KeyError: 'refreshToken' after updating to 1.2.0 #97

Closed
emilburzo opened this issue Mar 15, 2024 · 17 comments · Fixed by #98 or #99

@emilburzo

After upgrading to yawsso 1.2.0 I'm getting the following:

$ yawsso 
Traceback (most recent call last):
  File "/usr/bin/yawsso", line 33, in <module>
    sys.exit(load_entry_point('yawsso==1.2.0', 'console_scripts', 'yawsso')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/yawsso/cli.py", line 229, in main
    credentials = core.update_profile(profile_name, co.config)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/yawsso/core.py", line 279, in update_profile
    credentials = fetch_credentials(profile_name, profile)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/yawsso/core.py", line 149, in fetch_credentials
    role_cred_success, role_cred_output = session_refresh(profile_name, profile, cached_login)
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/yawsso/core.py", line 131, in session_refresh
    create_token_success, create_token_output = create_access_token(cached_login)
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/yawsso/core.py", line 96, in create_access_token
    f"--refresh-token {cached_login['refreshToken']}"
                       ~~~~~~~~~~~~^^^^^^^^^^^^^^^^
KeyError: 'refreshToken'

Nothing changed in my environment and downgrading to 1.1.0 fixes it.

Let me know if you need any more information.

redacted trace output

2024-03-15 10:50:56,297 yawsso       TRACE    Logging level: TRACE
2024-03-15 10:50:56,297 yawsso       TRACE    args: Namespace(default=False, default_only=False, profiles=None, bin=None, debug=False, trace=True, export_vars1=False, version=False, region=False, command=None)
2024-03-15 10:50:56,297 yawsso       TRACE    AWS_CONFIG_FILE: /home/emil/.aws/config
2024-03-15 10:50:56,297 yawsso       TRACE    AWS_SHARED_CREDENTIALS_FILE: /home/emil/.aws/credentials
2024-03-15 10:50:56,297 yawsso       TRACE    AWS_SSO_CACHE_PATH: /home/emil/.aws/sso/cache
2024-03-15 10:50:56,297 yawsso       TRACE    Cache SSO JSON files: ['/home/emil/.aws/sso/cache/934cfeb368censored6f278483.json', '/home/emil/.aws/sso/cache/112304e768e6667bd8b7e0f3df49ea691fb9466c.json']
2024-03-15 10:50:56,647 yawsso       DEBUG    aws-cli/2.15.19 Python/3.11.8 Linux/6.7.4-arch1-1 source/x86_64.arch prompt/off
2024-03-15 10:50:56,649 yawsso       DEBUG    Current named profiles in config: ['censored-setup', 'censored:fullaccess', 'censored:readonly', 'censored:ops', 'censored:readonly', ...']
2024-03-15 10:50:56,649 yawsso       DEBUG    Syncing named profiles: ['censored-setup', 'censored:fullaccess', 'censored:readonly', 'censored:ops', 'censored:readonly', 'censored:ops', 'censored:fullaccess', 'censored:readonly', ...']
2024-03-15 10:50:56,649 yawsso       TRACE    Syncing profile... censored-setup: {'sso_start_url': 'https://censored.awsapps.com/start#/', 'sso_region': 'eu-west-1', 'region': 'eu-west-1', 'sso_account_id': 'censored', 'sso_role_name': 'dummy'}
2024-03-15 10:50:56,649 yawsso       TRACE    Using cached SSO login: /home/emil/.aws/sso/cache/934cfeb368censored6f278483.json
2024-03-15 10:50:57,350 yawsso       TRACE    EXCEPTION: 'An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access'
2024-03-15 10:50:57,350 yawsso       TRACE    Attempt using SSO refreshToken to generate accessToken
Traceback (most recent call last):
  File "/tmp/.env/bin/yawsso", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/tmp/.env/lib/python3.11/site-packages/yawsso/cli.py", line 229, in main
    credentials = core.update_profile(profile_name, co.config)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.env/lib/python3.11/site-packages/yawsso/core.py", line 279, in update_profile
    credentials = fetch_credentials(profile_name, profile)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.env/lib/python3.11/site-packages/yawsso/core.py", line 149, in fetch_credentials
    role_cred_success, role_cred_output = session_refresh(profile_name, profile, cached_login)
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.env/lib/python3.11/site-packages/yawsso/core.py", line 131, in session_refresh
    create_token_success, create_token_output = create_access_token(cached_login)
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.env/lib/python3.11/site-packages/yawsso/core.py", line 96, in create_access_token
    f"--refresh-token {cached_login['refreshToken']}"
                       ~~~~~~~~~~~~^^^^^^^^^^^^^^^^
KeyError: 'refreshToken'

@victorskl
Owner

Hey, could you also check that

From this sso cache JSON file

Using cached SSO login: /home/emil/.aws/sso/cache/934cfeb368censored6f278483.json

... whether you find the refreshToken key in there.

I'm expecting it to have a format like this:

{
    "startUrl": "https://censored.awsapps.com/start",
    "region": "eu-west-1",
    "accessToken": "<snip>",
    "expiresAt": "2024-03-13T00:53:20Z",
    "clientId": "<snip>",
    "clientSecret": "<snip>",
    "registrationExpiresAt": "2024-06-06T00:24:58Z",
    "refreshToken": "<snip>"
}

@victorskl
Owner

victorskl commented Mar 15, 2024

This debug log message tells me that it is a recent AWS CLI v2 version. So, I am a bit puzzled. It should have used botocore for the session, if I understood correctly...

2024-03-15 10:50:56,647 yawsso       DEBUG    aws-cli/2.15.19 Python/3.11.8 Linux/6.7.4-arch1-1 source/x86_64.arch prompt/off

Let me try in my local with this version; which is the best I can do to reproduce locally...

@emilburzo
Author

Interesting, the refreshToken is indeed missing:

$ cat /home/emil/.aws/sso/cache/934cfeb36826ad5642909449b2f429996f278483.json | jq .
{
  "startUrl": "https://censored.awsapps.com/start#/",
  "region": "eu-west-1",
  "accessToken": "<snip>",
  "expiresAt": "2024-03-18T14:00:45Z",
  "clientId": "<snip>",
  "clientSecret": "<snip>",
  "registrationExpiresAt": "2024-06-13T08:25:28Z"
}

Even with a refreshed aws sso login 🤔

But since it works with version 1.1.0, I assume this is something new?

@emilburzo
Author

Just to eliminate more variables, refreshToken is missing for both the new sso-session style and the legacy one

@victorskl
Owner

Hmm, strange.

I wonder whether the region matters here, and/or the AWS IAM Identity Center API backend version available in there...

My cache file (in ap-southeast-2) has the newer refreshToken field and a total of 8 keys in there.

jq 'length' ~/.aws/sso/cache/21826c929977799eab660eb25be86a87ab9a5a2b.json
8

I have added support for this newer SSO session cache format with refreshToken due to the change request from #90, whereby the session expiresAt no longer represents the actual SSO login session situation.

You could check the linked discussion aws/aws-cli#8305 to see whether any of it is applicable.

Or, if you are the admin of your AWS Organisation (AWS SSO/IAM Identity Center) setup (or can point your admin to it), perhaps you might need to configure the access portal to work...

https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html

@victorskl
Owner

Perhaps I can offer backward compatibility on parsing this refreshToken field with the next patch release. Also, it is perfectly OK to stick with the yawsso version that works for you, meanwhile.

@emilburzo
Author

emilburzo commented Mar 25, 2024

I'm not exactly sure what happened, but I upgraded to 1.2.0 again to try and debug what's going on and... it works?

I no longer see this line in the trace output:

2024-03-15 10:50:57,350 yawsso       TRACE    EXCEPTION: 'An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access'

So I assume the refreshToken code is not reached anymore and that's why I'm not seeing any errors.

Not sure what to make of this though, since I still don't have any refreshToken in ~/.aws/sso/cache/* and nothing else really changed on my side (config, aws-cli version), could it be on AWS' side?

@Kralizek

I downgraded to 1.1.0 and then upgraded again to 1.2.0 and it gave the error again.

@victorskl
Owner

Is that the same key error that you observed?

KeyError: 'refreshToken'

@Kralizek

yes, sorry for not being more specific.

@victorskl
Owner

The fact that I couldn't reproduce it on my end frustrated me a bit. I'll try my best to investigate, to see whether I can jump onto some EU regions...

Meanwhile, I can advise that it is perfectly OK to stick with 1.1.0 if that works perfectly for you.

What comes with 1.2.0 is support for this newer IAM Identity Centre and its OIDC and refreshToken for auto-refreshing the session.

@shawndutton-unitas

Just wanted to say I saw this as well when I upgraded dependencies. Pinning the version to 1.1.0 got me back up and running.

@mpostument

Getting the same error on yawsso 1.2.0. No errors with 1.1.0

@rsi-mrobinson

Ran into this as well after it was reported to my team by a developer. I upgraded to 1.2.0 and did not encounter the issue until about a week later. I removed the files in ~/.aws/sso/cache and ran yawsso login again without incident.

@crh-hireup

Confirming I had the same issue described by @rsi-mrobinson above, with KeyError: 'refreshToken' on 1.2.0, and deleting the cached files in ~/.aws/sso/cache fixed this for me.

@Kazaz-Or

I have no idea if this is the exact issue described here (although I encountered the same error as above), but when I run it with the -p flag (profiles), the issue doesn't reproduce for me.

yawsso -p <some-profile>

Hope this helps.

@victorskl
Owner

Hi folks,

@jimwbaldwin contributed the fix, which now gracefully handles the absence of refreshToken in the SSO cache file.

Patch release v1.2.1 is ready as follows.

https://github.com/victorskl/yawsso/releases/tag/1.2.1

pip install -U yawsso==1.2.1

or

pipx upgrade yawsso

Thanks for all the feedback. I will close this for now. Feel free to reopen, if any still stand.
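
The crash in this thread comes from indexing cached_login['refreshToken'] on a cache file in the older format. As an added example (not yawsso's code and not the fix from #98 or #99), one way to decide the next step without assuming the key exists, and to redact an entry before pasting it into a report; next_step, redacted and the sample entries are hypothetical names and constructed values, and treating an expired registrationExpiresAt as non-refreshable is an assumption.

```python
import json
from datetime import datetime, timezone

# Fields the thread's participants replaced with "<snip>" before posting.
SECRET_FIELDS = ("accessToken", "clientId", "clientSecret", "refreshToken")
REFRESH_FIELDS = ("refreshToken", "clientId", "clientSecret")

def _ts(value):
    """Parse the cache's 'YYYY-MM-DDTHH:MM:SSZ' stamps; None if absent or garbled."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def next_step(cached_login, now, token_rejected=False):
    """Return 'use_access_token', 'refresh' or 'login_required'; never raises KeyError."""
    expires = _ts(cached_login.get("expiresAt"))
    if not token_rejected and cached_login.get("accessToken") and expires and expires > now:
        return "use_access_token"
    # The refresh grant needs all three fields; the older cache format has no refreshToken.
    if not all(cached_login.get(k) for k in REFRESH_FIELDS):
        return "login_required"
    # Assumption: an expired client registration cannot be used to refresh.
    registered_until = _ts(cached_login.get("registrationExpiresAt"))
    if registered_until is None or registered_until <= now:
        return "login_required"
    return "refresh"

def redacted(cached_login):
    """Copy of the cache entry that is safe to paste into a log or an issue."""
    return {k: "<snip>" if k in SECRET_FIELDS else v for k, v in cached_login.items()}

# Constructed samples shaped like the two cache files quoted in the thread.
NOW = datetime(2024, 3, 15, 10, 50, 57, tzinfo=timezone.utc)
OLDER_FORMAT = json.loads("""{"startUrl": "https://example.awsapps.com/start#/",
  "region": "eu-west-1", "accessToken": "constructed-access-token",
  "expiresAt": "2024-03-18T14:00:45Z", "clientId": "constructed-client-id",
  "clientSecret": "constructed-client-secret",
  "registrationExpiresAt": "2024-06-13T08:25:28Z"}""")
NEWER_FORMAT = dict(OLDER_FORMAT, expiresAt="2024-03-13T00:53:20Z",
                    refreshToken="constructed-refresh-token")

if __name__ == "__main__":
    # Token rejected (the ForbiddenException case) and nothing to refresh with.
    print(next_step(OLDER_FORMAT, NOW, token_rejected=True))
    print(next_step(NEWER_FORMAT, NOW))
    print(json.dumps(redacted(NEWER_FORMAT), indent=2))
```

With token_rejected=True the older-format entry yields login_required, which is the point at which 1.2.0 raised the KeyError instead.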
