By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Go SDK v2 + SSO question

0

I'm trying to get authenticated using my SSO account, which does seem to be working, but as soon as I call GetCallerIdentity() on the sts client, I get an invalid token id error. On my laptop, I am logged in to the same SSO profile that I'm trying to use and I can run aws sts get-caller-identity from the command line just fine.

func whoAmI() {
		ctx := context.TODO()

		fmt.Printf("AWS profile: '%s'\n", os.Getenv("AWS_PROFILE")) // shows the name of the profile under which i'm currently authenticated just for reference

		cfg, err := config.LoadDefaultConfig(
			ctx,
			config.WithSharedConfigProfile("same-profle-name-as-above"),
		)
		if err != nil {
			log.Fatal(err)
		}

		fmt.Printf("%+v\n", cfg) // shows me all the right stuff (keys, region, etc.)

		client := sts.NewFromConfig(cfg)
		identity, err := client.GetCallerIdentity(
			ctx,
			&sts.GetCallerIdentityInput{},
		)
		if err != nil {
			log.Fatal(err)
		}

		fmt.Printf("%+v", identity)

		return nil
}

Result:

operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: <whatever>, api error InvalidClientTokenId: The security token included in the request is invalid

What am I missing here? As mentioned, I can run the analogous awscli command with no issue and I have full admin access to the account.

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Identity and Access ManagementAWS Command Line Interface
Language
English
robwilkerson
asked a year ago408 views
1 Answer
0

"fmt.Printf("AWS profile: '%s'\n", os.Getenv("AWS_PROFILE"))" seems to display authentication information, are you sure you have the correct content here?
If not, try setting environment variables in the shell where you are running the script.

export AWS_ACCESS_KEY_ID="ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="SECRET_ACCESS_KEY"
export AWS_SESSION_TOKEN="SESSION_TOKEN"
profile picture
EXPERT
Riku_Kobayashi
answered a year ago
  • robwilkerson
    a year ago

    It's correct. I have a few data points to indicate that I am authenticated at the command line level and this line indicates that the Go code seems to recognize the env variable is set, but most importantly, the fmt.Printf("%+v\n", cfg) statement prints exactly what I'd expect to see. It's reading my config and fetching the correct information.

  • Riku_Kobayashi EXPERT
    a year ago

    Try deleting the cache of credentials, etc.
    You can remove it with the following command.
    Windows:

    del /s /q %UserProfile%\.aws\cli\cache

    Linux:

    rm -r ~/.aws/cli/cache

    Now it is time to make sure that your profile is up-to-date with the following.

    [default]
aws_access_key_id = XXXXXXXXX
aws_secret_access_key = XXXXXXXXX
aws_session_token=XXXXXXXXX
  • robwilkerson
    a year ago

    No luck after deleting the cache. My profile itself is fine - as mentioned, when I dump the identity value all of the info I'd expect is both present and accurate including recognizing my administrator role (SSORoleName:AdministratorAccess). The code is definitely reading the profile properly, it's just getting rejected upstream for some reason. I've now tried with both STS (from the original post) and the SecretsManager services. Both fail for similar reasons (security token) even though the response code is different for whatever reason.

    operation error Secrets Manager: ListSecrets, https response error StatusCode: 400, RequestID: b52c4071-4949-4508-a3f8-1d521fea1f3b, api error UnrecognizedClientException: The security token included in the request is invalid

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content