aws-toolkit-vscode: InvalidGrantException: UnknownError

System details (run the AWS: About Toolkit command)

OS: Linux x64 6.0.12-300.fc37.x86_64
Visual Studio Code extension host: 1.74.1
AWS Toolkit: 1.60.0
node: 16.14.2
electron: 19.1.8

Question

I am able to connect using IAM Identity Center just fine from the AWS CLI, but when I try to do so from the AWS Toolkit extension I get the following error message after pressing “Allow” in SSO:

aws.auth.addConnection: InvalidGrantException: UnknownError

Since this is my first time using the AWS Toolkit for VSCode, I am not sure what could be causing the above error and I am looking for troubleshooting steps.

Thanks!

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 6
  • Comments: 40 (9 by maintainers)

Most upvoted comments

@haufam @semanur-prenuvo

The most recent Toolkit version will no longer always request CodeWhisperer scopes when adding an IAM Identity Center connection. If you’ve already added a connection you will need to use the “AWS: Sign out” command and start over.

@Frosty1442 @BwL1289 @malikalimoekhamedov @dvfariaf-bops @droddy @ChristianTashev @Port-Wallis-Technologies @cosmincatalin @johnfischbeck @yfengBTI @OrYairWaterCooler @jeevanullas @thehappycheese @oyatrides @azizur @BigKatGalarraga

Most of the causes for InvalidGrantException should be fixed in v1.70.0, however, it’s still possible to run into this problem when trying to use CodeWhisperer without enabling it in IAM Identity Center. It’s also possible to see “Invalid grant provided” in the browser when using an incorrect region. As long as you do not explicitly login through the CodeWhisperer node and select a valid region then you should have no problems. There should not be CodeWhisperer scopes in the consent page.

After connecting to IAM Identity Center, any AWS account/roles that you have access to will show if you click “Select IAM Credentials to View Resources” in the AWS explorer. Available accounts/roles will also show when clicking the AWS status bar item.

Let us know if there are any more problems!

The repository I use for reference is https://github.com/cosmincatalin/rust-playground. I start a codespace environment based on the .devcontainer in said repository. I use the latest version of the toolkit.

Trying to configure from the CLI is successful

Okay so I was able to make this work in my environment and not sure if it will help others but I missed an important step in setup which is to add the user (I am using IAM Identity Center) to Code Whisperer (step 8 mentioned here https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#codewhisperer-setup-enterprise-admin-authorize). After completing that step I was able to connect via AWS Toolkit. Hope this helps others.

Looks like there is a manual setting up required to make CodeWhisperer work. The error message could help by pointing people to docs here: https://docs.aws.amazon.com/codewhisperer/latest/userguide/setting-up.html

This is nonsense. Why do we have to subscribe to Code Whisper Professionals in order to connect to IAM Identity Center via AWS Toolkit VSCode? We will have to pay $19/user/month for Code Whisper Professionals, so basically it means we must pay in order to connect to IAM Identity Center

so … vscode blows up badly trying to create a new connection but if I use the configured ROOT profile (yes bad practice) it works fine.

Edited to add, this is the result of the attempt to create a new profile in vscode.

Now suspecting a privileges issue. Is there a role/policy that needs to be included?

for people like me still having issues, I figured out that if you try to connect CW before setting up the SSO credentials and default region, it would save something in VSCode cache that will mess up future attempts. If you see more profiles than you have in the AWS config then you have the same as me.

Clearing the AppData\Roaming\Code folder did the trick although it’s a bit nuclear, clearing Cache folders did not solve the issue, I guess there is a specific cache folder for aws IdP in vscode.

Latest release of AWS Toolkit (1.75) includes #3498 which should reduce the frequency of InvalidGrantException.

Has anyone here noticed improvements?

Thanks @jeevanullas. The link you provided fixed my issue. I was also having the problems connecting through Identity Center. Once I granted access to the users that needed it, I tried again and now connected. Follow this link: https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#codewhisperer-setup-enterprise-admin-authorize and check off the users that need access.

Doesn’t work either for me. I have created my accounts through AWS Control Tower, using IAM identity center as well, but I created this in the eu-west-3 region, not us-east-1. Should it still work ?

I tried to connect through the “Connect to AWS to Get Started” which gave me the error:

2023-04-15 09:49:23 [ERROR]: API response (oidc.eu-west-3.amazonaws.com /token): {
  name: 'InvalidGrantException',
  '$fault': 'client',
  '$metadata': { httpStatusCode: 400, requestId: 'xxxx', extendedRequestId: undefined, cfId: undefined },
  error: 'invalid_grant',
  error_description: 'Invalid grant provided',
  message: 'UnknownError'
}
2023-04-15 09:49:23 [ERROR]: aws.auth.addConnection: InvalidGrantException: UnknownError

And then I tried to connect with the CodeWhisperer Start button, which is the same workflow, apparently, but gives another error:

2023-04-15 09:49:46 [ERROR]: API response (oidc.eu-west-3.amazonaws.com /token): {
  name: 'InvalidGrantException',
  '$fault': 'client',
  '$metadata': { httpStatusCode: 400, requestId: 'xxxx', extendedRequestId: undefined, cfId: undefined },
  error: 'invalid_grant',
  error_description: 'Invalid grant provided',
  message: 'UnknownError'
}
2023-04-15 09:49:46 [ERROR]: aws.codeWhisperer.sso: Error: Failed to connect to IAM Identity Center [FailedToConnect] -> InvalidGrantException: UnknownError

I don’t know if this can help, or if it’s not relevant to know.

I am facing the same problem.

2023-04-14 10:18:00 [ERROR]: log level: info
2023-04-14 10:18:00 [INFO]: Retrieving AWS endpoint data
2023-04-14 10:18:00 [INFO]: OS: Darwin x64 22.4.0
2023-04-14 10:18:00 [INFO]: Visual Studio Code extension host:  1.77.3
2023-04-14 10:18:00 [INFO]: AWS Toolkit:  1.68.0
2023-04-14 10:18:00 [INFO]: node: 16.14.2
2023-04-14 10:18:00 [INFO]: electron: 19.1.11

2023-04-14 10:19:02 [ERROR]: API response (oidc.ap-southeast-2.amazonaws.com /token): {
  name: 'InvalidGrantException',
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: '85659e66-c1a5-40fe-802a-894077ade75d',
    extendedRequestId: undefined,
    cfId: undefined
  },
  error: 'invalid_grant',
  error_description: 'Invalid grant provided',
  message: 'UnknownError'
}
2023-04-14 10:19:02 [ERROR]: aws.codeWhisperer.sso: Error: Failed to connect to IAM Identity Center [FailedToConnect]
	 -> InvalidGrantException: UnknownError

Any suggestions on things I could try to workaround this annoying problem?

I’ve got the same issue. Any update on resolution?

@Port-Wallis-Technologies, I’ve tried with root credentials without success.

I follow the same steps as above but get slightly different results which is leading me to suspect a config issue on my part or the plugin needed an upgrade.

Firstly, I will note that CLI is not functioning as I would expect so it is unsurprising that VSCode is confused.

So, off the top, the instructions here are incorrect as I see them:

[screenshot]

but I see this:

[screenshot]

so that is one bit of weirdness.

I also do not see an sso-session section in my .aws/config file although I do see the “abc” profile set up:

[screenshot]

and yes, this is after I login with the abc profile:

[screenshot]

Now, the final bit of weirdness. If I select my root account from the available list (which, no, is not good practice) I see everything I expect (a bunch of buckets). The other accounts that I have used all have the policy “AWSS3FullAccess” attached to them and so SHOULD return the same results from an S3 ls but they get an empty list (as seen above)

My thinking is that aws configure sso is doing something weird and that is hopelessly confusing vscode
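Two of the reports above point at the same kind of local configuration problem: the eu-west-3 report shows the Toolkit calling `oidc.eu-west-3.amazonaws.com` while the Identity Center instance lives elsewhere, and the comment just above notes that `aws configure sso` left no `sso-session` section in `.aws/config`. The following script is an added example, not code from the AWS Toolkit or the AWS CLI: it parses a constructed `.aws/config`, reports profiles whose SSO settings are incomplete (a profile that points at a missing `[sso-session ...]` block, or a legacy profile lacking `sso_start_url`/`sso_region`), and compares a profile's `sso_region` against the region in the `oidc.<region>.amazonaws.com` host that the Toolkit prints in its error line. The config contents, the profile names and the log line are constructed for the example; the assumed log-line shape is the one quoted in this thread.

```python
import configparser
import re

# Constructed ~/.aws/config contents (not taken from the issue).
# "abc" is the sso-session style that `aws configure sso` writes,
# "legacy" keeps the older inline sso_* keys, and "broken" references
# an sso-session block that does not exist in the file.
SAMPLE_CONFIG = """
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile abc]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = ReadOnly
region = eu-west-3

[profile legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-3
sso_account_id = 111122223333
sso_role_name = ReadOnly

[profile broken]
sso_session = missing-session
sso_account_id = 111122223333
sso_role_name = ReadOnly
"""

# Constructed Toolkit log line, in the shape quoted in the thread.
SAMPLE_LOG = ("2023-04-15 09:49:23 [ERROR]: API response (oidc.eu-west-3.amazonaws.com /token): "
              "{ name: 'InvalidGrantException', error: 'invalid_grant' }")

OIDC_HOST_RE = re.compile(r"oidc\.([a-z0-9-]+)\.amazonaws\.com")


def parse_config(text):
    """Parse AWS-config style INI text; AWS config uses '=' only, so ':' in URLs is safe."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(text)
    return cp


def sso_region_for_profile(cp, profile):
    """Region the OIDC client should use for this profile, or None if it cannot be resolved."""
    section = f"profile {profile}"
    if not cp.has_section(section):
        return None
    if cp.has_option(section, "sso_session"):
        sess = f"sso-session {cp.get(section, 'sso_session')}"
        if not cp.has_section(sess):
            return None
        return cp.get(sess, "sso_region", fallback=None)
    return cp.get(section, "sso_region", fallback=None)


def check_profile(cp, profile):
    """Return a list of configuration problems that would make the token exchange fail."""
    problems = []
    section = f"profile {profile}"
    if not cp.has_section(section):
        return [f"profile '{profile}' not found"]
    if cp.has_option(section, "sso_session"):
        name = cp.get(section, "sso_session")
        sess = f"sso-session {name}"
        if not cp.has_section(sess):
            problems.append(f"profile '{profile}' references [sso-session {name}] which does not exist")
        else:
            for key in ("sso_start_url", "sso_region"):
                if not cp.has_option(sess, key):
                    problems.append(f"[sso-session {name}] is missing {key}")
    else:
        for key in ("sso_start_url", "sso_region"):
            if not cp.has_option(section, key):
                problems.append(f"profile '{profile}' has no sso_session and is missing {key}")
    return problems


def oidc_region_from_log(line):
    """Extract the region from the oidc.<region>.amazonaws.com host in a Toolkit error line."""
    m = OIDC_HOST_RE.search(line)
    return m.group(1) if m else None


def region_mismatch(cp, profile, log_line):
    """True when the log shows the OIDC endpoint in a region other than the profile's sso_region."""
    expected = sso_region_for_profile(cp, profile)
    actual = oidc_region_from_log(log_line)
    return expected is not None and actual is not None and expected != actual


if __name__ == "__main__":
    cp = parse_config(SAMPLE_CONFIG)
    for name in ("abc", "legacy", "broken"):
        print(name, check_profile(cp, name), "mismatch:", region_mismatch(cp, name, SAMPLE_LOG))
```

Run against a real `~/.aws/config` by replacing `SAMPLE_CONFIG` with the file's contents; a profile that resolves to no `sso_region`, or one whose region differs from the host in the error line, is the first thing to fix before re-running the Toolkit's sign-in.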

Also experiencing this. Commenting for updates. Believe this is related to/duplicate of 3009.

FYI - my IAM identity center start URL is in us-east-1