
[v2] Role chaining with AWS SSO does not cache intermediate credentials #6965

Open
@nmiekley

Description


Describe the bug

  • We use aws sso login to authenticate for role A and then assume role B.
  • We work with role A and role B.
  • After some time, we have to re-login to use role B, while we can still use role A.

Expected Behavior

We only have to re-login with AWS SSO after the session with role A is expired.

Current Behavior

  • We log in using aws sso login --profile roleA. The access token for AWS SSO is stored in ~/.aws/sso/cache/RANDOM.json.
  • When we work with role A or role B, the corresponding access keys are obtained and stored in ~/.aws/cli/cache/RANDOM.json.
  • After the access keys for role B expire, the aws-cli seems to retrieve new credentials using the access token.
  • If the access token is expired, we cannot obtain new access keys for role B, even if the access keys for role A are still valid. The following error is thrown:
Error loading SSO Token: The SSO access token has either expired or is otherwise invalid.

This seems to imply that the aws-cli tries to retrieve new credentials using the access token instead of using the ones cached for role A.

Reproduction Steps

  • configure the AWS roles as shown below
  • fake an expired access token by deleting it (~/.aws/sso/cache/RANDOM.json)

~/.aws/config

[profile roleA]
sso_start_url=https://xxxxx.awsapps.com/start
sso_region=eu-central-1
region=eu-central-1
sso_account_id=123456789
# sso_role_name takes the permission set (role) name, not a role ARN
sso_role_name=RoleA

[profile roleB]
source_profile=roleA
role_arn=arn:aws:iam::123456789:role/RoleB

Possible Solution

  • The aws-cli caches the credentials for the intermediate role A if role B is used, even if one does not work with role A directly.
  • The assume-role operation uses these cached credentials.

Additional Information/Context

By default, the access token is valid for 8h. However, if you use an external IdP in AWS SSO, your IdP determines how long it is valid, which might be much shorter. Therefore, solving #6948 would not solve the problem completely.

CLI version used

aws-cli/2.6.3 Python/3.9.11 Linux/5.13.0-41-generic exe/x86_64.ubuntu.20

Environment details (OS name and version, etc.)

Ubuntu
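To make the reported behaviour and the proposed fix concrete, the following is an added simulation of the SSO -> assume-role credential chain as the issue describes it. It is example code written for this page, not aws-cli or botocore source: the class names, the in-memory stand-ins for ~/.aws/sso/cache and ~/.aws/cli/cache, and the session lifetimes (a 30-minute IdP-issued SSO token, an 8-hour role A session, the 1-hour cap that role chaining imposes on role B) are constructed for the demonstration. With cache_intermediate=False the role B refresh at t=3700s fails with the issue's error even though role A's credentials are good until t=28800s; with cache_intermediate=True the refresh is served from the cached role A credentials and the SSO token is never touched again.

```python
"""Model of the aws-cli SSO -> assume-role chain (added example, not aws-cli code).
Times are seconds on an arbitrary clock; all sessions and expiries are constructed."""
from dataclasses import dataclass


class SsoTokenExpired(Exception):
    pass


@dataclass
class Credentials:
    role_arn: str
    access_key_id: str
    expires_at: float  # absolute time on the same clock as `now`

    def valid_at(self, now: float) -> bool:
        return now < self.expires_at


class SsoTokenCache:
    """Stand-in for ~/.aws/sso/cache/<hash>.json: one access token with an expiry."""
    def __init__(self, expires_at: float):
        self.expires_at = expires_at

    def load(self, now: float) -> str:
        if now >= self.expires_at:
            raise SsoTokenExpired("Error loading SSO Token: The SSO access token "
                                  "has either expired or is otherwise invalid.")
        return "sso-access-token"  # hypothetical token value


class CredentialCache:
    """Stand-in for ~/.aws/cli/cache/<hash>.json, keyed by role ARN."""
    def __init__(self):
        self._entries: dict[str, Credentials] = {}

    def get(self, role_arn: str, now: float):
        creds = self._entries.get(role_arn)
        return creds if creds is not None and creds.valid_at(now) else None

    def put(self, creds: Credentials) -> None:
        self._entries[creds.role_arn] = creds


class SsoCredentialProvider:
    """Resolves the SSO profile (role A) with the access token (GetRoleCredentials)."""
    SESSION_SECONDS = 8 * 3600.0  # constructed permission-set session length

    def __init__(self, token_cache: SsoTokenCache, role_arn: str):
        self.token_cache, self.role_arn, self.calls = token_cache, role_arn, 0

    def load(self, now: float) -> Credentials:
        self.token_cache.load(now)  # raises once the SSO token is gone
        self.calls += 1
        return Credentials(self.role_arn, f"ASIA-A-{self.calls}", now + self.SESSION_SECONDS)


class AssumeRoleProvider:
    """Resolves a profile with source_profile + role_arn (role B) via sts:AssumeRole."""
    CHAINED_SESSION_SECONDS = 3600.0  # role chaining caps the session at one hour

    def __init__(self, source, role_arn, cache, cache_intermediate):
        self.source, self.role_arn = source, role_arn
        self.cache, self.cache_intermediate = cache, cache_intermediate

    def _source_credentials(self, now: float) -> Credentials:
        # Proposed fix: reuse still-valid role A credentials before asking SSO again.
        if self.cache_intermediate:
            cached = self.cache.get(self.source.role_arn, now)
            if cached is not None:
                return cached
        creds = self.source.load(now)  # current behaviour: always needs the SSO token
        if self.cache_intermediate:
            self.cache.put(creds)
        return creds

    def load(self, now: float) -> Credentials:
        cached = self.cache.get(self.role_arn, now)
        if cached is not None:
            return cached
        source = self._source_credentials(now)
        expires = min(now + self.CHAINED_SESSION_SECONDS, source.expires_at)
        creds = Credentials(self.role_arn, f"ASIA-B-from-{source.access_key_id}", expires)
        self.cache.put(creds)
        return creds


def run_scenario(cache_intermediate: bool) -> dict:
    """Use role B at t=0, then again at t=3700 after both role B and the SSO token expired."""
    token = SsoTokenCache(expires_at=1800.0)  # short, IdP-determined token lifetime
    role_a = SsoCredentialProvider(token, "arn:aws:iam::123456789:role/RoleA")
    role_b = AssumeRoleProvider(role_a, "arn:aws:iam::123456789:role/RoleB",
                                CredentialCache(), cache_intermediate)
    result = {"first_key": role_b.load(0.0).access_key_id, "refreshed_key": None,
              "refresh_error": None}
    try:
        result["refreshed_key"] = role_b.load(3700.0).access_key_id
    except SsoTokenExpired as exc:
        result["refresh_error"] = str(exc)
    result["sso_calls"] = role_a.calls
    return result


if __name__ == "__main__":
    print("current :", run_scenario(cache_intermediate=False))
    print("proposed:", run_scenario(cache_intermediate=True))
```

Note that the fix only helps while the cached role A credentials are valid; once they expire too, the chain falls back to the SSO token and the same error is expected, which is the behaviour the issue asks for.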

Labels

feature-request (A feature should be added or improved), p2 (This is a standard priority issue), sso, v2