aws-vault: aws-vault: error: login: Failed to get credentials for REDACTED: : Session token not found or invalid status code: 401, request id:
OS: MacOS Big Sur, Version 11.1
- [+] I am using the latest release of AWS Vault v6.2.0
- [+] I have provided my .aws/config (redacted if necessary)
[profile REDACTED]
sso_start_url = https://REDACTED
sso_region = eu-west-1
sso_account_id = REDACTED
sso_role_name = AWSAdministratorAccess
region = eu-central-1
output = json
[profile REDACTED]
sso_start_url = https://REDACTED
sso_region = eu-west-1
sso_account_id = REDACTED
sso_role_name = AdministratorAccess
region = eu-central-1
output = json
- [+] I have provided the debug output using aws-vault --debug (redacted if necessary)
$ aws-vault --debug login REDACTED
2021/02/11 17:18:55 aws-vault v6.2.0
2021/02/11 17:18:55 [keyring] Considering backends: [keychain]
2021/02/11 17:18:55 Loading config file /Users/yulia/.aws/config
2021/02/11 17:18:55 Parsing config file /Users/yulia/.aws/config
2021/02/11 17:18:55 Profile 'default' missing in config file
2021/02/11 17:18:55 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2021/02/11 17:18:55 [keyring] Found 2 results
2021/02/11 17:18:55 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2021/02/11 17:18:55 [keyring] Found 2 results
2021/02/11 17:18:55 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2021/02/11 17:18:55 [keyring] Found 2 results
2021/02/11 17:18:55 [keyring] Querying keychain for service="aws-vault", account="sso.GetRoleCredentials,R2xvYnVzLVN0YWdpbmc,aHR0cHM6Ly9kLTkzNjcwM2Q2NjIuYXdzYXBwcy5jb20vc3RhcnQv,-62135596800", keychain="aws-vault.keychain"
2021/02/11 17:18:55 [keyring] No results found
2021/02/11 17:18:55 [keyring] Querying keychain for service="aws-vault", account="oidc:https://REDACTED", keychain="aws-vault.keychain"
2021/02/11 17:18:55 [keyring] Found item "aws-vault oidc token for https://REDACTED/ (expires 2021-02-11T23:21:21+02:00)"
aws-vault: error: login: Failed to get credentials for REDACTED: : Session token not found or invalid
status code: 401, request id:
About this issue
- State: closed
- Created 3 years ago
- Reactions: 28
- Comments: 21 (3 by maintainers)
I had the same issue today. Running ‘aws-vault clear’ fixed the issue for me.
Same here for a couple of days using AWS SSO; aws-vault clear removed invalid sessions and works now.
AWS support just responded to let us know that the change has been reverted, and I can confirm that CreateToken is again returning expiresIn: 28800
Just to cross post from https://github.com/99designs/aws-vault/issues/854.
Our AWS support has confirmed they see an issue internally and our TAM is working with the SSO team at AWS to identify the issue and hopefully resolve it.
Update: AWS confirmed they have an open case, with multiple TAMs internally noting their customers also have this issue. I guess AWS is working on it but not too much insight as of now.
Our team has also started to see this a lot nowadays. Any help would be appreciated.
aws-vault clear clears the invalid token but it doesn’t seem ideal.
Recently aws-vault started to misbehave for me as described in this ticket. It was working for months without any problems but something must have changed that now when the AWS SSO login expires, I see this:
Of course aws-vault clear works, but in the past it was not necessary - if the SSO credentials have expired, then the login window popped up automatically. Now I need to explicitly remove them beforehand, which is annoying.
I am using v6.3.1 on macOS (with Keychain as a storage backend) and on Ubuntu (with pass) and it’s broken on both systems.
Clearing this with aws-vault clear is not working for me this morning. There must’ve been a change on the AWS side?
Edit: After reconfiguring, I’m now getting this. aws-vault clear is still having no effect:
Also getting this in Linux, starting very recently. So, I don’t think this is limited to OSX or its keyring.
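Added example, not part of the original thread and not aws-vault's own code: a small triage script that reads `aws-vault --debug` output like the report above and tells apart a cached OIDC token that is still unexpired locally but rejected with a 401 (the case this issue describes) from one that has simply expired. The `diagnose` helper and its return labels are hypothetical, and it assumes the log timestamps are in the same UTC offset as the printed expiry.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the report above (already redacted there).
SAMPLE = """\
2021/02/11 17:18:55 [keyring] Querying keychain for service="aws-vault", account="oidc:https://REDACTED", keychain="aws-vault.keychain"
2021/02/11 17:18:55 [keyring] Found item "aws-vault oidc token for https://REDACTED/ (expires 2021-02-11T23:21:21+02:00)"
aws-vault: error: login: Failed to get credentials for REDACTED: : Session token not found or invalid
status code: 401, request id:
"""

# Timestamped keyring line announcing a cached OIDC token and its expiry.
TOKEN_LINE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[keyring\] Found item '
    r'"aws-vault oidc token for (?P<url>\S+) \(expires (?P<exp>[^)]+)\)"',
    re.MULTILINE,
)


def diagnose(debug_output):
    """Classify an `aws-vault --debug` transcript (hypothetical helper).

    Returns one of: 'no-401', 'no-cached-token', 'expired-cached-token',
    'stale-cached-token'.
    """
    if "status code: 401" not in debug_output:
        return "no-401"
    match = TOKEN_LINE.search(debug_output)
    if match is None:
        return "no-cached-token"
    # The expiry is printed with a UTC offset; map a trailing "Z" to "+00:00"
    # so datetime.fromisoformat accepts it on older Python versions.
    expires = datetime.fromisoformat(match["exp"].replace("Z", "+00:00"))
    # Assumption: the log timestamp is local time in the same offset as the expiry.
    seen = datetime.strptime(match["ts"], "%Y/%m/%d %H:%M:%S").replace(
        tzinfo=expires.tzinfo)
    if expires > seen:
        # Locally the token still looks valid, yet SSO answered 401: the cached
        # entry is stale and has to be removed (the thread uses `aws-vault clear`).
        return "stale-cached-token"
    return "expired-cached-token"


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
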