I'm trying to get authenticated using my SSO account, which does seem to be working, but as soon as I call GetCallerIdentity() on the sts client, I get an invalid token id error. On my laptop, I am logged in to the same SSO profile that I'm trying to use and I can run aws sts get-caller-identity from the command line just fine.
package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
)

func whoAmI() {
	ctx := context.TODO()
	// Shows the name of the profile under which I'm currently authenticated, just for reference.
	fmt.Printf("AWS profile: '%s'\n", os.Getenv("AWS_PROFILE"))
	cfg, err := config.LoadDefaultConfig(
		ctx,
		config.WithSharedConfigProfile("same-profile-name-as-above"),
	)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", cfg) // shows me all the right stuff (keys, region, etc.)
	client := sts.NewFromConfig(cfg)
	identity, err := client.GetCallerIdentity(
		ctx,
		&sts.GetCallerIdentityInput{},
	)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", identity)
	// The original ended with `return nil`, which does not compile in a function with no return value.
}

func main() {
	whoAmI()
}
Result:
operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: <whatever>, api error InvalidClientTokenId: The security token included in the request is invalid
What am I missing here? As mentioned, I can run the analogous awscli command with no issue and I have full admin access to the account.
It's correct. I have a few data points to indicate that I am authenticated at the command line level, and this line indicates that the Go code seems to recognize the env variable is set, but most importantly, the fmt.Printf("%+v\n", cfg) statement prints exactly what I'd expect to see. It's reading my config and fetching the correct information.

Try deleting the cache of credentials, etc.
You can remove it with the following command.
Windows:
Linux:
Now it is time to make sure that your profile is up-to-date with the following.
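Before deleting the cache blindly, it helps to know which file the SDK will actually read and whether the token in it has lapsed. The following is an added example, not code from the question or the answer: it derives the cache file name the AWS CLI v2 and SDK v2 use for a cached SSO token (the lowercase hex SHA-1 of the cache key plus ".json" under ~/.aws/sso/cache, where the key is the profile's sso_start_url for a legacy profile or the sso-session name for a newer one), then parses the JSON and checks the expiresAt timestamp. The start URL, the sample token JSON and the expiry margin are constructed for illustration; check the file names in your own ~/.aws/sso/cache to confirm the convention on your machine.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// SSOToken holds the subset of fields the CLI/SDK write to the cached token
// file that matter for diagnosis (assumption: field names as written by CLI v2).
type SSOToken struct {
	AccessToken string `json:"accessToken"`
	ExpiresAt   string `json:"expiresAt"` // RFC 3339, e.g. 2024-01-01T12:00:00Z
	Region      string `json:"region"`
	StartURL    string `json:"startUrl"`
	expires     time.Time
}

// CacheFileName derives the cache file name for a given key: the hex SHA-1
// of the key followed by ".json". SHA-1 is used here only as a file-name
// hash, matching the existing tooling, not for any security property.
func CacheFileName(key string) string {
	sum := sha1.Sum([]byte(key))
	return hex.EncodeToString(sum[:]) + ".json"
}

// CachePath returns the full path under ~/.aws/sso/cache for the key.
func CachePath(key string) (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(home, ".aws", "sso", "cache", CacheFileName(key)), nil
}

// ParseToken decodes a cached token file and validates the fields we rely on.
func ParseToken(data []byte) (*SSOToken, error) {
	var t SSOToken
	if err := json.Unmarshal(data, &t); err != nil {
		return nil, fmt.Errorf("cached token is not valid JSON: %w", err)
	}
	if t.AccessToken == "" {
		return nil, fmt.Errorf("cached token has no accessToken")
	}
	exp, err := time.Parse(time.RFC3339, t.ExpiresAt)
	if err != nil {
		return nil, fmt.Errorf("cached token has an unparseable expiresAt: %w", err)
	}
	t.expires = exp
	return &t, nil
}

// Expired reports whether the token is unusable at now. A safety margin treats
// a token that will lapse within margin as already stale, so a request signed
// with it a moment later does not fail mid-flight.
func Expired(t *SSOToken, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(t.expires)
}

// SampleToken is a constructed cache entry, not real output from any account.
const SampleToken = `{"accessToken":"REDACTED","expiresAt":"2024-01-01T12:00:00Z","region":"us-east-1","startUrl":"https://example.awsapps.com/start"}`

func main() {
	key := "https://example.awsapps.com/start" // constructed: use your profile's sso_start_url or sso-session name
	path, err := CachePath(key)
	if err != nil {
		fmt.Println("cannot resolve home directory:", err)
		return
	}
	fmt.Println("expected cache file:", path)
	data, err := os.ReadFile(path)
	if err != nil {
		fmt.Println("no cached token found; an SSO login is needed before the SDK can sign requests")
		return
	}
	tok, err := ParseToken(data)
	if err != nil {
		fmt.Println("cached token is unusable:", err)
		return
	}
	if Expired(tok, time.Now(), 5*time.Minute) {
		fmt.Println("cached token for", tok.StartURL, "expired at", tok.ExpiresAt, "; delete it and log in again")
	} else {
		fmt.Println("cached token for", tok.StartURL, "in", tok.Region, "is valid until", tok.ExpiresAt)
	}
}
```

If the file the SDK is looking for is missing or expired while the CLI still works, the two tools are keyed on different values (for example, a start URL in one profile and an sso-session name in another), which is worth ruling out before assuming the SDK itself is at fault.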
No luck after deleting the cache. My profile itself is fine - as mentioned, when I dump the identity value all of the info I'd expect is both present and accurate, including recognizing my administrator role (SSORoleName:AdministratorAccess). The code is definitely reading the profile properly, it's just getting rejected upstream for some reason. I've now tried with both STS (from the original post) and the SecretsManager services. Both fail for similar reasons (security token) even though the response code is different for whatever reason.