How to stop constantly having to aws sso login while using node cdk cli, much more frequently than sessions should allow?

0

As mentioned in this aws-cdk issue: https://github.com/aws/aws-cdk/issues/24782 my whole team is needing to run aws sso login more frequently than our session times are set to. The sessions appear to last less than 30 minutes currently, and so during the course of the day we're forced to run that command and its multiple steps (browser window, accept etc) many, many times a day.

Locally we don't directly use aws cli commands often, mostly using aws cdk cli commands instead, and apparently the issue is that the cdk doesn't do the token refreshing as it should and so we're left with the initial token which expires and nothing attempts to do a token refresh. So we're then forced to go through the aws sso login dance again.

We are running our development environments within VS Code Dev Containers, but the SSO configuration is hooked into our local sso configuration files for aws.

Things we've tried and checked:

  • Checked session times both in Google (the SSO provider) and in our Permission Sets
  • Set up a cron job to run aws s3 ls every few minutes, but that runs fine without sso login even being required, and doesn't make the session last longer

We're at a loss as to how to stop losing quite a bit of time to discovering part way through a deployment or piece of work that we've been logged out again and need to reauth.

2 Answers
1

Thanks for your answer!

We've already tried pushing up the AWS SSO session length, but it's not that which gets hit and forces another login, it's the much shorter initial token lifespan. When using the AWS CLI, it will continue to use the refresh token to go and get new valid session tokens as you use it. It appears that the CDK lib doesn't do this, and instead once that initial, short-lived token expires, that's it, session over, go through the process again.

We could wrap our calls in something like that, except the problem is that the aws sso login call isn't something that can happen silently in the background, it opens a webpage to ask for permission to grant permissions.

Thanks though :)

Simon O
answered 9 months ago
0

There isn't a definitive solution to this issue. However, there are a few potential workarounds that you could consider.

Here are two possible solutions:

  1. Increase the session duration: If you have control over the AWS SSO settings, you might consider increasing the session duration to the maximum allowed value. This should decrease the frequency at which your team has to re-login. However, it's worth noting that this is more of a band-aid solution than a proper fix.

  2. Use AWS CLI v2's auto-refresh capability with a helper script: AWS CLI v2 has the ability to automatically refresh SSO tokens when necessary, so you might consider using a wrapper script around the cdk commands that you're using which can ensure that the necessary tokens are refreshed before they're used.

You could create a simple bash script as follows:

#!/bin/bash

# Refresh SSO credentials
aws sso login

# Call original CDK command
cdk "$@"

This will ensure that each time you run your cdk commands via this script, it will refresh your SSO login.

Remember to replace "region" and "sso_account_id" with your specific values, and you'll need to mark this script as executable with chmod +x.

I know this is not the perfect solution, but until AWS resolves this issue, I hope this could help in mitigating the frequent login requirement.

Please note that these solutions are just workarounds, and the best long-term solution would be for AWS CDK to handle AWS SSO credentials properly. Keep an eye on the AWS CDK GitHub issue that you mentioned for updates from the AWS team.

answered 9 months ago
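
An added example, not part of either answer and not AWS or CDK code: a variant of the wrapper above that reads the cached SSO token's expiry and only starts the interactive `aws sso login` when less than a chosen headroom remains, so an expiry is caught before a deployment starts rather than part way through. It assumes the AWS CLI v2 default cache directory `~/.aws/sso/cache` and the `accessToken` / `expiresAt` fields in its JSON files; the 15-minute headroom and the function names are hypothetical. It cannot refresh the token silently, it only avoids needless prompts.

```python
#!/usr/bin/env python3
"""Pre-flight check for cdk: prompt for `aws sso login` only when needed."""
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

CACHE_DIR = Path.home() / ".aws" / "sso" / "cache"  # assumed CLI v2 default
MIN_REMAINING = timedelta(minutes=15)  # assumed headroom for one deploy


def parse_expiry(value):
    # Older CLI builds wrote "...UTC" instead of "...Z"; accept both.
    value = value.replace("UTC", "Z").replace("Z", "+00:00")
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def token_remaining(cache_dir=CACHE_DIR, now=None):
    """Longest remaining lifetime among cached SSO access tokens, or None."""
    now = now or datetime.now(timezone.utc)
    best = None
    for path in Path(cache_dir).glob("*.json"):
        try:
            entry = json.loads(path.read_text())
            # Client-registration files have no accessToken; skip them.
            # Only expiresAt is read; the bearer token is never printed.
            if not isinstance(entry, dict) or "accessToken" not in entry:
                continue
            left = parse_expiry(entry["expiresAt"]) - now
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable or malformed entry: treat as absent
        best = left if best is None else max(best, left)
    return best


def needs_login(cache_dir=CACHE_DIR, now=None, min_remaining=MIN_REMAINING):
    left = token_remaining(cache_dir, now)
    return left is None or left < min_remaining


if __name__ == "__main__":
    if needs_login():
        subprocess.run(["aws", "sso", "login"], check=True)
    os.execvp("cdk", ["cdk", *sys.argv[1:]])
```

With more than one SSO session cached, the check takes the longest-lived token, so it can report enough time left for a session other than the one the current profile uses. Files in the cache directory hold bearer tokens, so keep the directory readable only by your own user, including inside the Dev Container mount.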
