Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

okta-aws throws InvalidClientTokenId #333

Closed
radekl opened this issue Aug 20, 2019 · 3 comments
Closed

okta-aws throws InvalidClientTokenId #333

radekl opened this issue Aug 20, 2019 · 3 comments

Comments

@radekl
Copy link

radekl commented Aug 20, 2019

Describe the bug
We have discovered that starting from today for some reasons okta-aws stopped to work properly. We receive error:

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

while trying to execute: okta-aws my-profile sts get-caller-identity

To Reproduce

  1. call okta-aws my-profile sts get-caller-identity
  2. profile is created/updated both in ~/.okta/profile and ~/.aws/credentials, though command is not executed properly.

Also running directly jar file without = sign throws an error like here:

$ env OKTA_PROFILE=my-okta-profile java -Djava.util.logging.config.file=~/.okta/logging.properties -classpath ~/.okta/okta-aws-cli.jar com.okta.tools.WithOkta aws --profile my-okta-profile sts get-caller-identity

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

while following works properly:

$ env OKTA_PROFILE=my-okta-profile java -Djava.util.logging.config.file=~/.okta/logging.properties -classpath ~/.okta/okta-aws-cli.jar com.okta.tools.WithOkta aws --profile=my-okta-profile sts get-caller-identity
{
    "UserId": (...)

Issue exists only in shell (not in intellij in this case at least).

Expected behavior
okta-aws should pass proper profile to aws cli command

Additional context

My operating system is MacOS 10.14.6
Doesn't work both in zsh nor bash:

$ zsh --version
zsh 5.3 (x86_64-apple-darwin18.0)
 $ bash --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
Copyright (C) 2007 Free Software Foundation, Inc.

This seems to fix the issue, although not sure why because testing it in intellij both ways works as designed without any issue.

3c3
<     withokta "aws --profile $1" $@
---
>     withokta "aws --profile=$1" $@
11c11
<     withokta "aws --profile $1" $@
---
>     withokta "aws --profile=$1" $@
@jeremyplichtafc
Copy link
Contributor

based on your recommended fix with quoting it seems you have a bit older version of this project. I think your issue was fixed in #298 and released in 2.0.3. Can you make sure you install the latest again with

PREFIX=~/.okta bash <(curl -fsSL https://raw.githubusercontent.com/oktadeveloper/okta-aws-cli-assume-role/master/bin/install.sh) -i

and let me know if you still see the issue?

@radekl
Copy link
Author

radekl commented Aug 22, 2019

Well, somehow reinstallation fixed the issue even though I had already v2.0.3. Currently works on both 2.0.3 and latest 2.0.4. Not sure why this error just appeared. Anyway sorry for false-alarm.

@radekl radekl closed this as completed Aug 22, 2019
@sharath-sequoia
Copy link

I had got into the same issue. For me, deleting the rm .okta/profiles file got it fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@radekl @jeremyplichtafc @sharath-sequoia