR expects (an ISO date).
sample code:
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
public class Main {
    public static void main(String[] args) {
        System.out.println(ProfileCredentialsProvider.builder().profileName("okta").build().resolveCredentials());
    }
}
gets exception:
Exception in thread "main" software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=okta, profileFile=ProfileFile(profiles=[Profile(name=default, properties=[region, cloudfront, aws_access_key_id, aws_secret_access_key]), Profile(name=okta, properties=[output, sso_region, sso_start_url, sso_role_name, region, sso_account_id])])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=okta, profileFile=ProfileFile(profiles=[Profile(name=default, properties=[region, cloudfront, aws_access_key_id, aws_secret_access_key]), Profile(name=okta, properties=[output, sso_region, sso_start_url, sso_role_name, region, sso_account_id])])): Text '2020-12-08T03:47:42UTC' could not be parsed at index 19, ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Unable to load credentials from service endpoint.]
at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:98)
at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:112)
at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:104)
.....
The relevant failure is: Text '2020-12-08T03:47:42UTC' could not be parsed at index 19.
Upon inspecting the SSO cache in ~/.aws/sso/cache/XXXXXXXXXXXXXXXXXXXXXXXXXXXX.json that does contain "expiresAt": "2020-12-08T03:47:42UTC".
Looking at the feature’s PR it appears to expect expiresAt to look like 2090-01-01T00:00:00Z
Steps to Reproduce
- Create a named SSO profile. I used okta as the name in my example.
- Use the aws cli to login to sso: aws sso login --profile okta
- Run the Java snippet above which should have that exception.
- Check ~/.aws/sso/cache/*.json which should have an expiresAt date ending with UTC rather than an ISO datetime.
Possible Solution
- The CLI could be patched to emit the proper date format. A quick search of the aws-cli github repo does not show expiresAt, which means it could be coming from an API response prior to being saved to the cached json file. In that case, I suppose the actual AWS API itself could be patched.
- This library could be patched to accept the non-ISO date format: https://github.com/aws/aws-sdk-java-v2/pull/2118/files#diff-a9b47d2dc2bcf8eeb473a9fe78739b970054a2dd0b04e729b0265a047d195571R68. If you want to do this, I can attempt to send off a PR if this is the route the maintainers wish to take.
Context
I want to use the cli to do SSO, and then be able to refer to the profile when I run my application locally.
Your Environment
- AWS Java SDK version used: 2.15.40
- JDK version used: 11
- Operating System and version: MacOS 10.15.6
- AWS CLI versioning: output of aws --version is aws-cli/2.1.7 Python/3.9.0 Darwin/19.6.0 source/x86_64 prompt/off
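The second option under Possible Solution, sketched as an added example (not the SDK's code and not the fix that was eventually shipped; the class and method names are hypothetical): a parser that accepts both timestamp forms quoted in the report and treats any other value as an expired token rather than a usable one.

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

public class SsoExpiryParser {
    // Form found in the cache file in this report: date-time followed by the literal text "UTC".
    private static final DateTimeFormatter LEGACY_UTC =
            DateTimeFormatter.ofPattern("uuuu-MM-dd'T'HH:mm:ss'UTC'");

    // Try the ISO-8601 instant first, then fall back to the legacy "...UTC" form.
    static Instant parseExpiresAt(String value) {
        try {
            return Instant.parse(value);
        } catch (DateTimeParseException notIso) {
            return LocalDateTime.parse(value, LEGACY_UTC).toInstant(ZoneOffset.UTC);
        }
    }

    // Fail closed: a missing or unparseable expiry never counts as a valid token.
    static boolean isUsable(String expiresAt, Instant now) {
        if (expiresAt == null) {
            return false;
        }
        try {
            return parseExpiresAt(expiresAt).isAfter(now);
        } catch (DateTimeParseException unparseable) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed reference time and inputs; the first two values are the ones quoted in the issue.
        Instant now = Instant.parse("2020-12-07T20:00:00Z");
        String[] samples = {
            "2020-12-08T03:47:42UTC",   // CLI cache format from the report
            "2090-01-01T00:00:00Z",     // ISO format the SDK expected
            "2020-12-08 03:47:42",      // constructed: neither form
            "2020-12-07T03:47:42UTC"    // constructed: legacy form, already past
        };
        for (String s : samples) {
            System.out.println(s + " usable=" + isUsable(s, now));
        }
    }
}
```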
@yuzawa-san yes, I was going to check the status of the fix in the CLI, thank you for the follow up.
For anyone who stumbled upon this issue: upgrade the cli to the latest version, the timestamp error should be fixed.