99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

Getting error 400 when using SSO on AWS - OIDC: StartDeviceAuthorization

mvukadinoff opened this issue · comments

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

Getting error: " operation error SSO OIDC: StartDeviceAuthorization, https response error StatusCode: 400" while trying to open a session to AWS using SSO.

.aws/config:

[default]
region = us-east-1

[netm]
region = us-east-1
mfa_serial = arn:aws:iam::865986XXXXXX:mfa/yyyy.zzzzzz


[profile dd-container-large-dev]
region = eu-central-1
sso_region=eu-central-1
sso_start_url=https://mycompany-login.awsapps.com/start#/
sso_account_id=580824500XXX
sso_role_name=DeliveryPlatform_DEV

[profile dd-container-large-stg]
region = ap-northeast-1
sso_start_url=https://mycompany.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=693325994XXX
sso_role_name=DeliveryPlatform_STG

[profile dd-container-large-live]
region = ap-northeast-1
sso_start_url=https://mycompany-login.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=489430567XXX
sso_role_name=DeliveryPlatform_PRD


[profile dd-container-large-stg-eu]
region=eu-central-1
sso_start_url=https://mycompany-login.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=693325994XXX
sso_role_name=DevOpsStores_STG

Result from a command that used to work on 22.07.2022:

$ aws-vault --debug exec dd-container-large-dev -- aws --region eu-central-1 eks update-kubeconfig --name multi-01
2022/07/24 16:17:37 aws-vault v6.6.0
2022/07/24 16:17:37 Loading config file /home/mvukadinoff/.aws/config
2022/07/24 16:17:37 Parsing config file /home/mvukadinoff/.aws/config
2022/07/24 16:17:37 [keyring] Considering backends: [secret-service]
2022/07/24 16:17:37 Created new OIDC client (expires at: 2022-10-22 16:17:37 +0300 EEST)
aws-vault: error: exec: Failed to get credentials for dd-container-large-dev: operation error SSO OIDC: StartDeviceAuthorization, https response error StatusCode: 400, RequestID: 9486a914-ebc3-42d8-814f-ee4ca925867a, InvalidRequestException: 

I suspect something might have changed on the AWS SSO API or maybe authentication mechanism.

Until now aws-vault opened a browser window that prompted for login; we use Microsoft AD SSO, where we also have MFA. After logging in in the browser and generating temporary credentials, they're stored in the vault.
This worked fine so far.

I tried updating aws-vault to the latest stable version:
$ aws-vault --version
v6.6.0

$ aws-vault login dd-container-large-dev
aws-vault: error: login: Failed to get credentials: operation error SSO OIDC: StartDeviceAuthorization, https response error StatusCode: 400, RequestID: 90b14d73-55e5-4a04-8c99-6f98feedac57, InvalidRequestException:

Possibly related issue:
#948
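The failing call is the device-authorization step of the SSO OIDC flow, and that call is sent to the IAM Identity Center OIDC endpoint in the profile's sso_region, not in the profile's region. That is why every profile in the config above is affected regardless of its region: all of them set sso_region=eu-central-1. The following offline triage helper is an added example, not aws-vault's own code: it parses an .aws/config (a constructed sample with placeholder account ids, shaped like the one in the issue), checks each SSO profile for missing keys and for a start URL that differs from the other profiles, and pulls the operation, status code and RequestID out of the aws-vault error line quoted in the issue, so the region and the RequestID to hand to AWS Support are visible at a glance. The profile and function names are illustrative assumptions.

```python
"""Offline triage for aws-vault SSO profile errors (added example, not aws-vault code)."""
import configparser
import re

# Constructed sample in the shape of the .aws/config from the issue (placeholder values).
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile dev]
region = eu-central-1
sso_region=eu-central-1
sso_start_url=https://example-login.awsapps.com/start#/
sso_account_id=111111111111
sso_role_name=ExampleRole_DEV

[profile stg]
region = ap-northeast-1
sso_start_url=https://example.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=222222222222
sso_role_name=ExampleRole_STG

[profile broken]
region = eu-central-1
sso_start_url=https://example-login.awsapps.com/start#/
sso_region=eu-central-1
"""

# Error line as printed by aws-vault in the issue report.
SAMPLE_ERROR = (
    "aws-vault: error: exec: Failed to get credentials for dd-container-large-dev: "
    "operation error SSO OIDC: StartDeviceAuthorization, https response error "
    "StatusCode: 400, RequestID: 9486a914-ebc3-42d8-814f-ee4ca925867a, "
    "InvalidRequestException: "
)

# Keys an IAM Identity Center (SSO) profile needs before aws-vault can start the flow.
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

ERROR_RE = re.compile(
    r"operation error (?P<service>[^:]+): (?P<operation>\w+), "
    r"https response error StatusCode: (?P<status>\d{3}), "
    r"RequestID: (?P<request_id>[0-9a-f-]+), (?P<code>\w+)"
)


def load_profiles(text):
    """Parse .aws/config text into {profile_name: {key: value}} (the 'profile ' prefix is dropped)."""
    cp = configparser.ConfigParser(interpolation=None)  # '#' and '%' in values stay literal
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def check_sso_profiles(profiles):
    """Return {profile: [problems]} for every SSO profile that has something to review."""
    sso = {n: p for n, p in profiles.items() if any(k.startswith("sso_") for k in p)}
    urls = [p["sso_start_url"] for p in sso.values() if "sso_start_url" in p]
    # The most common start URL is taken as the expected one; outliers are flagged for review.
    common_url = max(set(urls), key=urls.count) if urls else None
    findings = {}
    for name, p in sso.items():
        problems = [f"missing {k}" for k in REQUIRED_SSO_KEYS if k not in p]
        url = p.get("sso_start_url")
        if url and not url.startswith("https://"):
            problems.append("sso_start_url is not https")
        if url and common_url and url != common_url:
            problems.append(f"sso_start_url differs from the other profiles ({url})")
        if "sso_account_id" in p and not re.fullmatch(r"\d{12}", p["sso_account_id"]):
            problems.append("sso_account_id is not a 12-digit account id")
        if problems:
            findings[name] = problems
    return findings


def parse_aws_vault_error(line):
    """Extract service, operation, HTTP status, RequestID and error code from an aws-vault error line."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["status"] = int(info["status"])
    return info


def triage(profiles, profile_name, error_line):
    """Combine the profile and the error line into a short summary for a support ticket."""
    err = parse_aws_vault_error(error_line)
    prof = profiles.get(profile_name, {})
    return {
        "profile": profile_name,
        "oidc_region": prof.get("sso_region"),  # StartDeviceAuthorization is issued here
        "operation": err["operation"] if err else None,
        "status": err["status"] if err else None,
        "request_id": err["request_id"] if err else None,
        # A 4xx with a RequestID means the request reached AWS and was rejected there.
        "rejected_by_aws": bool(err) and 400 <= err["status"] < 500,
    }


if __name__ == "__main__":
    profs = load_profiles(SAMPLE_CONFIG)
    print("config findings:", check_sso_profiles(profs))
    print("triage:", triage(profs, "dev", SAMPLE_ERROR))
```

Run against the sample, the checker reports the profile missing its account id and role name and the one whose start URL differs from the rest, while the triage summary shows the 400 came back from the eu-central-1 OIDC endpoint with the RequestID to quote. A start URL that differs is only flagged for review; as the later comments note, the outage here was on the AWS side.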

Just for your information, we experienced the same issue today in the eu-central-1 region. This was recently fixed by AWS and everything is working again. The call to the /device_authorization route was returning a 400 error only on eu-central-1.

Seems this issue was with AWS.