driftctl: Container hang when Okta token expires

Description

My Okta token expires after 60 minutes. When it expires and I use aws cli I see an error:

╰─ aws s3 ls s3://<bucketname>

An error occurred (ExpiredToken) when calling the ListObjectsV2 operation: The provided token has expired.

The container hangs in this case and does not display an error. Ideally it would halt and report an error.

Environment

  • OS: Docker 3.0.3 - macos 11.1
  • driftctl version: 0.2.3 - cloudskiff/driftctl 0379037aea34

How to reproduce

  • Use Okta SSO to generate ~/.aws/credentials
  • Let credentials expire

docker run -t --rm \
  -v ~/.aws:/home/.aws:ro \
  -v $(pwd)/terraform.tfstate:/app/terraform.tfstate:ro \
  -v ~/.driftctl:/app/.driftctl \
  -e AWS_PROFILE=$AWS_PROFILE \
cloudskiff/driftctl scan

Possible Solution

I think simply halting and displaying an error is correct.
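
The expired-at-start case described in this report can be caught before the container is launched, by making one cheap authenticated call under a time limit and classifying the error text. This is an added example, not code from the report or from driftctl; the function names and `PREFLIGHT_TIMEOUT` are hypothetical, and it assumes the AWS CLI and a `timeout` command are on PATH.

```shell
#!/bin/sh
# Added example (not driftctl's own code): fail fast on expired AWS credentials.

# Map AWS CLI error text to "expired", "invalid" or "other".
classify_aws_error() {
  case "$1" in
    *"(ExpiredToken)"*|*"(ExpiredTokenException)"*) echo expired ;;
    *"(InvalidClientTokenId)"*|*"Unable to locate credentials"*) echo invalid ;;
    *) echo other ;;
  esac
}

# Make one authenticated call under a hard time limit.
# Assumption: a GNU coreutils `timeout` command is on PATH.
# Returns 0 = usable, 2 = expired/invalid credentials, 3 = timed out, 1 = other.
preflight() {
  _pf_rc=0
  _pf_err=$(timeout "${PREFLIGHT_TIMEOUT:-15}" \
    aws sts get-caller-identity --output json 2>&1 >/dev/null) || _pf_rc=$?
  if [ "$_pf_rc" -eq 0 ]; then
    return 0
  fi
  if [ "$_pf_rc" -eq 124 ]; then   # GNU timeout's exit status on expiry
    echo "preflight: credential check timed out" >&2
    return 3
  fi
  case "$(classify_aws_error "$_pf_err")" in
    expired) echo "preflight: AWS session token expired; regenerate credentials" >&2; return 2 ;;
    invalid) echo "preflight: no usable AWS credentials for this profile" >&2; return 2 ;;
    *) echo "preflight: $_pf_err" >&2; return 1 ;;
  esac
}

# Same docker invocation as in the report, gated on the check.
run_scan() {
  preflight || return $?
  docker run -t --rm \
    -v ~/.aws:/home/.aws:ro \
    -v "$(pwd)/terraform.tfstate:/app/terraform.tfstate:ro" \
    -v ~/.driftctl:/app/.driftctl \
    -e AWS_PROFILE="$AWS_PROFILE" \
    cloudskiff/driftctl scan
}

# Only act when invoked as: ./scan.sh scan
if [ "${1:-}" = "scan" ]; then
  run_scan
fi
```

The check covers credentials that are already expired when the scan starts; it does not help if the token expires while the scan is running.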

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

Hey @Gary-Armstrong this is a bit of a late answer, but we just released v0.12.0 with support for SSO authentications and this should actually fix your issue. Feel free to give it a try 😃

I am indeed using a named profile; although I didn’t directly specify it, you can see I have $AWS_PROFILE in the docker command. This all seems correct, more or less. Sounds like my TF and awscli return immediately since they are up to date, while driftctl is using an older SDK.

In my case, when my credentials expire (one hour), I need to regenerate them myself because AWS CLI will not do it for me. We use a forked and modified https://github.com/oktadeveloper/okta-aws-cli-assume-role and the manual regen is part of my required workflow.

As I said, this all seems generally correct and I thank you for looking into it. I can always simply CTRL-C out of the driftctl execution and regenerate my credentials.

Hi @Gary-Armstrong, I tried today to replicate your issue but unfortunately I couldn’t 😦

This is what I had for AWS CLI and terraform plan: [image]

And below for driftctl inside a docker container: [image]

Can you try again with our latest version v0.3.1?