Getting error 400 when using SSO on AWS - OIDC: StartDeviceAuthorization
mvukadinoff opened this issue
- I am using the latest release of AWS Vault
- I have provided my .aws/config (redacted if necessary)
- I have provided the debug output using aws-vault --debug (redacted if necessary)
Getting error: "operation error SSO OIDC: StartDeviceAuthorization, https response error StatusCode: 400" while trying to open a session to AWS using SSO.
.aws/config:
[default]
region = us-east-1
[netm]
region = us-east-1
mfa_serial = arn:aws:iam::865986XXXXXX:mfa/yyyy.zzzzzz
[profile dd-container-large-dev]
region = eu-central-1
sso_region=eu-central-1
sso_start_url=https://mycompany-login.awsapps.com/start#/
sso_account_id=580824500XXX
sso_role_name=DeliveryPlatform_DEV
[profile dd-container-large-stg]
region = ap-northeast-1
sso_start_url=https://mycompany.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=693325994XXX
sso_role_name=DeliveryPlatform_STG
[profile dd-container-large-live]
region = ap-northeast-1
sso_start_url=https://mycompany-login.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=489430567XXX
sso_role_name=DeliveryPlatform_PRD
[profile dd-container-large-stg-eu]
region=eu-central-1
sso_start_url=https://mycompany-login.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=693325994XXX
sso_role_name=DevOpsStores_STG
Result from command that used to work on 22.07.2022
$ aws-vault --debug exec dd-container-large-dev -- aws --region eu-central-1 eks update-kubeconfig --name multi-01
2022/07/24 16:17:37 aws-vault v6.6.0
2022/07/24 16:17:37 Loading config file /home/mvukadinoff/.aws/config
2022/07/24 16:17:37 Parsing config file /home/mvukadinoff/.aws/config
2022/07/24 16:17:37 [keyring] Considering backends: [secret-service]
2022/07/24 16:17:37 Created new OIDC client (expires at: 2022-10-22 16:17:37 +0300 EEST)
aws-vault: error: exec: Failed to get credentials for dd-container-large-dev: operation error SSO OIDC: StartDeviceAuthorization, https response error StatusCode: 400, RequestID: 9486a914-ebc3-42d8-814f-ee4ca925867a, InvalidRequestException:
I suspect something might have changed on the AWS SSO API or maybe authentication mechanism.
Until now aws-vault opened a browser window that prompted for login - we use Microsoft AD SSO, where we also have MFA. After logging in through the browser and generating temporary credentials, they're stored in the vault.
This worked fine so far.
I tried updating aws-vault to the latest stable version:
$ aws-vault --version
v6.6.0
$ aws-vault login dd-container-large-dev
aws-vault: error: login: Failed to get credentials: operation error SSO OIDC: StartDeviceAuthorization, https response error StatusCode: 400, RequestID: 90b14d73-55e5-4a04-8c99-6f98feedac57, InvalidRequestException:
Possibly related issue:
#948
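As an added example (not part of the issue, and not aws-vault's own code), a small Python sanity check of the kind worth running on the posted config before chasing the 400 further: it flags sections that lack the `profile ` prefix required in ~/.aws/config, SSO profiles missing one of the four required sso_* keys, and profiles whose sso_start_url host differs from the others. The embedded config is a constructed excerpt of the one in the issue, with the same redacted account ids.

```python
"""Sanity-check SSO profiles in an AWS CLI config file (added example)."""
import configparser
from urllib.parse import urlparse

# Constructed excerpt modelled on the config posted in the issue (account ids redacted).
SAMPLE_CONFIG = """
[default]
region = us-east-1
[netm]
region = us-east-1
[profile dd-container-large-dev]
region = eu-central-1
sso_region=eu-central-1
sso_start_url=https://mycompany-login.awsapps.com/start#/
sso_account_id=580824500XXX
sso_role_name=DeliveryPlatform_DEV
[profile dd-container-large-stg]
region = ap-northeast-1
sso_start_url=https://mycompany.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=693325994XXX
sso_role_name=DeliveryPlatform_STG
"""

# Keys the AWS CLI requires for an SSO profile (legacy, non sso-session form).
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def check_sso_config(text):
    """Return a list of (section, message) findings for an AWS config file."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    start_url_hosts = {}  # host -> sections using it
    for section in cp.sections():
        # In ~/.aws/config every section except [default] must be [profile NAME].
        if section != "default" and not section.startswith("profile "):
            findings.append((section, "non-default section should be written as [profile NAME]"))
        keys = set(cp[section].keys())
        if not keys & set(REQUIRED_SSO_KEYS):
            continue  # not an SSO profile, nothing more to check
        missing = [k for k in REQUIRED_SSO_KEYS if k not in keys]
        if missing:
            findings.append((section, "missing " + ", ".join(missing)))
        url = cp[section].get("sso_start_url")
        if url:
            start_url_hosts.setdefault(urlparse(url).netloc, []).append(section)
    # All profiles of one organisation normally share a single start URL host.
    if len(start_url_hosts) > 1:
        for host, sections in start_url_hosts.items():
            findings.append(("/".join(sections), f"sso_start_url host {host} differs from other profiles"))
    return findings
```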
Just for your information, we experienced the same issue today in the eu-central-1 region. This was fixed lately by AWS and everything is working again. The call to the /device_authorization route was returning a 400 error only on eu-central-1.
Seems this issue was with AWS.