terragrunt: AWS SSO error SSOProviderInvalidToken: the SSO session has expired or is invalid

Describe the bug After logging using aws sso I am able to run aws cli command, deploy terraform modules, however I receive errors related to an invalid session if I try to use Terragrunt

To Reproduce

  1. Log in using aws sso: aws sso login --profile <profile name>
  2. List your bucket: aws s3 ls
  3. Run a plan on a given Terraform module
  4. Try to run a plan with Terragrunt

Expected behavior Terragrunt commands should be able to run as the we are already authenticated.

  • Terminal output (some directories have been sanitized):
DEBU[0000] Did not find any locals block: skipping evaluation.
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Evaluated 1 locals (remaining 0): aws_region
DEBU[0000] [Partial] Included config <path to project>/us-east-1/region_common.hcl has strategy shallow merge: merging config in (shallow).
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Found locals block: evaluating the expressions.  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 5 locals (remaining 0): dynamodb_table, iam_role, aws_account_id, terraform_state_s3_bucket, terraform_state_aws_region  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Found locals block: evaluating the expressions.  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 5 locals (remaining 0): iam_role, aws_account_id, terraform_state_s3_bucket, terraform_state_aws_region, dynamodb_table  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 1 locals (remaining 0): deployment_commons
DEBU[0000] [Partial] Included config <path to project>/terragrunt.hcl has strategy shallow merge: merging config in (shallow).
DEBU[0000] Running command: terraform --version          prefix=[<path to project>/us-east-1/vpc]
DEBU[0000] Terraform version: 1.4.6
DEBU[0000] Reading Terragrunt config file at <path to project>/us-east-1/vpc/terragrunt.hcl
DEBU[0000] Did not find any locals block: skipping evaluation.
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Evaluated 1 locals (remaining 0): aws_region
DEBU[0000] [Partial] Included config <path to project>/us-east-1/region_common.hcl has strategy shallow merge: merging config in (shallow).
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Found locals block: evaluating the expressions.  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 5 locals (remaining 0): terraform_state_aws_region, dynamodb_table, iam_role, aws_account_id, terraform_state_s3_bucket  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 1 locals (remaining 0): deployment_commons
DEBU[0000] [Partial] Included config <path to project>/terragrunt.hcl has strategy shallow merge: merging config in (shallow).
DEBU[0000] Did not find any locals block: skipping evaluation.
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Evaluated 1 locals (remaining 0): aws_region
DEBU[0000] Included config <path to project>/us-east-1/region_common.hcl has strategy shallow merge: merging config in (shallow) for dependency.
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Found locals block: evaluating the expressions.  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 5 locals (remaining 0): aws_account_id, terraform_state_s3_bucket, terraform_state_aws_region, dynamodb_table, iam_role  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 1 locals (remaining 0): deployment_commons
DEBU[0000] Included config <path to project>/terragrunt.hcl has strategy shallow merge: merging config in (shallow) for dependency.
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Evaluated 1 locals (remaining 0): aws_region
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Evaluated 1 locals (remaining 0): aws_region
DEBU[0000] Included config <path to project>/us-east-1/region_common.hcl has strategy shallow merge: merging config in (shallow).
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Found locals block: evaluating the expressions.  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 5 locals (remaining 0): terraform_state_s3_bucket, terraform_state_aws_region, dynamodb_table, iam_role, aws_account_id  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 1 locals (remaining 0): deployment_commons
DEBU[0000] Found locals block: evaluating the expressions.
DEBU[0000] Found locals block: evaluating the expressions.  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 5 locals (remaining 0): terraform_state_s3_bucket, terraform_state_aws_region, dynamodb_table, iam_role, aws_account_id  prefix=[<Home dir>/repos/IaC]
DEBU[0000] Evaluated 1 locals (remaining 0): deployment_commons
DEBU[0000] Included config <path to project>/terragrunt.hcl has strategy shallow merge: merging config in (shallow).
DEBU[0000] Terraform files in <cache dir>/terragrunt-cache/_jqBrbAj4YhJ70GhGygJ049fXow/1DCsnRS7PvRws6ncZHCJ4Xq1oDQ/modules/networking/vpc-example are up to date. Will not download again.
DEBU[0000] Copying files from <path to project>/us-east-1/vpc into <cache dir>/terragrunt-cache/_jqBrbAj4YhJ70GhGygJ049fXow/1DCsnRS7PvRws6ncZHCJ4Xq1oDQ/modules/networking/vpc-example
DEBU[0000] Setting working directory to <cache dir>/terragrunt-cache/_jqBrbAj4YhJ70GhGygJ049fXow/1DCsnRS7PvRws6ncZHCJ4Xq1oDQ/modules/networking/vpc-example
DEBU[0000] The file path <cache dir>/terragrunt-cache/_jqBrbAj4YhJ70GhGygJ049fXow/1DCsnRS7PvRws6ncZHCJ4Xq1oDQ/modules/networking/vpc-example/provider.tf already exists, but was a previously generated file by terragrunt. Since if_exists for code generation is set to "overwrite_terragrunt", regenerating file.  prefix=[<path to project>/us-east-1/vpc]
DEBU[0000] Generated file <cache dir>/terragrunt-cache/_jqBrbAj4YhJ70GhGygJ049fXow/1DCsnRS7PvRws6ncZHCJ4Xq1oDQ/modules/networking/vpc-example/provider.tf.  prefix=[<path to project>/us-east-1/vpc]
DEBU[0000] The file path <cache dir>/terragrunt-cache/_jqBrbAj4YhJ70GhGygJ049fXow/1DCsnRS7PvRws6ncZHCJ4Xq1oDQ/modules/networking/vpc-example/backend.tf already exists, but was a previously generated file by terragrunt. Since if_exists for code generation is set to "overwrite_terragrunt", regenerating file.  prefix=[<path to project>/us-east-1/vpc]
DEBU[0000] Generated file <cache dir>/terragrunt-cache/_jqBrbAj4YhJ70GhGygJ049fXow/1DCsnRS7PvRws6ncZHCJ4Xq1oDQ/modules/networking/vpc-example/backend.tf.  prefix=[<path to project>/us-east-1/vpc]
DEBU[0000] Initializing remote state for the s3 backend  prefix=[<path to project>/us-east-1/vpc]
ERRO[0000] Error finding AWS credentials (did you set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables?): SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open <Home dir>/.aws/sso/cache/64041c5d376abe231cc23768caf97288e7e11277.json: no such file or directory
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
  • Screenshots: image

Versions

  • Terragrunt version: v0.46.3, I also tried version v0.45.11 and the result is the same.
  • Terraform version: v1.4.6
  • Environment details (Ubuntu 20.04, RHEL 8.):

Additional context Add any other context about the problem here.

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Reactions: 15
  • Comments: 18 (1 by maintainers)

Most upvoted comments

Update 1 (Preferred workaround for now)

I was able to make it to work by configuring AWS SSO without a session name, so when running aws configure sso don’t provide a name for the session when the SSO session name (Recommended): input message is prompted, just hit enter, this will return:

WARNING: Configuring using legacy format (e.g. without an SSO session).
Consider re-running "configure sso" command and providing a session name.

Note: When providing the sso_start_url value make sure that it does NOT contain the # symbol at the end.

Continue with the configuration and now the Terragrunt commands should work

+21
yiskaneto on Jul 17, 2023

here’s a slightly different workaround that is a little less effort:

[profile terraform]
credential_process = aws --profile terraform-sso configure export-credentials --format process
region = <region>
output = json

[profile terraform-sso]
sso_session = <session>
<... rest of SSO config>

Configure the terraform-sso profile with the SSO session name as usual using aws configure sso, then you can point the terraform profile to dump the creds from that one using credential_process, and use AWS_PROFILE=terraform for actually running terraform. You’ll still have to log in with the terraform-sso profile, however.

+8
crotger on Aug 23, 2023

1.6.0 is released now. It would be good to fix this in terragrunt 🎉

+6
benjefferies on Oct 9, 2023

Resolved in v0.53.1 release.

+5
levkohimins on Nov 1, 2023

I can confirm this bug as well.

  • Terrragrunt: 0.47.0
  • Terraform: 1.5.1
  • AWS provider: 5.5.0 Environment details (Apple M1 Pro)
+3
gszakonyGW on Jun 27, 2023

Unfortunately for many of us, using a single profile does not work, hence workaround 1 is flawed as it forces the user to have a nameless sso session.

What I found to be a usable workaround working with multiple accounts (you will loose the auto refresh) is to export the credentials using

aws configure export-credentials --format env

and using those in the shell where you will then use terragrunt.

+2
tsbatista on Jul 28, 2023

Note: When providing the sso_start_url value make sure that it does NOT contain the # symbol at the end.

This fixed my issue

+1
mattmccarty on Jul 19, 2023

Hi,

Is there any ongoing activity resolve this issue? I have been planning to use this problematic approach in a corporate project.

Thank you for accelerate the resolution.

Cheers!

+1
stnorbi on Jun 29, 2023

Update 2 (Leaving here just for informational purposes but don’t use this mehod)

I was able to determine that if the url on the sso_start_url value of the profile block on the ~/.aws.configure file does NOT end with #/ then, the SSOProviderInvalidToken: the SSO session has expired or is invalid error appears when running Terragrunt commands. So configure aws sso as you would normally do assigning a name for the session and the profile but make sure that the urls end with #/. Ultimately the ~/.aws.configure file should look like this

[profile <profile name>]
sso_session = <profile name>
sso_account_id = <account id>
sso_role_name = <role name>
region = <region>
output = <output>
sso_start_url = https://<url>/start#/
sso_region = <region>

[sso-session ska]
sso_start_url = https://<url>/start#/
sso_region = <region>
sso_registration_scopes =<sso_registration_scopes>
+1
yiskaneto on Jul 17, 2023
Read more comments on GitHub
← terragrunt: AWS CLIv2 and AWS SSO auth fails
terragrunt: Can not set variable to null in Terragrunt inputs →